25 August 1999. Original document: http://cryptome.org/LIB42.doc (51K)

A US national newspaper will publish online tomorrow comments on these recommendations by members of PECSENC.


Date: Wed, 25 Aug 1999 13:20:37 -0700
To: John Young <jya@pipeline.com>
From: wcrowell@cylink.com (William Crowell)
Subject: Re: PECSENC Report

Attached are the recommendations of the PECSENC from our July meeting.

These recommendations were sent to the BXA in July for consideration of the Interagency Working Group, and are today being forwarded to Secretary Daley and to the PEC Chairman.   

Bill Crowell
President & CEO
Cylink Corporation
910 Hermosa Court
Sunnyvale, CA 94086
408 328-5222

[William Crowell is Chairman of the President's Export Council Subcommittee on Encryption (PECSENC)]


President’s Export Council Subcommittee on Encryption

Liberalization 2000:

Recommendations for Revising the Encryption Export Regulations

 

I. Reporting Requirements

Reporting requirements should be eliminated for all exports: (1) to health and medical end-users under License Exception ENC; (2) to on-line merchants under License Exception ENC; (3) of "recoverable" encryption products to commercial entities under ELAs; (4) all exports under License Exception KMI; and (5) of non-mass market products that use weak encryption (56-bit key length or less).

Reporting requirements are difficult, and in some cases impossible, for industry to comply with and have questionable value to the government. Manufacturers and exporters of mass-market software and hardware normally do not deliver products directly to end-users. The enormous complexity of mass-market distributions, involving numerous layers of distributors and resellers, makes reporting nearly impossible. As a result, many exporters find that they are not able to use otherwise available license exceptions, because there are reporting requirements attached.

To comply with reporting requirements, companies would have to invent and implement entirely new product distribution and information collection systems. This would be extremely costly, and in many companies, it is not clear how those costs could be covered.

Reporting is not required by any international obligations. The December 1998 changes to the Wassenaar Arrangement eliminated all reporting for encryption exports. The unilateral imposition of burdensome requirements on U.S. companies puts them at a competitive disadvantage with respect to foreign suppliers. The added costs make it impractical to even attempt to compete for all but the largest customers.

Little if any useful information is provided by reporting. In order to ensure that all end-users are included, companies could, for example, submit the entire medical directories for the eligible countries. Alternatively, for each 10,000 seat deployment from a master CD, a company could report that it sent 1 CD to company X. Neither option provides the government with any idea of how, and the extent to which, encryption products are being used by foreign end-users.

II. License Free Zones

The US government should create a list of countries where exporters will be able to export encryption items without a US export license. Such a policy would be similar to the policy currently in place for Canada. This policy should be expanded to other countries where there are not significant national security concerns related to export of US encryption items. The countries listed in Supplement No. 3 to Part 740 of the EAR could provide the starting point for identifying trusted countries. Trusted countries could also be identified using EU or NATO membership.

The United States government has recognized that there are certain countries where encryption use is of less concern for national security reasons. Current policy allows exports to several different sectors within these countries, including banks and financial institutions, subsidiaries of U.S. companies, health and medical organizations, on-line merchants, and foreign commercial firms. Given the number of sectors that are able to receive exports of strong encryption within these trusted countries, it is only a matter of time before strong encryption is widely available in these destinations – if it is not already available from local producers or other foreign producers.

Furthermore, the European Union is considering a plan that will remove all export barriers between its member countries and greatly simplify export procedures for a list of friendly nations. If burdened by U.S. re-export controls, US-origin products will be unable to benefit from these relaxed controls and will suffer competitive disadvantages to foreign products.

III. ENC/Sector Expansion

License Exception ENC should be expanded to include additional sectors eligible to receive strong encryption products. The critical infrastructure industries, friendly governments and intergovernmental organizations should be included in the expansion.

The need to protect critical infrastructures is widely acknowledged and the necessity of encryption products to provide that protection is indisputable. Secure communication is needed not only for individual infrastructure providers, but also for secure communications within the infrastructures. Moreover, most of these critical infrastructure providers are in industries that are heavily regulated (at least as much as banks and financial institutions). This treatment should be afforded to all of the industry sectors called out in PDD-63 on Critical Infrastructure Assurance, including power suppliers and distributors, telecommunications providers and ISPs (to secure the networks, not to provide end-to-end security between customers), and transportation (air traffic controllers, other traffic control networks, commercial carriers, etc.).

