Interesting People mailing list archives

IP: Re: U.S. cyberterrorism report hit on encryption stance


From: Dave Farber <farber () cis upenn edu>
Date: Thu, 06 Nov 1997 19:05:53 -0500

To: farber () cis upenn edu
Cc: willis () rand org
Reply-To: willis () rand org
Subject: Re: IP: U.S. cyberterrorism report hit on encryption stance 
Date: Thu, 06 Nov 97 10:32:18 PST
From: "Willis H. Ware" <willis () rand org>



For your list:


Dave:


With (ex Senator) Sam Nunn and (ex DOJ) Jamie Gorelick co-chairing the
PCCIP's Advisory Committee and with their known positions on national
security and law enforcement, there was little chance that the Commission
could escape saying something about encryption -- even though it originally
intended to avoid the issue since it was being worked by other parts of
government.


Since the Advisory Committee appointments came somewhat late in the game,
one can conjecture that the Commission could have been instructed to
comment on cryptography as late as its September 5 1997 meeting with the
Advisory Board.  Who knows what was discussed in the non-public closed part
of that meeting?


By tracking the media releases, their content and dates of appearance
[http://pccip.gov], one could get a sense of how the Commission's positions
and outcome were evolving.  Had encryption been on the agenda for much or
most of the Commission's tenure, one would have expected a little hint
about it at General Marsh's keynote address at the Baltimore NISSC-97
conference; nothing was said.


So I conclude that encryption was probably a late addition to the
Commission's scope but of course, that personal position derives from my
reading of electronic tea leaves.


                            ===================


FYI - the full text of the Commission's report is on the web site at
http://www.pccip.gov.  It's in 5 parts, totals slightly under 1 Mb, is in
PDF format, and seems to require ver 3.01 of Adobe's acroreader to open
the file.


The discussion of encryption is page 2ff of chapter nine, and for the
present point at issue, the operative paragraph is bullet 2 on page 3.


    "Law enforcement agencies should have lawful access to the
    decrypted information when necessary to prevent or deter serious
    crime.  Procedures for judicial review prior to granting government
    access must be defined in law."


Important 3rd bullet also: it provides for individual rights of redress when
such access is abused!


Read the words carefully; the 2nd bullet does not call for key escrow or key
recovery; it simply observes that law enforcement should have access to the
decrypted information and by implication, however it is obtained; e.g.,
pinching the keys, cryptanalysis, lawful court-ordered access to corporate
key recovery records, using an informant to snitch the key.  It most
assuredly does not support the broad scope posture that the FBI technical
memorandum to the House committees proposed.  And the sense of the
discussion is oriented toward businesses.


Importantly also, (first full paragraph from bottom of page 2), the
Commission calls for strong encryption as an "essential element [for]
the information on which critical infrastructures depend."  In the same
paragraph, the Commission does call for key recovery systems but the
statement is set in the context of businesses for self-protection; and the
following phrase certainly connects lawful access to business-oriented key
recovery schemes.  Nowhere does the word "mandatory" appear.


In the same paragraph, the Commission calls for a key-management
infrastructure which, unfortunately, is a term with somewhat ambiguous
meaning and scope.  It can mean the certificate-authority and public-key
management aspects for digital signatures -- which everyone agrees will have
to come into existence.


On balance, it strikes me that the Commission walked a very treacherous
line very carefully.  It did endorse strong encryption as essential to a
digital commerce world; it did call for lawful access to decryption keys in
the business setting; it did NOT call for a sweeping solution such as
proposed by the FBI; it mandated nothing.  It said what needed to be said
about cryptography as an aspect of the Commission's charter; it properly
avoided what (probably) many would have wished that it had said on
cryptography as a national policy issue.


Moreover, the Commission certainly could not risk obscuring its central
message and mission objectives for protecting the critical infrastructure.
A broad policy position on cryptography could have aroused all manner of
dialogue and opposition that might easily detract from its other findings.
After all, encryption is [what ??] something like 0.001% of the
Commission's broad tasking?


True, one could, I suppose, imagine ways in which the words could have been
more carefully honed (e.g., clarify what was meant by KMI), but given the
emotional and confused dialogue on cryptography as it now exists, the
Commission position strikes me as an appropriate position on a difficult
issue.


My thoughts derive from watching the scene and listening at the gateposts.
Needless to say, the above doesn't reflect any sponsors, other hats that I
might be associated with, and it's not a paid announcement.:-))


                                                   Willis


**************************************************
"Photons have neither morals nor visas"  --  Dave Farber 1994
**************************************************