[High Tech]

The Ottawa Citizen
Wednesday, April 8, 1998
(High Tech Supplement)

Industry asks: What price security?

Customer confidence in having safe Internet runs up against need to control illegal activities

Security operations like Ottawa's Communications Security Establishment fear encryption technology will hurt detection of illegal activity.

Brian O'Higgins wants export controls eliminated.

Export approvals take too long and deter customers, Ron Walker says.

International agreements must be liberalized, Tim Hember says.

When Julius Caesar sent commands to his generals more than 2,000 years ago, he encrypted the messages by shifting the letters of the alphabet a set number of characters.

This system was considered state-of-the-art, but it was also relatively easy to decrypt. In fact, in wasn't until fairly recently that computers allowed for the development of virtually impenetrable encryption.

Last summer, 78,000 Internet computers collaborated on a project to decode a message encrypted with Data Encryption Standard (DES), a mathematical formula that uses a 56-bit decryption key. The effort took 96 days.

Cracking a message encrypted with more advanced 64-bit technology would take considerably longer -- an estimated 67 years, according to a recent federal document.

Such technical virtuosity is richly appreciated by individuals and corporations that value privacy. It has also triggered huge growth in electronic commerce, which depends heavily on customers' confidence that their transactions will not be tampered with.

However, security for customers has a flip side. The more secure the system, the more difficult it is for law enforcement agencies and international electronic monitoring agencies such as the federal government's Communications Security Establishment to track and control illegal activities.

At the moment, the balance of power lies with the enforcement agencies. Not only are there a variety of restrictions on the ability of encryption software companies to export their products, but enforcement agencies, especially in the U.S., are pressing for the right to compel all corporations to back up their digital data and provide access to the encryption keys that unlock it.

The burgeoning Canadian cryptography industry is naturally concerned that such restrictions will hurt it.

The top dozen or so Canadian cryptography firms posted an estimated $125 million in sales last year, according a recent federal survey, with sales expected to top $750 million by 2000 -- assuming the firms are reasonably free to ply their trade.

Here's the problem: Canada is one of 33 countries that in 1995 signed the Wassenaar Agreement, which provides a framework for dealing with security threats in the wake of the fall of the Soviet Union. Under this agreement, Canada has agreed to restrict exports of encryption products to most countries. The United States, a close ally, is an exception. There is free trade in cryptography products across the U.S.-Canada border. Not surprisingly, the U.S. has emerged as the major market for most Canadian firms that specialize in security products.

However, the same group of companies is trying to boost exports to Europe and Asia in the face of the Wassenaar requirement that such sales be accompanied by export permits. Getting rid of these restrictions would give Canadian firms an edge over their U.S. counterparts in these markets -- which is why the U.S. would view a unilateral move by Canada very unfavorably.

The federal government recently began trying to devise a new cryptography policy that will allow Canada's young cryptography industry to thrive while, at the same time, giving law enforcement officials some confidence they'll still be able to decode electronic files in a new era of 128-bit technology.

A working group in Industry Canada is accepting submissions from all parties until April 21. A dozen representatives from the country's top cryptography firms met last week in Ottawa to prepare a joint response.

The public meeting was sponsored by industry giant Entrust Technologies Inc. and moderated by Alan Pickering, the former director-general of the Communications Security Establishment. The Citizen's senior technology writer, James Bagnall, attended the proceedings. The following is an edited digest.

Alan Pickering: The federal government wants Canada to be a world leader in electronic commerce by 2000. To achieve this, we must expand the use of electronic commerce internally within Canada as well as globally. Therefore, we must have global market access. Canada also has a desire to be recognized as best in class in the electronic commerce world. Companies around this table have gone a long way in making that happen already. On Feb. 23, Industry Canada set out a number of possible options.

There are three topics where the government particularly asked for input:

Brian O'Higgins, executive vice-president and chief technology officer, Entrust Technologies: We believe the export controls should be eliminated. We believe there should not be any mandated (system) that would give the government automatic access to encryption keys. What law enforcement officials would like is access to encrypted data, any time, anywhere in the world: Effectively, they have a copy of everyone's encryption key nicely available to them; they could just go in and get it. So that would be their ideal.

And on the other end of the spectrum are freeware products that sit on the Internet. One example is Pretty Good Privacy -- it will encrypt data and there are no keys stored (which would give law officials access to the data). If products like PGP were around everywhere, that would really create a problem for law enforcement.

But commercial cryptographic products will start to emerge (to address this problem). In fact, Entrust is a very good example -- we encrypt data for storage, and the ability to recover the key is built right into the product. If law enforcement officers need to get access to the key, they would simply knock on the door of the company and we will give it to them. And we believe that this meets say, 90 per cent of all the law enforcement requirements.

