Index

Statement of Matthew Bowcock
Baltimore Technologies

Summary

Cryptography is being incorporated into more and more technology products every day. The general technology boom, and the Internet in particular, fuels this explosive increase in use of crypto. It is apparent to everyone that a regulatory system designed to apply to a small number of specialist products cannot be sustained into the future.

As a leading global supplier of information security products, Baltimore Technologies encourages free trade and open markets in relation to products incorporating encryption technology.

The underlying framework of world commerce requires a reasonable regulatory environment that transcends national boundaries. This framework has to be acceptable to the twin requirements of international governments and the freedom of the individual.

The SAFE Act will completely revolutionise e-commerce and the Internet internationally. It will potentially give every computer user in the world access to full strength cryptography for web access, email and a range of other applications.

US encryption and security companies do compete in the non American marketplace. Baltimore Technologies competes with them every day of the week. Companies such as RSA Data Security Inc., Entrust, Cylink and Network Associates have all purchased technology companies outside the US and continue to compete in most world markets.

It is paramount that this or any other subcommittee is not misled by industry or other interested parties with regard to non-US companies. We welcome the opportunity as a non-American company to debate some of the assertions made in the course of the general crypto export debate. Baltimore Technologies refutes suggestions often made that non-American companies flourish solely because of current export policy.

The proposed change to export restrictions will lead to an incompatibility with the Wassenaar Arrangement, signed by 33 countries including the United States. This will throw the attempt at harmonisation into disarray and may reduce the international spirit of co-operation on this matter.

It must be recognised, as the SAFE Act does, that there should be a difference in the regulation of general products that incorporate cryptography to pure cryptographic products.

Baltimore welcomes the US prohibition on mandatory key escrow while recognising the fact that key/data recovery systems may be a desirable option for some organisations.

Baltimore welcomes the protection of the right to sell and use cryptographic products within the US, a right that should exist throughout the world.

Introduction

The House Armed Services Committee has requested that Baltimore Technologies present testimony on the SAFE Act.

We would like to thank the committee for the opportunity to present views and assist the committee with its work. As a leading non-US originated developer of security and encryption products with sales throughout the world, including the United States of America, we can provide a different perspective on the implications of this legislation. We are not encouraging the members to vote in a particular direction.

Cryptography is being incorporated into more and more technology products every day. The general technology boom and the Internet in particular fuel this explosive increase in use of crypto. It is apparent to everyone that a regulatory system designed to apply to a small number of specialist products cannot be sustained into the future.

Baltimore Technologies is a publicly listed company with headquarters in Ireland, UK, Australia and the USA. As a leading global supplier of security products for use in enterprise and e-commerce systems, we welcome all attempts to encourage worldwide open markets for cryptographic products. As a global company, we wish to compete on a level playing field and let the consumer choose the best product and supplier.

Baltimore Technologies, along with many other non-American originated companies, has no reservations with the underlying concepts in the SAFE Act. Indeed, we would welcome the global availability of products such as browsers, secure email and emerging technologies that will encourage the environment for world e-commerce.

A large portion of Baltimore’s business comes from customers who are free to choose products from our competitors from the USA, Canada, Europe. These customers are either American corporations or financial institutions who can obtain export licenses for US products. We believe that a very small percentage of our business comes as a direct result of American export restrictions.

Baltimore has technology and business relationships with many world-leading technology companies. These relationships are based on mutual business benefits and not because Baltimore is a non-US company. In the past three years we have worked with companies such as Intel, Cisco, IBM, RSA Data Security Inc., Netscape. These relationships exist both inside the United States and in other countries where Baltimore operates.

(A) Comments on SAFE Section 2: Sale and Use of Encryption

As a growing supplier of security and cryptographic products within the USA, Baltimore Technologies welcomes the provisions of section 2 which ensure that businesses and individuals will continue to have the right to buy and use security products for legitimate personal or business use.

The prohibition on mandatory key escrow is also welcomed. Key recovery has certain legitimate uses in commerce and it remains an important optional security system for certain industries.

(B) Comments on SAFE Section 3: Exports of Encryption

Baltimore Technologies does not develop products in, nor re-export products from the USA. As such the provisions in the SAFE Act will not change the manner in which we do business – but it will completely change the way US companies compete in the global market.

