DTI to ban electronic export of crypto from the UK!

Brian Gladman gladman at seven77.demon.co.uk
Mon, 6 Jul 1998 11:01:29 +0100


John Young <jya@pipeline.com> wrote:

>On Brian's proposal to separate controls of defense crypto from
>commercial: NSA stated in its press release on Skipjack/KEA
>declassification that it would use the AES winner for unclassified
>security needs but not for classified. Unleash of Skipjack, NSA
>claimed, was to foster commercial products for featherweight
>government/industry use.


The publication of Skipjack in the US shows that NSA recognise the
importance of controlling defence costs by using commercial market forces to
do this.  Although this is understood within the UK defence community, the
need to go down this path is NOT accepted by the UK National Security
authority - GCHQ - because their thinking is still dominated by the need to
maintain their ability to act as pirates on the information infrastructure.
Because of this their policy aim is to promote strong cryptography for (UK)
government use and weak cryptography elsewhere and they hence oppose any
policy that seeks to align government and commercial interests in
cryptographic information protection.  Moreover, it is in the nature of UK
government policy formulation that this dangerous (to the UK) and
counterproductive policy will continue for decades beyond its 'sell by'
date.  How any nation that is truly serious about information protection can
put 'gamekeeper' responsibilities under the control of 'poachers' is beyond
belief.

A few centuries ago the maritime nations, including the UK, all privately
sponsored piracy on the high seas. Eventually, however, it was recognised
that this was undermining the development of world trade and was not in the
real interests of any of the nations involved in it.  In consequence state
sponsorship ceased and the rule of law was established on the high seas.  At
the moment we have some of the 'large' nations of the world acting as
pirates on the information infrastructure and we are trying at the same time
to develop this infrastructure as a basis for electronic commerce and the
information society.   As happened a few centuries ago, nations will have to
stop sponsoring 'information piracy' if we are ever to move forward to the
global information society that we all hear so much about. This change is
inevitable but it is not clear how long it will take.

In this respect I believe that NSA is far more in tune with the real world
than GCHQ ever is - as a result NSA does change its policies whereas GCHQ
does not.  The reason for this is that the latter has been largely insulated
from forces for change by a government and civil service infrastructure in
the UK that is unable to identify or react to the need for changes,
particularly in areas where technology is involved.  In this respect I
welcome the formation of the Foundation for Information Policy Research
(FIPR) and I am hoping that this organisation will sponsor an early study of
UK government policy in this field.

I see the publication of Skipjack in the US in two ways.  At one level this
is a positive development since we need to align the interests of
governments, commerce and private citizens in the cryptography field.  NSA,
GCHQ and others have enormous experience in cryptographic information
protection - this is expertise that we taxpayers own (governments own
nothing) and it needs to be used in our interests ***as we judge them to
be***.  In my view this now means that it has to be used to support the
development of strong published algorithms and strong commercial products.
This is happening in the US with the AES process (DES replacement) and I
congratulate NIST and NSA for their far sighted support for this activity
(and, rightly or wrongly, I do believe that NSA is truly supporting this).

However publication can also be seen as a worrying development since it
blurs the distinction between commercial and government cryptographic
products.  If I were still in MOD I would welcome this change as a major
step forward but now I am fearful that it will cloud the argument for
removing commercial cryptographic products from 'dual use' controls.
However I did recently check whether there would be any change in ***UK***
policy on the use of published algorithms and was told that this was not
going to happen.  The fact is that UK security authorities will lag behind
the US by four or five years in reacting to market pressures because, as I
have already explained, the UK government and civil service system has
evolved to be excessively resistant to change.

>
>The US still controls "military-grade" encryption (whatever that may
>be) under the International Traffic in Arms Regulations (ITAR), while
>lesser strength, dual-use is handled by the Export Administration
>Regulations (EAR)'s Commerce Control List. Is a similar two-tier
>system used in the UK? Or would that information be an Official Secret?
>

This is a question that I would hope Nigel can answer.

>Moreover, isn't it the case that  under the Wassenaar Arrangement
>all signators are obliged to march to the same crypto cadence?
>Until, to be sure, the campaign to remove crypto from WA is
>successful.


It is clear, now that commercial uses of cryptography are growing rapidly,
that different nations interpret their Wassenaar responsibilities very
differently.  Although, therefore, all signatories are supposed to pursue
identical policies, they are not doing so as we have recently seen with the
statements about the policy of the Irish government.  It is now very clear
that cryptography, like electronics and computer systems, is a mass market
technology that cannot be subject to the sort of controls envisaged in the
Wassenaar agreement. We now have to ensure that the next Wassenaar round
moves in this direction and not towards a more repressive regime.  In the UK
in particular it is now essential that we seek a UK government policy that
removes all controls on cryptography other than when this is specifically
designed or intended for defence or weapons use.

I apologise for the length of this post but John's points gave me an
opportunity to expand on some of the very important issues involved.

    Brian