Phil Deck, chief executive, Certicom Corporation: You could easily afford to have a government mandate that says companies do have to take steps to make information available. I don't think that's terribly different from what Brian said, but the government shouldn't put in place a system that tells companies how they will make information available should that request ever come through a warrant.

The way that cryptography or information should or may be regulated in Canada is completely separate from the way Canadian companies have to go out and sell their products around the world. If we are going to have a Canadian cryptography industry, 95 per cent of our product sales will come outside of Canada, so what Canada decides to do domestically should have very little to do with how we build and market our products. We can't build our products in a way that is just for Canada.

But when we regulate encryption for export, that's totally different. No one's going to buy products if the Canadian government has control over the keys. The U.S. is the big issue (because it would like to see such a policy implemented in Canada and the U.S.) We may not like or agree with some of the policies in the U.S., but we have to make sure that this market remains open for cryptography products because for all of us it's our biggest one.

So if we can liberalize (our export laws) to the extent possible without retaliation from the U.S., then I think that's in our interest.

Ron Walker, chief executive, KyberPASS Corp: KyberPASS is in the virtual private network software technology field, and we are exclusively dealing with real-time data transmission encryption. The big issue right now for a startup is that we are basically starving to death waiting, not just for the government to make up its mind, but for us all to understand how we are actually going to export this technology.

We're forced into uncertainty when we are dealing with new opportunities to sell the product to a customer. My resellers in Asia and Europe explain Canada's export policy to our potential customers and then we go through a process of getting approval. The delays are promised to be something like five days for a standard cryptography product; it turns into two months, and meanwhile the leads disappear.

The other thing is, we're really selling to a commercial grade customer -- 56-bit DES has to solve their requirement nine times out of ten, or they are not going to buy the product. They'll buy something stronger. They don't know and we don't really know for sure what the Canadian government is going to approve after June (when the trial period allowing the export of 56-bit encryption technology expires), so it's tough to be new in this business when you're not really sure what the rules are going to be three months from now.

This issue of 56-bit DES -- we would really like to see a blanket permit on behalf of Canadian manufacturers. Then we would have a level playing field. Right now a month's delay in getting approval can be the difference in winning or losing a bid. That is an issue, especially when you have any kind of bureaucracy involved with the approval process. It also introduces unfair access in a sense that larger companies can endure a bureaucratic delay better than smaller companies.

Alan Pickering: Comments on Ron's statements?

Brian O'Higgins: Yes, I wanted emphasize that the Canadian government tries very hard to work with industry to eliminate delays -- export delays and so on. Occasionally there's a rough spot if a new question comes up that is maybe not covered by current policy. Then a delay occurs. A delay to a small company is death. You just can't hang on.

Phil Deck: The Canadian government works very hard to try and deal with these issues, but the policy right now is pretty subjective. And there are a lot of different issues that have to be taken into account, and so it is hard to get a fast response.

Ron Walker: I'm not necessarily bashing the government. They do in fact work hard and they've always been very helpful. But the policy exists.

My point was that the export policy appears to be quite clear but there is an awful lot of subjectiveness in how long its going to take to get an approval for an export permit. The delays exist. We experience them. And even if I knew it was always going to be four weeks, that would be okay. I just don't ever know.

Alan Pickering: When you talked about wanting to have a defined time to get an answer, a lot of heads were going up and down around the table. So it's obviously a concern and incumbent upon the government to see what it can do to speed up the process, or at least try to provide some defined time of when you can get an answer. David?

David Jones, president, Electronic Frontier Canada: Electronic Frontier Canada is a federally incorporated non-profit organization. We are firmly opposed to any policy or legislation that would limit or prohibit the manufacture, import, export or use of strong (i.e. 56 bit and above) encryption for either stored data or real time communications. It's our opinion that the most stringent policy options outlined in this framework document would be unconstitutional, harmful to Canadian society, detrimental to the Canadian economy, and in the end simply unenforceable.

A lot of the proposed restrictions on cryptography are based on the largely speculative and somewhat imaginative risk of international terrorists and organized criminals using cryptography to communicate in secret. The greater risk to Canada is if we force Canadians, Canadian companies, and government departments to rely upon weak encryption.

Lynn Anderson, enterprise marketing manager, Hewlett Packard Canada: Encryption is a critical enabling technology for e-commerce. We have reached the point in the commercial demand for encryption where continued delay in resolving the policy issues, is becoming a serious impediment to its deployment.