In considering liberalising cryptography export policy the committee should consider the following:

Passing the SAFE Act will not solve all export problems for US corporations and will not create the international environment that is fundamental for world commerce. US companies develop, manufacture and distribute products from many countries worldwide. The SAFE Act will enable export from the US, but thereafter companies will have to comply with the export regulations of other countries. It is fundamental to the success of world commerce that the SAFE Act is consistent with the regulatory environment in all key world economies.

The US’s current export stance impacts the vast majority of computer users worldwide. For example the overwhelming majority of Internet access is conducted using US products such as Microsoft Windows and Internet browsers that remain crippled at 40-bit encryption outside of the US.

This Act will completely revolutionise the Internet and e-commerce internationally, giving international free access to full strength secure Internet browsers and email along with a range of other products.

The passage of this Act may encourage other countries to bring their export regulations in line with the USA. This will create a freer market for cryptographic products worldwide.

Most countries have a cryptography export policy. These policies vary from country to country, but it is wrong to assume that the US is currently out of step with the rest of the world. The unique part of the US export system is the use of restricted key-lengths.

It is true that all security and encryption companies are prone to losing business as a result of export, import and usage restrictions imposed by national governments. It is important to recognise that US companies are not unique in this regard. The United States, as the largest exporter of software and high-technology products in the world, feels the effects of export restrictions more noticeably than other countries.

The SAFE Act, if passed, may contradict the terms of the recently agreed Wassenaar Arrangement signed by the governments of 33 leading nations, including the USA. While the Wassenaar Arrangement imposes unwelcome restrictions on cryptographic products, Baltimore welcomes the attempts at international consistency and harmonisation.

The SAFE Act correctly distinguishes between products that include cryptographic functionality and pure cryptographic products.

Many technology products now include cryptographic elements in order to provide security for Internet users. These products provide functionality that is simply made secure by crypto. For example Web Browsers and conventional email systems are in widespread use, but they also include cryptography which can secure communications if necessary.

Pure cryptographic products, on the other hand, can be used in a more general-purpose manner and can be used to build a wide range of security systems for almost any use.

Other Commentary

The US cryptography debate has generated a great deal of interest and debate, but there is much misunderstanding of the global situation.

It is misleading to state that non-American companies are flourishing because of the current US policy. Surveys are often presented stating the number of programs available internationally that include strong crypto (e.g. PGP, Fortify). What these surveys neglect to mention is that the dollar value of the sales of all these products is very small when compared with sales of similar products in the US. The United States dominates the world’s software market and will continue to do so. While there is no argument that some US companies are obviously limited in their non-US markets for strong-crypto products, it is not the case that non-US companies are flourishing at an exaggerated rate.

Most countries do have effective export restrictions that regulate export of cryptographic products. Baltimore Technologies has to deal with three export administrations in Ireland, the UK and Australia who regulate encryption product exports in different ways.

US Companies operate in the best global environment to develop and sell high-technology products including cryptography. A US software development company can operate without any restriction on use of cryptography. US companies have unregulated access to a market of 260 million people who are the most advanced and wealthy consumers in the world. Contrast this with the situation of non-US developers who cannot access the security building blocks provided in operating systems. For instance, Baltimore Technologies cannot utilise the cryptographic subsystem offered in Microsoft Windows, the most popular operating system in the world.

Non-US companies have always been at a distinct disadvantage to their US counterparts, and have only succeeded by building better products.

Operating in the international market, Baltimore deals with an array of cryptographic regulations that require us to modify our products. We, as well as being developers of cryptographic systems, support competitive cryptographic systems from many other vendors.

Baltimore will welcome the global availability of strong-crypto versions of popular software such as browsers, email programs etc. The widespread availability of these products will encourage secure e-commerce and will enable Baltimore and other American and non-American companies to expand their business of providing security systems based around these software systems.

In our experience, export licenses are generally available to US companies for a great number of sales that Baltimore bids for throughout the world. Additionally, many US companies have bought foreign companies or establish non-American corporations to enable them to sell to a wider market. American companies are a formidable force in the global security marketplace.