Friendly governments represent one of the largest groups of potential customers that are not currently covered under ENC. And of all the classes of potential customers, they are perhaps the most able to seek out and obtain alternatives to U.S. commercial encryption products. Friendly governments could be determined on a number of bases including: NATO members, plus Japan, Australia, New Zealand, etc.; Wassenaar members; the 46 countries listed in Supplement No. 3 to Part 740; the Tier 1 countries used in the computer controls.

Intergovernmental organizations that consist primarily of "friendly governments" should also be included under ENC for much the same reason that the individual member governments should be able to receive exports of strong encryption. This treatment should extend to NATO, EU/EC, and the UN.

Exports under License Exception ENC to these additional sectors should not require reporting for the reasons discussed under Section I., above.

IV. On-Line Merchants

The eligibility to export strong encryption products to on-line merchants under License Exception ENC should be expanded to include general-purpose encryption products under Section 740.17(b)(3)(ii) of the interim rule. Encryption items for online merchants are eligible for License Exception ENC only if the items are limited to client-server applications (e.g., Secure Socket Layer (SSL)-based applications) or applications specifically designed for online transactions for the purchase or sale of goods and software, including interactions between purchasers and sellers necessary for ordering, payment and delivery of goods and software. Thus, in addition to satisfactorily meeting the criteria as set forth in Parts 740 & 772 of the EAR, an on-line merchant is constrained by end-use limitations that impede e-business.

The scope of eligible commodities and software must be expanded if the policy is to promote electronic commerce as the Administration intends. The Administration has emphasized how strong encryption products will form the basis of the e-commerce infrastructure and an environment of on-line trust. A secure e-commerce environment is made up of both products and institutions. In order to establish a trusted e-commerce environment, users must be assured that the security infrastructure extends not just to particular e-commerce applications, but throughout an online merchant’s organization. A consumer can not (nor should) feel confident conducting e-commerce if a merchant’s transactions are compromised in back-end applications or elsewhere within the enterprise. To meet the objective of promoting secure electronic business, online merchants must be allowed to protect their own business infrastructure with appropriate security commodities and software.

V. Mass-market Hardware and Software

The US government should expand its current export policy to allow export of mass-market encryption items with key lengths of up to 128 bits. Although the Wassenaar Arrangement sets the level for discretionary controls of mass-market encryption at 64 bits, longstanding practice of foreign countries has been to allow export of mass-market items with unlimited key lengths. After the change to Wassenaar, several Wassenaar members (e.g., Canada, UK) indicated that they would continue to allow export of mass-market encryption software with key lengths of 128 bits or equivalent. Other Wassenaar members, such as Germany, have adopted government policies openly endorsing the proliferation of strong encryption. Plus, there are many countries producing strong encryption products that are not members of the Wassenaar Arrangement (e.g., China, Israel, South Africa). The current de facto key length standard for electronic commerce is 128-bit or equivalent encryption. The US government should recognize market realities. In addition, the US government should recognize the difficulty of controlling mass-market products once they are allowed to be exported even to limited sectors. Furthermore, mass-market products play an important role in protecting the communications and data of individuals—a segment of the encryption user community that has been neglected in recent liberalizations to the US export policy.

VI. Encryption Licensing Arrangements

Encryption Licensing Arrangements (ELAs) are a mechanism by which products subject to export licensing may receive a license that covers many exports at once. ELAs are extremely flexible. They allow BXA to write individual export conditions that are tailored to the product in question. ELAs can set limits on exports to particular countries, or to particular end users, or they may set detailed rules for use or distribution of the product in question.

The flexibility of ELAs has proven particularly important in the context of fast-changing policies that affect mass-market products. Indeed, the export control regime for encryption could have caused exports to grind to a halt if not for the ability of the Commerce Department to use ELAs.