HP supports policies that depend on market drivers to facilitate the inclusion of law enforcement access mechanisms. As a practical matter, the cost of such features will be manageable if law enforcement finds ways to draw on features that exist solely by the virtue of market demand. Furthermore, regulations should be kept to an absolute minimum.

Meaningful export control relief is required now. The widespread availability of encryption products, as well as the technical wherewithal to create new ones, suggests the effectiveness of controls is greatly diminished. Continuing the controls as they are, may damage Canadian industry's competitiveness.

For most communications systems today, encryption is only used to secure transmissions over the air. Once in the public network, the transmissions are decrypted. So long as this remains true, no changes are required. If more restrictive laws are chosen, they must be written to apply evenly across all affected industries and should not specify any particular technological approach.

Ron Koblovsky, vice-president, Marketing, Milkyway Networks: Each of us here is motivated by the opportunity to share in a piece of the information security pie that by all accounts will be very large. The issue is not whether or when the market opportunities will emerge, but will Canadian companies like MilkyWay be allowed to emerge on the world stage and reap the benefits of the emerging market opportunities.

My plea in response to the government request for feedback is "Give us a level playing field on which to compete."

Design and manufacturing capabilities are emerging in many nations. Existing government policy is inconsistent, complicated and open to interpretation. Despite good intentions, the result is often a time consuming and barrier-ridden bureaucracy. As a result we have found ourselves in competitive situations where time is of the essence and our inability to respond quickly puts us at a competitive disadvantage.

Companies like Network Associates of Islandia, New York, have found ways to get around the export issue through a Netherlands subsidiary. Sun Microsystems tried something similar with a Russian company. In the absence of clear policy or direction and in the face of growing revenue opportunities, companies will find ways to circumvent or bend the rules to their own purpose.

Brian O'Higgins: What Network Associates has done to get around U.S. export law deserves more emphasis. In this case, it was the Pretty Good Privacy product. It is not possible to export that since it uses 128-bit crypto-graphy, but Network Associates published the source code in a text book with machine-readable fonts. Printing a textbook is not illegal; it's public domain information, so it goes around the world.

What we need is a made-in-Canada policy. We've heard a couple comments here that while Canada probably doesn't want to annoy trading partners and the U.S., it should follow U.S. policy. Well, there's an example of a total workaround under U.S. regulations, and we need a made-in-Canada policy that is good for Canadians and good for Canadian companies.

Benita Baker, manager of marketing communications for Chrysalis-ITS: This whole notion of a level playing field affects us a great deal. Most of our products are greater than 56-bit DES. We require export permits for just about everything we do. We had an incident whereby a subsidiary of an American company in Japan wanted our products and we could not get an export permit to send it there; in order to get around it, we had to ship our product to the U.S. company, which then shipped it to Japan.

That was kind of frustrating, to say the least. One of the things we've come to realize is that at this point similar products to ours are available through U.S. companies that have been able to get around the U.S. regulations, which are at this point a bit more lenient than ours.

U.S. companies for the next two years can export greater than 56-bit DES provided they make satisfactory commitments to develop and market (encryption) key recovery products. That's funny, because it makes it so easy for American companies to get around the current restrictions. There's even one company that boasts about the fact that they've been able to get around the U.S. policy and it will help people to do the same. So this is the kind of issue that we're up against on a regular basis.

Alan Pickering: Thank you Benita. It's interesting. If products are available in foreign countries, you as a Canadian company have already lost a lead if you will, and you're now in a catch-up mode. Brian?

Brian O'Higgins: Yes, I just want to really emphasize that one. In the Internet world, the rule is, the first company in, wins.

Paul Van Oorschot, chief scientist, Entrust Technologies: Regardless of what ends up happening with U.S. policy, people will be able to buy crypto-graphy elsewhere. If we're just going to follow the U.S., it might mean that we just have to give up on trying to be number one.

Tim Hember, chief executive, TimeStep Corp: The problem here is that the U.S. has a written policy that differs from a kind of a backdoor policy that governs what companies do. So we can't define our policy based on their written policy because we'll always be playing catch up.

Phil Deck: One of the problems with the whole export control debate is its always been centred in the U.S., though export control happens everywhere. One good thing the Canadian government could do is to work much better with other developed countries so that at least we could have the same kind of relationship with the U.K., Germany and Japan that we have with the U.S., where there's an open border. Maybe its better to make the debate a little more specific to where the real markets are.

Alan Pickering: Okay, Dermot do you want to make a few comments?

Dermot Kavanagh, manager, regulatory standards, Nortel: Nortel recognizes and supports the need to balance the interests of electronic commerce, privacy and law enforcement, but we also believe that while Industry Canada is trying to do this, there are a few other things that it needs to throw into the equation.