Recommendations

The SAFE Act export provisions will let the "genie out of the bottle" in an inconsistent manner to that of other countries. An international approach to addressing the regulation of cryptography already exists in the form of the Wassenaar Arrangement.

Baltimore Technologies suggests that the issue of cryptographic export regulations be addressed on an international basis rather than in isolation. This is not a matter of the USA versus Rest-of-the-World . The twin concerns of the government and citizens of the United States are not dissimilar to those in other countries. US-based security companies have by-and-large similar experiences to that of non US-based companies.

Baltimore Technologies suggests that the differences in regulations between general products that include cryptography (e.g. Browsers) and pure cryptographic products are maintained.

As the leading nation in world commerce, the United States of America has an opportunity to create a global framework for e-commerce that incorporates the appropriate encryption policy.

APPENDICES

Oral Presentation

Baltimore Technologies Information

Resume

ORAL PRESENTATION

Good morning Mr. Chairman and Members of the Committee.

My name is Matthew Bowcock and I am the Executive Vice President Corporate development for Baltimore Technologies. I am testifying today to provide the viewpoint of a leading information security company that originates from outside the USA.

I would like to put my comments in context by giving you a brief introduction to Baltimore Technologies.

Baltimore Technologies is a publicly listed company on the London Stock Exchange. We develop and market commercial security products for use in business and e-commerce – most of these products use encryption technology. We have software and hardware development centres in Ireland, the UK and Australia and have sales offices in 16 cities worldwide and customers in over 40 countries. Many of these customers are governments, government bodies and some of the world’s leading financial institutions. We have business and technology relationships with many companies including US corporations such as Intel, Cisco, IBM, Netscape and Security Dynamics/RSA. While we do not develop software inside the USA, we are successfully selling our products and growing our business throughout America. We are one of the leading, global security companies in the world today.

We export the majority of our products from the country of development. These exports are regulated by the national government of the relevant country, all of which are signatories to the Wassenaar Arrangement. Accordingly, Baltimore has unrivalled experience of operating in the most international of export regulated environments. Our business objective is to provide the world with the underlying electronic security infrastructure to support world commerce.

The underlying framework of world commerce requires a reasonable regulatory environment that transcends national boundaries. This framework has to be acceptable to the twin requirements of international governments and the freedom of the individual.

Encryption is now a common requirement for almost any Internet or e-commerce product. This is in contrast to just a few years ago when encryption was only necessary for specialist products. It is now clear to everyone that the regulatory system designed to control cryptography in the past cannot be sustained into the future. The next move is highly important. Baltimore will encourage and support all initiatives to develop a structure that supports the requirements of industry and governments.

The SAFE Act will completely alter the nature of the security market, both inside the USA and in the rest of the world.

We welcome the use of cryptography for the development of a secure e-commerce structure within the United States as proposed in the SAFE Act. Security and trust are essential parts of commerce and cryptography is an essential part of e-commerce. The prohibition on mandating key escrow will also remove a potential technological obstacle to the adoption of secure systems.

The export provisions of the SAFE Act will potentially revolutionise the worldwide Internet and e-commerce markets. It will clear the way for full strength encryption in a vast range of security and general-purpose applications including Web Browsers, Email and File Encryption.

This Act will enable the vast majority of non-American businesses and consumers to conduct business with each other over the Internet using strong security.

However, this unilateral move comes soon after 33 leading countries, including the United States of America, agreed to harmonise a base level of crypto regulation in the Wassenaar Arrangement. The SAFE Act may solve a single problem of US export, but may cause other difficulties in selling and using US security products between other countries as many US companies have development, manufacturing and distribution facilities throughout the globe.

This is not a US versus the Rest of the World issue. The US has a unique position in that it is the largest single market for development, export and purchasing of high-technology products.

I would encourage the committee to consider a more international approach to the export section of the SAFE Act so that we recognise the international aspect of the industry and the Internet.

I also wish to refute the widespread perception that non-US security companies flourish solely because of perceived inability of US companies to export products with strong crypto. As part of my research for this testimony, I was astounded by some of the claims presented as testimony to other subcommittees. It is vital that that this sub-committee is not misled into developing legislation based on incorrect information.