The Commerce Department deserves praise for its creativity in creating and utilizing ELAs. Experience with ELAs will have value for products beyond encryption, and the flexibility of ELAs has made them far more widely used than Special Comprehensive Licenses. PECSENC recommends that BXA utilize its experience with ELAs to modify or supplement the current Special Comprehensive License procedures.

VII. Applications that call Cryptographic Application Programming Interfaces (APIs)

The current interagency interpretation of the EAR is that applications that access cryptographic APIs are considered to contain components of a crypto system, and, therefore, require a Department of Commerce review before controls are lifted from the application. Since API specifications are typically published and available worldwide, there is no way for the US government to compel non-US application developers to seek similar review of their competitive applications. Implementation of API calls in an application is typically a trivial matter for a seasoned application developer and requires no knowledge of the actual crypto functionality. Therefore, applications that use APIs should be viewed as far enough removed from crypto-related technology as not to be controlled.

VIII. Chips, Linkable Modules, Toolkits

License Exception ENC, Section 740.17(a), should be extended to the following 56-bit or weaker encryption items: chips, software toolkits, and executable modules. We understand that the original reason for excluding these items was the concern that people could use multiple instances of these hardware or software modules to build devices with strong encryption. However, we feel that the exclusion of these entities provides little value while penalizing US vendors of chips, toolkits and modules.

The reality is that it will require significant effort, cost, and expertise to build strong cryptographic systems from these modules. It is unlikely that an individual or organization with such expertise would be significantly aided by the availability of these chips, toolkits or modules.

Multiple application of products currently under License Exception ENC will more easily result in strong encryption. For example, using two 56-bit DES encryptors rather than one is easier to deploy than building a strong encryption product from 56-bit DES components.

The technology and implementations for building the equivalent chips, toolkits and modules are widely available outside the US. The latest agreement on crypto controls concluded by the Wassenaar Arrangement does not exclude chips, toolkits or modules from the 64-bit mass-market or the 56-bit general decontrol. Therefore, the U.S. restriction puts exporters of 56-bit components at a competitive disadvantage vis-à-vis foreign competitors.

In addition, the U.S. Subsidiaries provision of License Exception specifically allows exports of encryption chips, integrated circuits, toolkits, executable or linkable modules, source code and technology to qualified end-users. While the other provisions for export of strong encryption under License Exception ENC do not prohibit export of such products, it would be helpful if language was included in the Regulation for all of the ENC sectors (e.g., banks and financial institutions, health/medical organizations, on-line merchants, and any such sectors as may be added in the future).

IX. Infrastructure Management and Integrity Uses of Cryptography

Uses of cryptography to protect data related to the management and integrity of public and private networks, e-commerce and Internet infrastructure functions should be removed from Encryption Item, ‘EI’ control under the EAR. These systems do not provide end-to-end secure communication between users or consumers and do not provide open access to encryption functionality. However, these systems do require encryption to protect the data needed to manage a particular function. Typical infrastructure management functions that require encryption include: network management; application management; and user access management.

The use of cryptography to protect information critical to managing these functions is required to maintain the integrity of these systems. For example, a network administrator typically requires secure remote access to nodes on a network to monitor events and reconfigure equipment. Intrusion detection systems use encryption to protect data concerning network intrusion events from interception and tampering. Systems that manage on-line access to applications such as license-to-use management systems and single-sign-on systems may use encryption to protect profile and authorization data.

The current access control and authentication exemption in the EAR should be expanded to include the use or implementation of crypto for infrastructure management and integrity functions, if the crypto capability does not allow access to crypto functionality for end-to-end user communication or general crypto use.

X. Recoverable products

Recoverable products should be exportable under a license exception. Unlike recovery products which are eligible for export under License Exception KMI, under current regulations recoverable products may only be exported under ELAs or individual licenses. From a technical standpoint, however, recoverable products meet the needs of the law enforcement and intelligence communities to no greater or lesser extent than recovery products. Therefore, the licensing policy should be similar to the policy for recovery products, i.e., they should be eligible for export under terms similar to those under License Exception KMI (i.e., after a one-time technical review, exports permitted to all but the T7 countries).


HTML by JYA/Urban Deadline.