Governmental Restrictions on the Development and Dissemination of Cryptographic Technologies: The Controversy Over the Digital Signature Standard

David L. Sobel*

On August 30, 1991, the National Institute of Standards and Technology ("NIST") published a notice in the Federal Register proposing a federal digital signature standard ("DSS"). The NIST proposal, and details of the standard setting process that recently have come to light, raise substantial questions concerning the future of U.S. information policy in general and cryptographic technology in particular.

The Impact of Government Encryption Standards

The DSS provides a means of authenticating the integrity of electronically transmitted data and the identity of the sender. According to NIST, the standard is "applicable to all federal departments and agencies for the protection of unclassified information," and is "intended for use in electronic mail, electronic funds transfer, electronic data interchange, software distribution, data storage, and other applications which require data integrity assurance and data origin authentication."[1] With governmental and commercial transactions increasingly dependent upon the reliability and integrity of such telecommunications applications, authentication techniques are indispensable. As NIST's Associate Director for Computer Security, Lynn McNulty, has said, digital signature technology "will be an important part of re-engineering the business practices that we've used for so many years in government and other parts of society. ... The signature will be absolutely critical in certain areas where, because of statute or practice, we currently require a written signature on paper."[2]

While use of the proposed DSS would be mandatory only for federal agencies, its adoption by the government would have a substantial impact on the private sector. Vendors will need to offer products for the government that meet the federal standard and are thus likely to design all of their products to conform to its requirements.[3] Thus, the Data Encryption Standard ("DES"), which was adopted by NIST's predecessor, the National Bureau of Standards, as a government standard in 1977, was quickly adopted by the American National Standards Institute and became the worldwide industry standard.

"National Security" Interests

In its Federal Register notice, NIST stated that it had selected the DSS after evaluating several alternatives and that the agency had "followed the mandate contained in section 2 of the Computer Security Act of 1987 that NIST develop standards and guidelines to ' ... assure the cost-effective security and privacy of sensitive information in Federal systems.'"[4] The reference to the Computer Security Act was significant because, in enacting the statute, Congress sought to vest civilian computer security authority in NIST and to limit the role of the National Security Agency ("NSA").[5] When Congress enacted the legislation, it expressed particular concern that NSA, a military intelligence agency, would improperly limit public access to information in a manner incompatible with civilian standard setting.[6] The House Report notes that

NSA's natural tendency to restrict and even deny access to information that it deems important would disqualify that agency from being put in charge of the protection of non-national security information in the view of many officials in the civilian agencies and the private sector.

NSA's reputation for secrecy is well-known and well-deserved. In the years following the Second World War, the making and breaking of secret codes became increasingly important to the U.S. national security establishment.[7] The National Security Agency, based at Fort George C. Meade, Maryland, was created by order of President Truman in 1952 and tasked with primary responsibility for communications intelligence (COMINT) -- intercepting and deciphering the secret communications of foreign governments. By some accounts, NSA is capable of acquiring and automatically scanning most, if not all, of the electronic messages that enter, leave or transit the United States.[8] The agency itself refuses to confirm or deny published information concerning its capabilities.

In the 40 years since its creation, NSA has enjoyed a virtual monopoly in the area of cryptographic technology within the United States. Believing its mission requires that such technology be closely held, the agency has actively sought to maintain its monopoly and to suppress the private, non-governmental development and dissemination of cryptography. The motivation behind NSA's efforts to suppress cryptographic know-how is obvious -- as the ability to securely encrypt information becomes more widespread, the agency's collection work becomes more difficult and time-consuming.