We welcome any moves to encourage open markets for encryption products throughout the world. The US regulations may appear to give non-American companies a massively unfair advantage, but in truth the advantage gained is slight. US companies dominate in software and technology worldwide and will continue to do so. There are tens of millions of users of Microsoft and Netscape products outside America, most of whom have reduced strength cryptography. Even though freeware products exist to re-instate the strong crypto, a tiny percentage of people have done so.

Baltimore Technologies derives a high percentage of its revenues from the financial sector, where US companies are free to offer strong cryptographic products. We compete successfully in the same way as any technology company does – by bringing the best products to market first. I do not know of any significant non-American companies who deliberately set out to build a business based on the US export situation. The only situations we encounter of companies deliberately sidestepping US regulations are the international subsidiaries of American corporations.

While US companies are subject to export restrictions, they have a domestic market that is the most active and sophisticated in the world comprising 260 million people. Many of Baltimore’s products emanated from our Ireland development centre, with a domestic market of fewer than 4 million people. In many ways we are envious of American companies which can access a vast domestic market in which to develop and sell advanced security products. US companies are not losing the technology race - nor will they. There exist many significant impediments to the development of security products, and many American companies would cite the commercialisation of various patents as being more significant.

The SAFE Act presents a highly significant opportunity to change the security landscape within the United States and beyond. It will impact both US and non-US security and encryption companies and potentially alter the way in which e-commerce and the Internet are secured.

Thank you again for your invitation to present here today.

INFORMATION ON BALTIMORE TECHNOLOGIES

Baltimore Technologies develops and markets security products and services for a wide range of e-commerce and enterprise applications.

Its products include Public Key Infrastructure (PKI) systems, cryptographic toolkits, security applications and hardware cryptographic devices. Baltimore Technologies employs over 400 people across fifteen global locations, has development centres in Europe and Australia, and services over 300 customers across forty countries.

History

In January 1999, Baltimore Technologies merged with Zergo Holdings plc. to form Baltimore Technologies plc (London:BLM). Intel Corporation holds a 6% stake in the company.

Locations

Baltimore Technologies operates from offices in fifteen cities around the world including London, Boston, Washington DC, New York, Denver, Dublin, Dallas, Mountain View, Sydney, Munich, Tokyo and Hong Kong.

World Firsts

Provision of the technology for the world’s first digital signing of an international communiqué between Bill Clinton, President of the USA and Bertie Ahern, Prime Minister of Ireland

Release of world’s first commercial Java Crypto Toolkit (J/CRYPTO); J/CRYPTO is subsequently licensed to RSA Data Security

Release of MailSecure - the world’s first non-US S/MIME product

Release of UniCERT 2.0 - a next-generation Certificate Authority for Internet and Intranet

Development of the world’s first Key Recovery S/MIME email in conjunction with Trusted Information Systems, a U.S. company.

Awards

Corporate - National Innovation Award

Corporate - Irish Software Association Company of the Year 1998

Corporate - Institute of Chartered Accountants Growth in Business Award 1998

UniCERT - IM 98 Information Security Product of the Year

UniCERT - Winner European IT Prize 1998

J/CRYPTO - JavaWorld Editors’ choice Finalist 1997

J/CRYPTO - JavaWorld Editors’ choice Finalist 1998

For further information visit Baltimore Technologies at http://www.baltimore.com

MATTHEW BOWCOCK RESUME

MATTHEW BOWCOCK is Baltimore’s Executive Vice President Corporate Development and is a member of the board of directors.

Matthew has responsibility for the Company’s global strategy, analyst relations and investor relations. He has been instrumental in defining the Company’s strategic marketing plan and in positioning Baltimore as a world leader in cryptographic information security.

With nearly twenty years of international sales and marketing experience in the IT sector, Matthew has a wealth of knowledge and expertise, gained from both the Government and Commercial sectors world-wide.

Prior to joining the Company, Matthew was Managing Director and founder of Security Domain, an electronic commerce security product company which was acquired in 1998. Prior to this, he was the General Manager at Electronic Transactions (Pty) Ltd. In addition, at Digital Equipment Corporation based in Sidney Matthew was responsible for the introduction of all security products into the region. This included classified defence equipment and secure operating systems.

Educated in the UK, Matthew has an Honors Degree in Law.