Interesting People mailing list archives
IP: Commerce Report on Crypto Availability
From: Dave Farber <farber () central cis upenn edu>
Date: Thu, 18 Jan 1996 20:04:21 -0500
Commerce Releases Crypto Availability Report The US Department of Commerce today released a report on the international market for encryption software. The report, which was jointly produced by the Commerce Department's Bureau of Export Administration and the National Security Agency reviews the foreign availability of encryption products and other nations' import, export and domestic use policies. The report finds that there are foreign products available which "can have an impact on US competativeness" and that US export controls "may have discouraged US software producers from enhancing the softare features of general purpose software to meet the anticipated growth demand by foreign markets. It anticipated that there is a steadily increasing demand for crypto to be included in general use software products becuase of well publicized break-ins. A large portion of the report has been redacted by the NSA. EPIC filed suit under the Freedom of Information Act in December 1995 to obtain a full copy of the report and will continue to demand its release. EPIC believes that the US goverment should remove export controls on public domain and commerical software that contains encryption and end the policy of demanding that key escrow be implimented in all encryption software. Enclosed in the Commerce Department Press Release and Executive Summary of the report. The full report is over 100 pages. EPIC will make every effort to make the full report available in electronic form as soon as possible. More information on crypto policy is available at the EPIC Web Site at http://www.epic.org/crypto/ UNITED STATES DEPARTMENT OF COMMERCE NEWS =7F=7F=7F =7F=7F=7F WASHINGTON DC.20230 OFFICE =7FOF THE SECRETARY FOR IMMEDIATE RELEASE CONTACT: Carol Hamilton Thursday, January 11,1996 (202) 482-4883 Eugene Cottilli (202) 482-2721 DEPARTMENT OF COMMERCE RELEASES STUDY ON THE INTERNATIONAL MARKET FOR ENCRYPTION SOFTWARE Washington, D.C. -- The growth of an international market for encryption software is being slowed by strong export controls, both in the United States and other major countries. Moreover,the quality of products offered abroad varies greatly, with some not providing the level of protection advertised. The study, jointly prepared by the Commerce Department's Bureau of Export Administration (BXA) and the National Security Agency (NSA), evaluates the current and future market for computer software with encryption, which allows users to protect their data using codes. The study also reviews the availability of foreign encryption software and assesses the impact that U. S. export controls on encryption have on the competitiveness of the software industry. "Our study provides a clear snapshot of the international competition in this segment that the software industry faces," said Cornmerce Secretary Ron Brown. "Better understanding of the products and the marketplace gives us the tools to ensure that our export control policies are appropriate," he added. The study noted encryption software presently accounts for only a small percentage of the total computer software but should grow substantially as the U.S. and other countries deveiop and expand public networks and electronic commerce. The study found that the U.S. software industry still dominates world markets. In those markets not offering strong encryption locally, U.S. software encryption remains the dominant choice. However, the existence of foreign products with labels indicating DES (Data Encryption Standard) or other strong algorithms, even if they are less secure than claimed, can nonetheless have a negative effect on U. S competitiveness. The study also notes that the existence of strong U.S. export controls on encryption may have discouraged U.S software producers from enhancing the security features of general purpose software products to meet the anticipated growth in demand by foreign markets. page 2 All countries that are major producers of commercial encryption products were found to control exports of the products to some extent. A few countries (e.g., France, Russia, and Israel) control imports and domestic use of encryption, as well. As part of the study, NSA evaluated twenty-eight different foreign encryption software products, finding that some were less secure than advertised. Because customers lack a way to determine actual encryption strength, they sometimes choose foreign products over apparently weaker U.S. ones, giving those foreign products a competitive advantage. -30- A STUDY OF THE INTERNATIONAL MARKET FOR COMPUTER SOFTWARE WITH ENCRYPTION [Note: This is a redacted copy of the ogigional secret decoment. Brackets [] accompanied by the origional classifications have been used to indicate location and size of excised classified text] Prepared by the U.S. Department of Commerce and the National Security Agency for the Interagency Working Group on Encryption and Telecommunications Policy EXECUTIVE SUMMARY BACKGROVND In late 1994, the President's National Security Advisor directed that an interagency report be prepared assessing the current and future international market for software products