NSA's efforts to maintain its monopoly have extended into the area of export and trade policy. The export of software products containing cryptographic features is governed by the International Traffic in Arms Regulations ("ITAR"), administered by the Office of Defense Trade Controls at the Department of State.[9] In addition to software products specifically designed for military purposes, the ITAR "Munitions List" includes a wide range of commercial software containing encryption capabilities.[10] Under the export licensing scheme, the NSA reviews license applications for "information security technologies" covered by ITAR.[11] While the agency denies the charges, industry representatives claim that NSA-imposed restrictions are stifling innovation in an area that is increasingly important to the computer industry. They further contend that the controls on the export of encryption technology are forcing U.S. companies to lose markets to foreign competitors. As economics writer Robert Kuttner has noted,

[r]estricting the ability of domestic manufacturers to commercialize and export new technologies no longer assures that advanced technologies will stay out of unfriendly hands: it only diverts the business to Japanese or European manufacturers who don't share America's view of technological security. This has the most far-reaching implications for American competitiveness, because it is precisely the most militarily sensitive technologies -- super-computers, semiconductor architecture and fabrication, fiber-optics, advanced machine tools, cryptography -- that are also key to the competitiveness of America's commercial industry.[12]

Considerations of "national security" can also play a role in the patent system and inhibit the technological innovation that system is intended to foster. The Invention Secrecy Act, a little-known provision enacted in 1952 (the year of NSA's birth), authorizes the Commissioner of Patents and Trademarks to withhold a patent and order that an invention be kept secret "for such period as the national interest requires." Violation of a patent secrecy order is punishable by two years' imprisonment and a $10,000 fine.[13] As a Justice Department representative told a congressional subcommittee in 1980, "[w]hat the Invention Secrecy Act says in effect is that there are some inventions that are too dangerous to be disclosed in the way that a patent normally discloses the invention ...."[14]

The number of secrecy orders issued under the Invention Secrecy Act remained relatively constant from 1952 until 1979.
Since then, the number of active secrecy orders has increased: a total of 4,685 orders were in effect in 1986 compared with 3,513 in 1979.[15] While information concerning the substance of patent secrecy orders is obviously difficult to obtain, cryptographic technology clearly has been the subject of many such orders issued at the insistence of NSA.[16] These restrictions in effect exempt cryptography from the underlying purpose of the patent system: to "stimulate ideas and the eventual development of further significant advances in the art."[17] NSA's objective has been to suppress, rather than stimulate, advances in civilian cryptography.

NSA Involvement in the Development of Security Standards

As noted, Congress was cognizant of NSA's propensity toward extreme secrecy when it passed the Computer Security Act and sought to remove the impediments to technological innovation in the civilian sector. Congress specifically intended to "greatly restrict" the influence of the military intelligence agencies "while at the same time providing a statutory mandate for a strong security program headed up by [NIST], a civilian agency."[18] The House Report on the legislation noted that NSA's involvement in the development of civilian computer standards

could have a chilling effect on the vigorous research and development that is on-going in the academic community and our domestic computer industry. This industry has been one of the most viable segments of our economy. Its rapid technological advances have been due in large part to being free to openly exchange ideas without government interference. NSA's inherent tendency to classify everything at its highest level is bound to conflict with this broader goal.

The development of the digital signature standard is, to a large extent, the first real test of the Computer Security Act. Unfortunately, information that has recently come to light suggests that the barrier Congress sought to erect between the civilian and military agencies can easily be breached. The Federal Register notice announcing the proposed DSS last August made no explicit reference to NSA and clearly implied that NIST had developed the standard.

In an effort to analyze the federal standard setting process, Computer Professionals for Social Responsibility ("CPSR") submitted a Freedom of Information Act request to NIST for records related to DSS. In response to the request, the agency initially asserted that

all of the materials related to the evaluation of technology in choosing a digital signature standard for computer security are documents that are advisory and predecisional in nature, and are therefore exempt from disclosure under [FOIA]. In addition, some of the materials pertain to pending patent applications and are withheld under [FOIA] ... [and] are also protected under the provisions of [patent law].[19]

After CPSR filed suit in federal court to compel disclosure of the DSS materials, NIST acknowledged for the first time that the bulk of relevant documents in its possession in fact originated with NSA -- 142 pages of material were created by NIST while 1,138 pages were created by NSA.[20] For reasons not explained by the agency, NIST dropped its FOIA exemption claims and released 140 pages of its own material and referred the remaining documents to NSA for processing.

In response to news media scrutiny, NSA has now also acknowledged the leading role it played in developing the proposed DSS. In a letter to MacWeek magazine, NSA's Chief of Information Policy acknowledged that the agency "evaluated and provided candidate algorithms including the one ultimately selected by NIST."[21] While NSA steadfastly insists that its role in developing the digital signature standard is consistent with the letter of the Computer Security Act, the fact that the agency actually "provided" the DSS algorithm to NIST raises questions as to whether the spirit of the legislation has been followed.