The cost of managing this balance must be sustainable, and any legislation or regulations that are introduced must be simple to understand and implement. They must not put Canadian industry at a competitive disadvantage and must not prevent Canada from being the world leader in electronic commerce.

Tim Hember: I want to take a shot at this. I'm representing TimeStep in making five recommendations.

Paul Van Oorschot: The Wassenaar arrangement actually says that permits are required for certain technologies, and cryptography is one of them. However, it doesn't say that you should or should not grant an export permit.

One of the problems with this arrangement is that some countries implement the Wassenaar arrangement by saying, "Yes, we need a permit, send us a letter, here's your permit."

And other countries say, "Yes, you need a permit," so you request one and then they say, "Well no, in fact, that's not allowed to be exported." So just requiring a permit is very vague and we need to have the details on not only whether a permit is required, but will one be granted, and if so, what are the conditions under which it will be granted.

Tim Hember: I agree Paul. I'm recommending liberalizing within the framework of the Wassenaar arrangement.

Alan Pickering: OK. Do you have anything to say, Todd?

Todd Finch, president of Netscape Canada: I think a lot of people around the table know Netscape's views. Our chief executive, Jim Barksdale, has stated numerous times both in front of Congress and to the public that the regulation and policy of encryption should not be managed by governments. We think there needs to be regulatory control, but we don't think the policies should be mandated by federal governments.

Alan Pickering: Certainly from what we've heard so far, it would appear that the general consensus is no controls. If your view is that you simply want to sell, then that's the easiest and the best way to go. There might be some concern on the part of the people in the federal government who have to deal with other countries, and they've already signed agreements on how some of these things will be done.

Earlier, Phil had made a comment about Canada getting too far out of step with the U.S. in particular. And it's something that I think companies should be considering. While if Canada took an approach that no controls were in place. How would the U.S. react?

It has been stated that the U.S. government has found ways around regulations when it suits its purposes and those of U.S. firms. There's evidence of that having occurred. By the same token, I think it's clear from what we've seen and from the way the U.S. operates in the world that they could be very tough in dealing with people to try to make them accede to whatever objectives they have within the U.S.

And as Phil indicated, it's possible that if Canada went too contrary to what the U.S. objectives are, it's possible that a lot of business could be lost in the United States. So I think you should ask yourselves if you can still survive by selling your products to countries other than the U.S. Maybe other countries will say "If the U.S. won't buy your products, we won't either." I'd like to hear some discussion on that concern.

Robert Koblovsky: Right now, the United States represents about 60 per cent of the worldwide market for my products so, sure, I want to have access to that market. It also happens to be the most competitive market in the world. So there are pluses and minuses. Looking ahead, Europe is probably the fastest growing market for this kind of technology. I know that doesn't answer your question Al.

Alan Pickering: I'm not sure there is an answer. (Laughter)

Robert Koblovsky: I'd like to play in all of those market places but the point here is really, we want an unfettered marketplace where we can freely trade our goods. That's our first choice. In the absence of that, we'd like to be sure that the rules and regulations are consistent.

Alan Pickering: I guess the problem the government faces in trying to create a level playing field, in my view, is that the people who have been involved in the past thought they were doing exactly that. What you are saying is that the playing field is not level because of how the rules are being interpreted or circumvented.

Phil Deck: If you think the Canadian policy or its application is subjective, it's ten times worse in the U.S. When you're competing against an American company, you don't know how it's going to play out because you don't know how the company will be treated under the rules.

And my comment about the U.S. government was not that we should follow U.S. government policy. It's that we just have to take it into account. And I just don't know why the other developed countries don't do more to try and co-operate to try to counter the power of the U.S.

Clearly the computer industry is based in the U.S. There's a lot of influence there, but we're not the only country in this position. The U.K., Germany and other countries are trying to battle the same issues and have the same interests as ours. There could be more co-operation between those countries.

Alan Pickering: Brian?

Brian O'Higgins: I'm still considering your comments about the U.S. position. Yes, we have to consider it, but let's not get too paranoid about it all. If the U.S. doesn't like products from Canada, one approach they might take is to implement import restrictions. That's extremely unlikely. Of course, the U.S. government could decide what it wants to purchase and that, absolutely, that's a very useful tool. But the U.S. is such an open market that people are going to buy what solves their problems and it's very unlikely that there's going to be import restrictions.

Alan Pickering: Yes, I wasn't necessarily supporting the U.S. position, I was being a bit of a devil's advocate, saying that people should go into these things with their eyes open and make some assessment on what's the likelihood of something happening and then go along with whatever you decide.