containing encryption and the impact of export controls on the U.S. software industry. The report was to include an assessment ofthe impact of U.S. encryption export controls on the international competitiveness of the U.S. computer software industry and a review of the types, quality, and market penetration of foreign-produced encryption software products. This paper presents the joint efforts of the Department of Commerce/Bureau of Export Administration and the National Security Agency to complete this tasking. (U) EXPORT CONTROLS All countries that are major producers of commercial encryption products control exports of those products to some extent. Control methodologies and licensing practices vary, however, and a few countries, most notably France, Russia and Israel also control imports and/or domestic use of encryption. There is a significant amount of international cooperation in controlling encryption exports. (U) Some European and other countries apparently treat exports to the United States of DES- based software more liberally than the United States treats DES exports to those countries. Some countries have stated that they generally restrict DES exports to financial end-uses. In general, no independent verification of these licensing practices was obtained. However, in some cases the U.S. was able to obtain DES products from them for non-financial end-uses. It is possible that some countries may allow these exports based on their political/economic/military relationship with the destination country (e.g., within the European Comrnunity, or former COCOM), for end uses that are considered legitimate commercial applications of the technology, or, in the case of exports to the United States, because DES is a national standard. (U) As the technology and the marketplace have evolved, the USG export control authorities have relaxed licensing constraints on cryptographic products several times over the past 10 years. These changes have usually been made after industry pressures and internal debate to balance national security and economic concerns. (U) DOMESTIC AND INTERNATIONAL MARXETS While presently encryption software accounts for only a small percentage of the total software market (1-3%), according to numerous information security experts contacted in the course of the study, the future growth trend for this sector is expected to be great. The market for encryption in distributed computation, databases, and electronic mail is beginning to expand exponentially as the U.S. and other countries develop and popularize electronic commerce, public networks, and distributed processing. (U) Encryption in these environments will often be implemented in software, as opposed to hardware, because it is generally less expensive and simpler to install and upgrade. Absent changes in government standards, for the next ten years, encryption software will primarily use DES and RSA-licensed encryption algorithms. Other non-standard and company proprietary algorithrns will be used primarily for security-specific products for small niche markets. (U) Certain developments are promoting greater use by the general public of software-based network security features, including encryption, throughout the industrialized world. They include ever increasing use, fueled by well publicized "break-ins," of distributed databases, popular acceptance and usage of global networks, and the development and use of electronic commerce. (U) These developments are ongoing at one stage or another in practically all of the countries surveyed for this assessment. Less technologically advanced countries, where demand for encryption software is reportedly negligible, will soon undergo widespread development and computerization leading to increased demand for encryption so~ware within the next 10 years. (U) The overwhelming majority (75%) of general-purpose software products (e.g., word processors, spread sheet programs, and database programs) available on foreign markets today are of U.S. origin. Cornmerce Department analyses indicate that the U.S. has few viable foreign competitors for such products, and of those general-purpose products with encryption features, all were found to be of U.S. origin. (U) In the security specific software market, however, U. S. manufacturers face competition in several foreign markets from such encryption exporting countries as the United Kingdom, Germany, and Israel. To a large extent, markets for these products tend to be "national. " Not only do export controls affect sales, but local vendors of security-specific products are at a competitive advantage in that they are better situated to work closely with end- users and develop encryption solutions tailored to meet the conditions of the local environment. (U) NSA confirmed the existence of a significant number of foreign security-specific software products with encryption features, predominantly from Western European suppliers. Security-specific products are usually not available on the shelf at retail stores either in the U.S. or abroad, but can be purchased through direct contact with the manufacturer. (U) ES-2 BXA attempted to quantify U.S. competitiveness and market share in 31 foreign countries where encryption is thought to have significant demand. While sources in the countries