At least one authoritative observer does not believe it has. Rep. Jack Brooks, who was a driving force behind the Computer Security Act while serving as Chairman of the House Government Operations Committee (and who now serves as Chairman of the Judiciary Committee), recently held hearings on DSS. He noted that

[u]nder the Computer Security Act of 1987, the Department of Commerce [through NIST] has primary responsibility for establishing computer security standards including those dealing with cryptography. However, many in industry are concerned that in spite of the Act, the NSA continues to control the Commerce Department's work in this area. For example, Commerce (at the urging of the National Security Agency) has proposed a "digital signature standard" (DSS) that has been severely criticized by the computer and telecommunications industry.[22]

The criticism of DSS alluded to by Rep. Brooks goes to the heart of the matter -- whether NSA's involvement in the standard setting process has resulted in the adoption of a flawed standard. Comments submitted to NIST by industry and academic cryptography experts were overwhelmingly critical of the proposed DSS. The vast majority of these experts expressed the view that the proposed standard is inferior to the established and widely used RSA public-key technology, which many have characterized as the de facto international standard.[23] Professor Martin Hellman of Stanford University, the co-inventor of public-key cryptography, wrote that he was "deeply concerned by faults in the technical specifications of the proposed DSS and by its development process." He noted that

NIST has lost considerable credibility with the non-military cryptographic research community and, unless the revision process of DSS is carried out in a much more rapid and open fashion, NIST is likely to become totally ineffective in the setting of cryptographic standards.[24]

NIST documents released to CPSR under the Freedom of Information Act suggest that the agency's own experts recognized the superiority of the existing RSA technology and its status as an emerging de facto authentication standard. An internal NIST evaluation of existing technology conducted in late 1989 noted that the RSA technique is "widely known and widely used" and is "a most versatile public-key cryptosystem."[25] Indeed, IEEE Spectrum magazine recently reported that the RSA technique

had been readied by NIST as the [federal] standard for several months and was dropped in December 1989 with no alternative in sight. Not until early spring of 1991 did NSA present the algorithm of choice to NIST. Even on background, sources declined to detail reasons behind the decision, although one mentioned that legitimate national security factors had come into play.[26]

The questions surrounding DSS -- both technical and procedural -- are so significant that even NIST's Computer System Security and Privacy Advisory Board has expressed reservations about the proposed standard.
The Board has called for a "national level public review" of cryptography policy and has deferred approval of the proposed DSS "pending progress on the national review."[27] The Undersecretary of Commerce for Technology, Dr. Robert M. White, agreed with the Board's recommendation and called upon NIST to organize public workshops on cryptography issues.

This review of national cryptography policy comes at a critical time. In the Cold War atmosphere that prevailed for 45 years, cryptography was seen as a vital national interest and most policymakers were willing to permit the National Security Agency and the military establishment to maintain a monopoly in the field. With the end of the Cold War, the military and intelligence considerations have changed. Indeed, Congress recognized the need for reform when it enacted the Computer Security Act in 1987, even before the demise of the Soviet Union.

Electronic communications are now widely used in the civilian sector and have become an integral component of the global economy. Computers store and exchange an ever increasing amount of highly personal information, including medical and financial data. In this electronic environment, the need for privacy-enhancing technologies is apparent. Communications applications such as electronic mail and electronic funds transfers require secure means of encryption and authentication -- goals that can be achieved only through the robust development and dissemination of cryptographic technology free of military interference. To that end, the role of the National Security Agency in civilian cryptography should be eliminated and NIST should be granted the authority and resources to assist, rather than hinder, the development of civilian cryptography in the United States.

* David L. Sobel is Legal Counsel to Computer Professionals for Social Responsibility ("CPSR") in Washington, DC. This article is adapted from a paper presented at the Twentieth Annual Telecommunications Policy Research Conference. The author wishes to acknowledge the research assistance of CPSR policy analyst David Banisar.

