The following findings have been adopted by the PECSENC as a
reflection of conditions of international competition prior to the
U.S. Government's liberalization of encryption export controls
announced on September 16, 1998. The liberalization may affect many
of these findings, and the findings will be used as a baseline for a
review of the effects of the liberalization in future sessions of the
1. The difference between U.S. encryption controls and those of
other nations is a serious -- but not the only -- factor determining
success in the computer security market. With or without controls,
both U.S. and foreign products are likely to continue to coexist, and
other factors are likely to continue to slow deployment of security
Many foreign companies, for example, especially those
influenced by governments, will continue to favor domestic security
solutions, and many computer users will not deploy serious security
technology until there have been major incidents with losses that can
be attributed to lack of encryption.
2. Nonetheless, the adverse impact of controls on U.S. industry is
palpable. For many software applications, business customers simply
demand security and encryption; it is a checklist item, and its
absence is a deal breaker.
While simply counting the number of
foreign encryption software products in the market is not an accurate
measure of the impact of controls, one particularly serious risk is
that non-U.S. companies will use their ability to export stronger
encryption as "leverage" to dominate particular applications.
This has happened in at least one field - Internet banking - and
may occur in other areas of electronic commerce. Brokat, a German
company that scarcely existed four years ago, now has 250 employees
and offices in several countries including the United States.
Brokat's specialty is Internet banking and electronic commerce, but it
broke into that business on the strength of being able to offer
stronger encryption than German banks could obtain in Netscape or
Brokat is now a major player in this niche, with 50%
of the European Internet banking market and enough U.S. customers to
justify a 20-person U.S. branch office. Meanwhile, encryption
constitutes 10% or less of Brokat's revenue, and it has expanded its
initial Internet banking offerings to include support for other forms
of electronic commerce. Loss of U.S. competitiveness in the electronic
commerce software market obviously raises concerns not just about
encryption software but other software opportunities. Indeed, it
foreshadows a weakening of the U.S. position as a leader in electronic
3. The persistent emphasis in U.S. export control policy over the
past two years on key recovery, or "lawful access," has also taken a
toll on the credibility of U.S. security products. Key recovery
continues to find a market. Business wants to ensure that data are
available for corporate purposes, including litigation. Key recovery
is seen as an important feature for stored business data (though not
for communicated data in transit).
But the use of export controls to drive the key recovery market
further than it would go by itself is hurting U.S. industry. Foreign
governments and competitors, particularly in Europe, have
misinterpreted this U.S. policy, perhaps deliberately.
foreign customers are told often by their governments as well as local
security companies that all U.S. encryption products come with a back
door allowing the U.S. government to read the contents. In part this
is the result of outmoded "Recovery" supplements to U.S. export rules
that demand an unrealistic level of U.S. government access to key
recovery products. In part it reflects the hostility of many foreign
governments toward U.S. key recovery and access policies. It also
reflects the fact that some countries will simply never rely on
security products that are not home-grown, and misunderstanding U.S.
key recovery policies may simply be a handy stick to beat U.S.
products with. But it is unfortunate that the U.S. government has
provided such a large and easily wielded stick.
4. U.S. controls are driving many U.S. companies into "cooperative
arrangements" with foreign encryption suppliers. These cooperative
arrangements allow U.S. companies to provide complete security
solutions by encouraging their foreign partners to marry foreign-made
crypto with U.S. commercial applications.
arrangements are highly risky under U.S. law, but they are not
unlawful per se. Given the stakes, many companies have been prepared
to take risks under U.S. law, and it is expected that more will do the
The result is that U.S. policy has fostered the development of
cryptographic software and hardware skills outside the United States.
German, Swiss, Canadian, Russian, and Israeli cryptography companies
have all benefited form this unintended consequence of U.S. encryption
5. The U.S. government has made efforts to "level the field" of
disparate export controls for encryption through negotiations under
the Wassenaar Agreement.
The U.S. proposal that 56-bit encryption
become a new "floor" for encryption exports under Wassenaar, while
certainly better than current policy, is likely to be implemented at
least a year and perhaps several years too late. In response to the
U.S. KMI initiative, which conditionally decontrolled 56-bit
encryption in December 1996, other countries also decontrolled 56-bit
DES but more or less unconditionally.
The countries include Canada
and apparently the United Kingdom. And by 1996, other countries, such
as Germany, already were approving the export of 56-bit DES to
virtually any country for virtually any purpose. Most recently, the
exhaustion of a 56-bit DES key using a machine built for a quarter
million dollars has entirely discredited DES as a serious security
tool for valuable secrets.
Single DES remains a useful tool for
assuring privacy against a wide variety of potential adversaries and
snoops, but decontrolling 56-bit encryption will not provide a
significant boost to the competitiveness of U.S. technology for
serious security applications.
6. Process and timing: In 1995, the State Department approved
routine license applications for the export of encryption in less than
a week on average. This was when the State Department had
jurisdiction over encryption and NSA staffed the State Department's
office and handled all encryption license applications.
This is no longer the case. The Commerce Department has staffed up
heavily in the encryption field, but its processes now include
parallel reviews by the FBI and NSA under a 30-day deadline that can
be extended further with a simple "no" vote by either agency. For
whatever reason, these agencies are now taking the full 30 days -- and
often 90 days. Against a backdrop of continued export liberalization
over the past four years, this degradation in export control
performance strikes a jarring note.
The Commerce Department's performance in this area is not
necessarily out of line with the performance of other countries. The
German government often takes two to three months to approve a license
for a new product and six weeks to approve a license for routine
The difference is that German companies know with
certainty that a license will be issued at the end of the process; and
the German government imposes no key recovery requirement on
exporters. Therefore, they can make commitments to deliver products
that require a license even before they get the license. In the United
States, both the FBI and NSA have at times cast votes intended to roll
back existing policies, and they have at a minimum managed to stall
licenses that seemed to fit existing policy.
A key recovery policy,
for example, has been applied sporadically to U.S. multinationals and
with some inconsistency to other exports. For this reason, it is not
prudent for exporters to assume that a license will be issued or to
make commitments on the assumption that the license will be issued -
even when existing policy makes it seem likely that a license will
eventually be granted.
Because an RFP by a foreign company may
provide only 30 days for responsive proposals, and the proposals often
must include an assurance that an export license will be obtained,
some U.S. companies lose bidding opportunities simply because the U.S.
government does not process licenses quickly enough.
In other respects, of course, Commerce Department practice is a
large improvement over State's performance. This is particularly true
for controversial licenses, on which Commerce typically forces a
decision over a course of months.
In contrast, State Department
licenses could be held up for months without any explanation and there
were no deadlines for resolving interagency disputes. Nonetheless, it
seems clear that the Commerce Department and the other participants in
the encryption licensing process should adopt additional procedures to
speed the granting of relatively non-controversial licenses.