surveyed had limited access to import statistics or market literature on encryption software and encountered nwnerous difficulties in evaluating this complex market, definite conclusions may be drawn from the responses. (U) Sources in 14 countries indicated that U.S. export controls limit U.S. market share in their countries. Sources in seven countries indicated that export controls have either no impact or no major impact. (U) Sources in most countries indicated that the U.S. market share is keeping pace with overall demand despite the impact of U.S. export controls, which may promote indigenous production or reduce U. S. market penetration. In all known cases, the U.S. holds the majority of the general-purpose encryption software market. (U) Three exceptions are Switzerland (where the U.S. market share reportedly declined in 1994, while the market shares of other European countries rose), Denmark and the United Kingdom, which reported unspecified declines from previous years. Sources in all three countries attribute the decline to U.S. export controls, which they claim promote the development and sale of indigenous encryption products. (U) In many countries surveyed, exportable U. S. encryption products are perceived to be of unsatisfactory quality. (U) ANALYSIS OF FOREIGN PRODUCTS NSA used various methods to procure encryption software products from a variety of countries and companies, as reflected in the TIS database and other sources. Altogether, 28 products from 22 foreign producers in 10 countries were acquired for the purposes of this study. Of these, 21 purportedly use the DES algorithm, while the remaining 7 use proprietary algorithms. (U) [ ] (S) ES-3 ECONOMIC IMPACT In the absence of significant foreign competition, the impact of U.S. export controls on the international market shares of general-purpose products is probably negligible. Customers are often unaware of the encryption features in these products and primarily base purchases on the features implementing the primary function of the product (e.g., word processing or database). (U) [ ] (S) BXA attempted to quantify the economic impact of export controls on the U.S. software industry by forwarding a detailed voluntary questionnaire to 206 software vendors and other interested parties. Thirty six encryption software manufacturers provided completed surveys out of the 71 returned. By and large, the companies were unable or unwilling to quantify the costs of export controls, but did provide substantive explanations of how and why they believe they are adversely affected. (U) Some general-purpose software companies claim that export controls have affected their plans to expand security features to meet anticipated growing demand. These companies believe that they could expand their domestic and international customer base with such features. (U) The export licensing process itself is not a major obstacle to U. S. competitiveness. Only seven survey respondents use the Department of State licensing system. While they continue to have some complaints about the administrative burdens and time delays associated with State's process, several noted that there had been improvements in recent years. Only two of the survey respondents had been denied licenses by the Department of State. (U) Numerous survey respondents indicated that they avoided applying for export licenses from the Department of State altogether. Some larger companies whose products tended to be general-purpose in nature either developed two ~fersions of so~ware, or incorporated an encryption algorithm they knew would qualify for Commerce general licenses. (U) Many smaller, security-specific software firms, on the other hand, elected to limit their sales to the domestic market only. These companies indicated a high level of foreign interest in purchasing their products, and therefore lost potential sales. While it is difficult for them to quantify their potential market, they believe it to be sizeable. They claim their small size limited their ability to develop two versions of their products, and the fact that their products were for secunty purposes ES-4 specifically requires them to incorporate strong encryption. Only one company was able to provide specific examples where a foreign competitor o~ta ned a sale due to an export license denied by U.S. authorities. (U) There is little evidence that U.S. export controls have had a negative effect on the availability of products in the U.S. marketplace. A broad range of products with secure algorithms exist in the U. S. market and availability of products is based principally on the level of customer demand. Export controls may have hindered incorporation of strong encryption algorithms in some domestic mass-market, general-purpose products, since some companies find developing and maintaining two versions of a product infeasible. (U) The existence of foreign products with labels indicating DES or other strong encryption algorithms, even if they are less secure than claimed, can nonetheless have a negative effect on U.S. competitiveness. Most encryption users base their purchasing decisions on the advertised product features, along with price, company reputation, etc. (U)
Current thread:
- IP: Commerce Report on Crypto Availability Dave Farber (Jan 18)