1996 Congressional Hearings
Intelligence and Security
Testimony of Tim Krauskopf

Co-Founder and Chief Technology Officer

Spyglass Inc.

http://www.spyglass.com

on Behalf of the Information Technology Association of America http://www.itaa.org

Before the Senate Commerce Committee

Subcommittee on Science, Technology and Space

June 12, 1996

Introduction: Spyglass and the Internet

Good morning. My name is Tim Krauskopf, and I am the co-founder and Chief Technology Officer of Spyglass, located in Naperville, Illinois. We are a small business employing 137 people and had revenues of $10 million last year. We are growing rapidly, and are in a unique position in the Internet software industry of holding the exclusive rights to the commercial version of Mosaic, originally developed at the National Center for Supercomputing Applications at the University of Illinois at Urbana-Champaign. Mosaic is software that was developed to allow people to navigate the graphical portions of the Internet, specifically the World Wide Web. Spyglass is also unique in that we license our Internet technology to more than 70 companies who incorporate it in various products. So our technology plays a central role in the growth of the broader Internet software industry.

Our company's first product was a suite of data visualization tools used by scientists and engineers. We entered the Internet and World Wide Web market in May, 1994 when we completed our licensing arrangement with NCSA to develop and market a commercial version of NCSA Mosaic. Spyglass was selected for several reasons: First, I had been involved in developing early Internet technology, co-authoring NCSA/Telnet, software that made the Internet accessible for researchers and students. Second, Spyglass had already established a strong track record developing cross-platform software for the commercial marketplace. In August of 1994, NCSA extended its agreement to provide, on an exclusive basis, all future commercial licensing rights to Spyglass. Our core business is to license Spyglass Mosaic technology to other companies to include in their Internet and Intranet-related products. As the Web market has grown and evolved, so has Spyglass and its technologies. You may have heard about our recent acquisition of Surfwatch, the leading provider of filtering and parental control technology.

The Information Technology Association of America

I am here today representing both Spyglass and our primary trade association, the Information Technology Association of America. Spyglass licenses Web technology to many other ITAA member companies such as Oracle Corporation, Computer Associates, IBM, Microsoft, Platinum Technology, and others.

The Information Technology Association of America represents a broad cross-section of the software, Internet, information technology services, telecommunications and systems integration segments of the high-technology industry. ITAA direct and affiliate members number over 9,000 across the U.S. ITAA is the umbrella organization for 25 of the regional high technology organizations in various states, representing them here in Washington, D.C. Member companies include Netscape Communications, Microsoft, Oracle Corporation, Computer Associates, Novell, IBM, AT&T, MCI, and EDS, to name a few.

ITAA's software division has made a name for itself as the leading organization representing the Internet, Intranet and Network-centric business software industry. The largest software companies focusing upon the Internet and Intranet markets are active in the association. Priority issues include encryption, international, federal and state taxation of software, services and the Internet, telecommunications reform, copyright, immigration, and the Year 2000 software crisis.

ITAA Supports the Goals of S. 1726

ITAA supports the goals of S. 1726, the Promotion of Electronic Commerce in the Digital Era (Pro-CODE), because it recognizes that:

1. The issue of encryption and information security over computer networks and the Internet is no longer an esoteric, arcane subject. How security over this network of networks is addressed will have a broad, pervasive impact on the future of the Internet, business and society. Companies have legitimate concerns about protecting their proprietary information from competitors and foreign governments.

2. The Internet is a global medium and the availability of encryption products around the world must be a fundamental factor in setting U.S. export policy. While there are legitimate law enforcement and national security considerations, U.S. policy cannot ignore these market realities.

3. The economic cost of the Administration's current policy on encryption will be enormous not only to U.S. software industry jobs and revenues but will also have an impact on the ability of U.S. businesses to harness the Internet to enter new markets.

We will discuss each one of these points in turn, and then lay out our specific recommendations for moving forward.

The Significance of Information Security and Encryption in a Networked World: The Threat Is Real

A cover story in Business Week last year proclaimed that, "The Web Changes Everything." While that may be a slight exaggeration, the Internet is indeed starting to transform not only how business is conducted but society more broadly.

Within several years, there will be more than 100 million people connected to the Internet. Zona Research estimates that the market for corporate "Intranets" alone - businesses harnessing Internet technology for both in-house and inter-enterprise applications - will grow to more than $6 billion by 1998.

Outdated U.S. export restrictions on encryption are a major barrier to realizing the potential of the Global Information Infrastructure and all it has to offer, such as business communications, financial transactions, healthcare and personal medical information, and consumer privacy.

A New York Times editorial this week made the point effectively: "Once largely the domain of governments and their intelligence services, encryption technology is now commonly used by corporations, banks, securities firms and individual computer operators. It is time to revise Government encryption policy to fit this new universe."

The recent, authoritative report of the National Research Council (which includes former Attorney General Benjamin Civiletti and Ann Caracristi, a former Deputy Director of the National Security Agency) also pointed out the growing pervasive impact of communications networks upon global society:

"As the availability and use of computer-based systems grow, so, too, does their interconnection. The result is a shared infrastructure of information, computing, and communications resources that facilitates collaboration at a distance, geographic dispersal of operations, and sharing of data. …Today, the rising level of familiarity with computer-based systems is combining with an explosion of experimentation with information and communications infrastructure in industry, education, health care, government, and personal settings to motivate new uses and societal expectations about the evolving infrastructure."

In short, we are going through a paradigm shift in which the importance of protecting the security of information on computer networks is growing at a geometric rate.

The threat to the security of information on the Internet is real. Companies are concerned not only about the ability of competitors to gain access to proprietary information, but also foreign intelligence agencies. Two former Directors of France's intelligence agency have stated that they gather economic intelligence, including information from certain companies that have been targeted. Attached is a box included in the National Research Council report laying out the "Threat Sources."

Last August, a French student was able to crack a 40-bit encryption scheme distributed by Netscape Communications by using computers at his university in his spare time (it took him 8 days to break the code). A group of computer scientists released a report recently that $10,000 worth of computer hardware can break a 40-bit key in 12 minutes. The group estimates that a 56-bit key using a $10 million corporate computer could be broken in 12 seconds. Such costs could be justified by a foreign company or intelligence agency trying to steal financial information, trade secrets or valuable technology.

In meeting the threat, our responsibility is three-fold: to understand the shifts taking place in society, to identify the new vulnerabilities, and to put in place the technology solutions necessary, including strong encryption, to counteract inappropriate or illegal behavior.

The Internet is a Global Medium and Foreign Availability Must Be a Fundamental Factor in U.S. Policy

The Internet does not stop at the U.S. border. It is a global medium that does not recognize the boundaries between states, countries or continents. If information or products are made available somewhere on the Internet, it is accessible to anyone regardless of geographic location. S. 1726 allows U.S. software and computer companies to compete on a level playing field with our foreign competitors in this rapid growth global marketplace. We are particularly pleased that S. 1726 recognizes that distributing software over the Internet will grow in volume and economic significance and should be used as a factor in determining whether a product is generally available around the world.

One of the most perplexing aspects of the Administration's position is that it has decided to turn a blind eye to the issue of what strength of encryption products are broadly available outside of the U.S. The Administration's position is reminiscent of the Reagan Administration's decision to ban the export of Apple II computers to Eastern Europe in the 1980s. The Clinton Administration used foreign availability as a key factor in its decision last year to change the definition of supercomputer and relax its control on the export of computer workstations. It has elected to stick its head in the sand and ignore this key factor in its deliberations on encryption.

Basing its research on a study originally conducted by Dr. Lance Hoffman of George Washington University in conjunction with the Software Publishers Association in 1993, Trusted Information Systems (TIS) has identified 1181 encryption products worldwide (the full study is available at http://www.tis.com). TIS has found 497 foreign products from 28 countries. 193 of these products use DES, which has a 56-bit key length and is not permitted for export by U.S. companies. A recent study by the Commerce Department and National Security Agency comes to similar conclusions.

Anecdotal examples underscore why U.S. companies are losing market share rapidly. There is a foreign product called Sioux on the market in which the company uses U.S. export restrictions as a major selling point to customers. The company's Web page (http://www.thawte.com/products/sioux/) proclaims that, "The U.S. ITAR regulations prohibit the export of strong encryption technology from North America. This means that companies such as Netscape, Microsoft and Open Market have to ship "Export Versions" of their software which have limited encryption capability - using 40-bit keys which can be trivially deciphered…since Sioux was developed outside of the ITAR framework it ships with full encryption enabled all over the world. Why limit your security?" These are real competitive handicaps faced by U.S. companies.

This past Sunday, working from home on my PC, I went to the World-Wide Web to see what was easily available for downloading. I had heard there was a free application with SSL called "Apache" and a search on Digital's AltaVista catalog for "Apache with SSL" quickly led me to the names and locations on the web. Here is a summary of what I found.

[SSL, or secure sockets layer, is a protocol for protecting any amount of data during transmission between client and server programs. SSL provides server authentication, data encryption and message integrity. It was designed by Netscape Communications for use in Internet applications. It is a highly desired feature for our customers, and Spyglass provides a compatible product. Encryption libraries allow software developers to build secure applications using various operating systems and platforms.]

I found a WWW server, which roughly matches the feature set of our own Spyglass Server, called Apache. At an Oxford University site, I found a version which can be configured with SSL if you have an SSL library. At that site, I found pointers to Australia for obtaining SSL. I also found pointers to a commercialized version of that product available from South Africa, called Sioux. I consider this product a direct competitor to our own.

In particular, I downloaded the "SSLeay" library. Though written in Australia, I downloaded from a site in Japan because the network link was faster. Copies can be found at sites in Korea, Germany, Taiwan, the UK, Japan, and of course, Australia. URLs:

ftp://ftp.psy.uq.oz.au/pub/Crypto/SSL/ (Original Australian site)

ftp://ftp.epistat.m.u-tokyo.ac.jp/pub/Crypto (Japanese mirror site)

This library contains source code implementing the DES, RC2, RC4, IDEA, and RSA encryption schemes at any key bit length. The documentation brags about being interoperable with all US implementations even though none of the code is derived from any US source. They simply had people inside the US test the results. I was able to download the 500K file, peruse and compile the source code without any problems in about 30 minutes. I don't believe I broke any laws because I only imported the code, never exported it.

The conclusion is that these algorithms and source code are fully available to anyone who has access to the Internet. Because they are available in source code form, even 64-bit or 128-bit capabilities may have trouble competing.
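The testimony's two technical claims above, that a 40-bit key falls to a brute-force search in hours or minutes and that the RC4/DES source needed to mount such a search was freely downloadable, can be illustrated with a small experiment. The following is an added example written for this page; it is not code from the testimony, from Spyglass, or from SSLeay. It implements RC4 (the cipher used by the 40-bit "export" SSL suites of the period), recovers a constructed 40-bit key by known-plaintext search, and extrapolates the measured search rate to a full 40-bit and 56-bit key space. To keep the demo short, the attacker is assumed to already know the top 28 bits of the key; the 12-bit search that remains is the assumption, and the keys, plaintext and rate figures are all constructed on the spot rather than taken from the testimony.

```python
"""Added example, not part of the testimony: why a 40-bit key is weak and what
56 bits buys.  Implements RC4, brute-forces a constructed key over a
deliberately small unknown portion, then scales the measured rate up.
"""
import time


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return the first n keystream bytes of RC4 under `key` (KSA, then PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                         # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (RC4 is symmetric) by XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


def brute_force(ciphertext: bytes, known_plaintext: bytes,
                known_prefix: bytes, unknown_bits: int):
    """Known-plaintext attack.  The attacker knows the first bytes of the
    message and all of the key except its low `unknown_bits` bits, and tries
    every candidate until the keystream matches.
    Returns (key, candidates_tried), or (None, candidates_tried) on failure."""
    n_bytes = (unknown_bits + 7) // 8
    # XOR of ciphertext and known plaintext is the keystream we must reproduce.
    target = bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))
    for cand in range(1 << unknown_bits):
        key = known_prefix + cand.to_bytes(n_bytes, "big")
        if rc4_keystream(key, len(target)) == target:
            return key, cand + 1
    return None, 1 << unknown_bits


def expected_seconds(key_bits: int, keys_per_second: float) -> float:
    """Worst-case time to exhaust a 2**key_bits key space at the given rate."""
    return (1 << key_bits) / keys_per_second


def demo(unknown_bits: int = 12) -> dict:
    """Recover a constructed 40-bit RC4 key whose top 28 bits are assumed
    known, then extrapolate this host's search rate to 40 and 56 bits."""
    secret = 0x9A7                                     # constructed, < 2**12
    key = b"\x4c\x1b\x77" + secret.to_bytes(2, "big")  # 5 bytes = 40-bit key
    plaintext = b"GET /index.html HTTP/1.0\r\n"        # constructed message
    ciphertext = rc4(key, plaintext)

    t0 = time.perf_counter()
    found, tried = brute_force(ciphertext, plaintext[:8], key[:3], unknown_bits)
    elapsed = max(time.perf_counter() - t0, 1e-9)
    rate = tried / elapsed                             # keys/s on this host
    return {
        "recovered": found,
        "original": key,
        "keys_per_second": rate,
        "days_for_40_bit": expected_seconds(40, rate) / 86400,
        "years_for_56_bit": expected_seconds(56, rate) / (86400 * 365),
    }


if __name__ == "__main__":
    r = demo()
    print("key recovered:", r["recovered"] == r["original"])
    print(f"search rate on this host: {r['keys_per_second']:,.0f} keys/s")
    print(f"full 40-bit search: {r['days_for_40_bit']:,.1f} days")
    print(f"full 56-bit search: {r['years_for_56_bit']:,.0f} years")
```

The point the numbers make is the ratio, not the absolute figures: every extra key bit doubles the search, so 56 bits costs 2^16, about 65,000 times, what 40 bits costs for the same attacker. Pure Python on one core is several orders of magnitude slower than the purpose-built hardware the testimony cites, which is why its "$10,000 breaks 40 bits in 12 minutes" figure and the extrapolation printed here differ so much; the scaling law between the two key lengths is the same in both cases.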

ITAA believes that the issue of foreign availability is a key element in changing the Administration's policy. S. 1726 permits the export of encryption that is "generally available," but we believe that this section of the legislation may require more detailed definitions. We are announcing today that we will work with Congress to craft a detailed, specific way to assess the global availability of encryption products. Such legislation must ensure that the analysis is objective and has teeth. This assessment must be timely and conducted at least three times a year given the pace of technological and market development. There's a joke in the Internet industry that the pace of technological change and market growth is so rapid in our business that each calendar year is really more like seven years, or a dog's year. We need to assess foreign availability on a continual basis to ensure that U.S. industry is not placed at an unfair disadvantage in the global marketplace.

The Impact of the Administration's Encryption Policy upon U.S. Jobs, the Software Industry and Small Businesses

The U.S. software industry leads the world. U.S. firms hold more than 70 percent of the global market for pre-packaged software. The software industry has created more than 500,000 jobs across the U.S. The U.S. is also dominant in the emerging Internet software market, with ITAA member firms like Netscape, Microsoft, Spyglass, IBM, Oracle and others leading the world.

The Computer Systems Policy Project estimates that unless U.S. policy on encryption is relaxed, this will cost 200,000 jobs and $60 billion in revenues over the next four years. As the world relies increasingly upon software used and shared across computer networks instead of stand-alone workstations, the impact of U.S. restrictions on encryption upon the U.S. software industry grows larger and larger.

The impact of a restrictive U.S. export policy will have an impact beyond just the U.S. software industry, however. It is anticipated that U.S. small businesses will rely increasingly on the Internet as an effective way to help them enter foreign markets. One of the greatest potential benefits of Internet business communications is that it lowers the barriers for small businesses to enter these new markets. As more and more companies begin to rely upon digital commerce, efforts to protect confidential and sensitive company information carried on this network grow in importance.

The Administration's policy allows the export of encrypted software above a 40-bit key length limit if a company permits a government-certified third party to hold the "keys" that unlock the encrypted information. [As demonstrated above, a 40-bit key length is too weak to ensure the protection of information over the Internet.]

The cost of such a key escrow scheme would be paid for by individual companies. So, companies would be faced with either 1) choosing a level of security for their information that is not 100% secure or 2) accepting a significant administrative burden and additional costs. In addition, such a key escrow requirement could become a "de facto" global standard which would create, in effect, an international Internet "tax." This "tax" would be part of the cost of doing business on this global network of networks.

So the Administration's policy would raise the costs and the barriers for small businesses to enter new markets. S. 1726 recognizes this fact by rejecting mandatory key escrow schemes. ITAA is conducting a survey of small businesses to gather more information on the importance of the Internet to them and the impact of the Administration's encryption policies (see http://www.itaa.org). We will also be analyzing in greater detail the costs associated with the Administration's key escrow scheme.

Our Specific Recommendations and Principles Moving Forward

We support the goals of S. 1726, the Pro-Code legislation. Below is our position on the Administration's policies and our recommendations, followed by a set of principles on information security that we endorse. It should be noted that Spyglass as a company has a position that goes beyond the ITAA stance, which I will expand upon as well.

  • The Administration's position misses the reality that a de facto global standard for encryption exists today which is DES: a 56-bit encryption method. Increases in computational power are causing consumers to look for strong encryption, and 40-bit key lengths have been broken recently. DES is widely available throughout the world, and many end-users are demanding security for their communications beyond this 56-bit standard. These realities are market-driven and will not change as a result of U.S. government intervention. Given these market realities, the Administration should decontrol immediately the export of 64-bit key length encryption software with no strings attached.

  • Even this level of decontrol will have to be addressed again in the not too distant future given the march of technology and rapid increases in computing power.

  • S. 1726 prohibits the federal government or any state from imposing a mandatory key escrow requirement as a condition of sales in interstate commerce. We also oppose such a "Big Brother" approach. In addition, if industry were to agree to a government requirement to invest in and build a potentially expensive and technically complicated key escrow scheme in exchange for the right to export, non-escrow technology could be placed at a disadvantage in the domestic marketplace. Such a development could suppress technological innovation and slow development of more powerful levels of information security. The Administration's key escrow requirement could also encourage a change in policy that today allows for unlimited encryption within the U.S. without key escrow.

ITAA endorses the following industry principles on encryption developed by the United States Council for International Business:

  • Free Choice - Users Free to Choose
  • Open to the Public - Unclassified Algorithms
  • International Acceptance - Widely Accepted by Business and Governments
  • Flexibility of Implementation - Hardware or Software
  • User Key Management - User Manages Keys

While Spyglass supports fully the ITAA recommendations and all of the supporting reasoning presented here, I would like to go one step beyond the ITAA position because of Spyglass' unique position in the market.

Spyglass only has 72 customers. Nearly half of them receive source code to our WWW technologies as part of our service to them. Companies like NEC, Nippon Telephone and Telegraph, Dacom, and Siemens-Nixdorf do not receive our full product. We eliminate all of the encryption libraries and any references to them. Spyglass can compete against the free Apache WWW technology or the Sioux product by providing additional features over and above what can be obtained for free on the network. We cannot compete when certain features cannot be legally shipped. More WWW technologies appear weekly and more and more of them include encryption features.

A source code customer of ours, JSB, a British company, told me last week that they required an SSL (Secure Sockets Layer) library with encryption for use in their product. He is willing but cannot purchase it from us. I am convinced that he will find one available from outside the US. I am more worried about how many other companies there are who have not contacted us.

Spyglass would add the following recommendations:

A) For RC2, RC4, DES, and RSA encryption schemes, release all capabilities at all key bit lengths. The source code to these algorithms (or equivalent) is available all over the world on the Internet today. My reading of S. 1726 is that it would accomplish this goal.

B) For all cases, eliminate the restrictions on software "hooks" which call the encryption libraries. Spyglass would then be able to ship source code to SSL and other Internet security schemes along with binary libraries which use restricted key lengths (or key escrow). Ironically, by not letting us make it easy for our customers to use short key lengths, we are forcing them to find foreign alternatives which do not have key length restrictions (or key escrow). While S. 1726 would accomplish this end, the Administration could eliminate the restrictions tomorrow by changing the language in the International Traffic in Arms Regulations or ITAR (see 22 CFR Section 121.1).

In conclusion, let me say that we recognize the concerns of both the law enforcement and national security communities. But the Administration's current policies do not and will not be successful by ignoring the explosive growth and nature of the global Internet and the pace of technological change. And the Administration's policies would also prove devastating to the U.S. software industry.

A New York Times editorial makes the point that "The best way for the Government to protect its ability to eavesdrop on domestic and foreign criminals is to stay technically ahead of them…The export restrictions do nothing to keep encryption software out of the hands of criminals and hostile governments, but needlessly drive American exports out of foreign markets." The National Research Council also advocates that the U.S. Government fund robust research programs to keep our law enforcement and intelligence agencies ahead technologically. ITAA endorses this recommendation, as well as the provision in S. 1726 directing the Secretary of Commerce to "prohibit the export or re-export of computer software and computer hardware…" if it will be diverted or modified for foreign military or terrorist use.

Thank you, and I look forward to your questions.