Ralph Doran, vice-president of product development for JetForm Corp: We're coming at this from a different perspective. We're a user of security technology, not a provider. And what's really driving us isn't governments or countries or the desire to get into specific territorial markets, it's global companies.

We primarily sell to multinationals. Many of them are U.S. based and they're driving us to put security features into our technologies because they don't see borders. They don't want to implement special technologies or solutions. So anything that any government is doing that slows the adoption rate of the technology hurts everybody.

I would look to global companies like Coca-Cola and McDonald's and so on to provide pressure on the U.S. and other governments as well as the industry itself. We've got some allies in that field.

Phil Deck: I disagree. U.S. multinationals can buy technology and deploy it anywhere without restriction, so it's a little harder to get their support because Coca-Cola can put absolutely strong encryption in everywhere they operate for their own use. So it's really in dealing with foreign companies that are located other places that we all get into trouble.

And we have a particular problem because we are an original equipment manufacturer (i.e. Certicom's products are embedded in other firms' products) so a lot of our U.S. customers intend to then re-export their product everywhere else in the world. I suspect if the US government gets upset with us, then that would make our lives more difficult.

Alan Pickering: One of the additional topics the (Industry Canada) paper asks us to look at is what government action could accelerate rollout of

infrastructure for secure electronic commerce? And I guess, one of the answers that's been provided already is "Get out of the way." Is that sort of a fair summation of the views around the table?

Tim Hember: They can also promote the proliferation of solutions by their own use. And they are doing that.

Dermot Kavanagh: Yes, the government can stimulate the building of infrastructure by being a role model in the use of electronic services in its dealings with the public.

Alan Pickering: I interpret that as to get out of the way. (Laughter around room.)

Brian O'Higgins: As Tim mentioned, I think the government has a very strong club: its own clout and purchasing power. Government departments are huge and if they are looking to buy an electronic messaging system or whatever, its enough of a bulk purchase that vendors would jump through hoops to provide what it is that they want. Their biggest club, for sure, is their purchasing dollars rather than their legislative approach.

Alan Pickering: When I said get out of the way, I meant as far as controls are concerned and so on. And certainly it has been the government policy for a number of years now to provide that leadership that you've been talking about, Tim, in the introduction of the public-key infrastructure (a system that encrypts electronic messages across the federal government and determines who is permitted to send and receive them). There is also the government's commitment that it will operate and provide services to Canadian citizens electronically certainly by the year 2000.

We're supposed to have PKI implemented by the end of 1998. It will operate between certain departments and then outside of government. There's a lot of discussion going on between the government and the provincial governments and the municipal governments as well about how can they operate together. Of course it's required that good technology and appropriate technology is on either end of communications and distribution of information. So there's a lot of leadership I think coming from government along that line.

Brian O'Higgins: That's absolutely right. The Canadian activity in public key infrastructure is world leading. I don't think the impact is really appreciated in a lot of industry. But it's such a major, major benefit. Electronic commerce can't happen unless you have strong security. And to get strong security you need an infrastructure to really support that. So Canada will be first in the world with that infrastructure.

And of course the whole world is going to implement electronic commerce for all types of transactions. Canadian companies are going to benefit tremendously because they are going to be the first ones to provide all these extra applications that help people get on board.

So, Canada has done a tremendous amount and I just don't want to see leadership squandered by a policy that says "We want to follow." We really need this made-in-Canada policy to help keep things rolling.

Tim Hember: I'm just curious. Is what I hear from people here that we are prepared to take the wrath of the United States and go out on a limb and propose a policy that liberalizes it significantly within the Wasenaar arrangement?

Alan Pickering: Well, that was basically the question I was putting to the table: The consequences that should be faced. Looking at the three areas of discussion, from what I've heard, this group favors a market-driven approach to the encryption of stored data in corporations.

There should be no mandate by the government, in other words, that companies within Canada should be required to keep digital information backed up through key backup and all the rest of it. I believe that's what I heard.

With respect to the encryption of real-time communications, I believe it's the opinion of the group that current laws and procedures should remain. However, there should be selective discussions and applications of rules that would require communications service firms to provide access when required for law enforcement purposes.

I guess one question that comes to my mind there. It used to be that communications were usually on copper wires. Now communications travel all sorts of ways.

Is it appropriate that there be one regime for the electronic commerce side of things but something else for common carrier communication systems? Just a question. But certainly what I heard was the status quo should be maintained.

With respect to exports of cryptography, there should be no controls; that's what most people seemed to favour, if not everybody.

Certainly the government should make sure there's no competitive disadvantage to Canadian companies when they are dealing w \ldots

Copyright © 1998 by The Ottawa Citizen. All Rights Reserved. Reprinted with permission.