[1] 56 Fed. Reg. 42981 (August 30, 1991).
[2] "Lynn McNulty on Infosecurity Standards: A Talk with NIST's Protection Point Man," ISPNews, (September/October 1992) at 6.
[3] See Wright, The Law of Electronic Commerce (Little, Brown 1991) at 192-193.
[4] 56 Fed. Reg. 42981 (August 30, 1991).
[5] See "The Computer Security Act of 1987 (P.L. 100-235) and the Memorandum of Understanding Between the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA)," the Subcommittee on Legislation and National Security, Committee on Government Operations, House of Representatives, May 4, 1989 (testimony of Marc Rotenberg, CPSR Washington Office Director) reprinted in Military and Security Control of Computer Security Issues, 101st Cong., 1st Sess. (1989) at 80.
[6] H. Rep. No. 153 (Part 2), 100th Cong., 1st Sess. 21 (1987).
[7] See generally Kahn, The Codebreakers (Macmillan 1967).
[8] Burnham, The Rise of the Computer State (Random House 1980), at 126. See generally Bamford, The Puzzle Palace (Houghton Mifflin 1982); "The National Security Agency and Fourth Amendment Rights," Hearings before the Senate Select Committee to Study Governmental Operations with Respect to Intelligence Activities, 94th Cong., 1st Sess. (1975).
[9] 22 CFR Parts 120-130.
[10] See generally, Greguras and Black, "The Encryption Export Maze: Red Tape, Requirements, Restrictions," INFOSecurity Product News (June 1992).
[11] Adam, "Cryptography = Privacy?," IEEE Spectrum, August 1992 at 34 (reprinted statement of NSA).
[12] Kuttner, "Spooks and Science: An American Dilemma," The Washington Post, August 20, 1989, at B8. See also Kuttner, "How 'National Security' Hurts National Competitiveness," Harvard Business Review, January - February 1991, at 140.
[13] 35 U.S.C. Sec. 181 et seq.
[14] "The Government's Classification of Private Ideas," Hearings before a Subcommittee of the House Committee on Government Operations, 96th Cong., 2d Sess. (1980) (hereinafter cited as "Private Ideas") at 258 (testimony of H. Miles Foy, Office of Legal Counsel, Department of Justice).
[15] Hausken, "The Value of a Secret: Compensation for Imposition of Secrecy Orders under the Invention Secrecy Act," 119 Military Law Review (Winter 1988) at 202 n.10 (446 new orders were issued in 1986 compared with 293 in 1979).
[16] See "Private Ideas" at 406-431; see also Gilbert, "Patent Secrecy Orders: The Unconstitutionality of Interference in Civilian Cryptography under Present Procedures," 22 Santa Clara Law Review 325 (1982).
[17] Kewanee Oil Co. v. Bicron Corp., 416 U.S. 470, 481 (1974).
[18] H. Rep. No. 153 (Part 2), 100th Cong., 1st Sess. 7 (1987).
[19] Letter from NIST to CPSR dated September 11, 1991.
[20] CPSR v. NIST, Civil Action No. 92-0972 (D.D.C.) (agency affidavits filed in support of motion to stay proceedings).
[21] Letter from Michael S. Conn (NSA) to Mitch Ratcliffe (MacWeek), October 31, 1991.
[22] Opening Statement of Rep. Jack Brooks, Threat of Foreign Economic Espionage to U.S. Corporations, House Judiciary Subcommittee on Economic and Commercial Law, May 7, 1992 at 2.
[23] See, e.g., Comments submitted to NIST by Fischer International Systems Corp., dated November 26, 1991. See also "Debating Encryption Standards," Communications of the ACM, July 1992 at 34 ("After years of testing and proven reliability, RSA is now used by the majority of software makers around the world, including IBM, Apple, Lotus, Sun and Microsoft").
[24] Comments submitted to NIST by Professor Martin E. Hellman, dated November 12, 1991, reprinted in Communications of the ACM, July 1992 at 47-49.
[25] Memorandum from Roy Saltman to Lynn McNulty dated December 22, 1989.
[26] Adam, "Cryptography = Privacy?," IEEE Spectrum, August 1992 at 29.
[27] Computer System Security and Privacy Advisory Board, Resolutions No. 1 and 3, March 18, 1992.