The encrypted jihad

Tue Feb 12 17:43:56 EST 2002

http://www.salon.com/tech/feature/2002/02/04/terror_encryption/print.html

The encrypted jihad
We can't stop terrorists from using uncrackable codes. So we shouldn't even
try.

- - - - - - - - - - - -
By Barak Jolish

Feb. 4, 2002 | Here's a tip for Treasury Department agents tracking
al-Qaida's finances: You might want to pay a visit to the volume discount
department at Dell Computer. Al-Qaida, it seems, has been an avid consumer
of computers over the last several years, and is especially fond of
laptops. It isn't hard to understand why. With his hectic, on-the-go
lifestyle, no self-respecting terrorist can function without a computer
that fits comfortably on an airplane tray table. Alleged "20th hijacker"
Zacarias Moussaoui, for instance, used his to research crop dusters, quite
possibly in preparation for a biological attack on a densely populated
American city. Ramsi Yousef used a laptop he accidentally left in a Manila
apartment to plan his extensive itinerary, which included assassinating the
pope in the Philippines, attacking an Israeli Embassy in Thailand, and
bombing the World Trade Center in 1993.

It's not surprising, then, that the seizure of computers has become a
primary goal for U.S. soldiers scouring Afghan caves and ambushing Taliban
and al-Qaida operatives. Ironically, though, winning possession of this
equipment on the battlefield may be the easy part; terrorists today have
the capacity to protect data with encryption schemes that not even
America's high-tech big guns can crack. The number of possible keys in the
new 256-bit Advanced Encryption Standard (AES), for example, is 1 followed
by 77 zeros -- a figure comparable to the total number of atoms in the
universe.

Luckily, not all encryption is hopelessly secure. Ramsi Yousef was careless
in protecting the password to his encrypted files, giving the FBI
relatively easy access to their contents. It took the Wall Street Journal
only days to decrypt files on two Al-Qaida computers that used a weak
version of the Windows 2000 AES cipher in Afghanistan. The U.S. cannot,
however, count on such carelessness indefinitely.

But recent changes in U.S. policy have actually reduced restrictions on the
spread of sophisticated encryption. In January 2000, for instance, the
Clinton administration ruled that "retail products" that undergo a
one-time, 30-day government review can be exported to nearly all countries
(with the exception of Cuba, Iran, Iraq, Libya, North Korea, Sudan and
Syria) without any government licensing requirement. Revisions published
later that year relaxed even these limitations for products exported to the
15 nations of the European Union and several of their major trading
partners. The practical effect of these reforms has been that the
industrial-strength Windows 2000 128-bit High Encryption Pack is now freely
available over the Internet to anyone, including Hamburg residents such as
presumed Sept. 11 ringleader Mohammed Atta.

Since Sept. 11, some commentators and lawmakers have suggested that the
U.S. reverse itself once again, and redouble efforts to control encryption.
On the surface, this sentiment is understandable -- it is difficult to
argue against any moves that may prevent future terrorist attacks on the
scale of the WTC disaster. This position is, however, dead wrong.

Quite simply, the U.S. regime of strict encryption controls didn't make
sense before Sept. 11, and it doesn't make sense now. The starkest
illustration of this reasoning is the case study of Israel, which is
simultaneously a leader in encryption product exports and a major focus of
terrorist attacks.

Before President Clinton's 2000 reforms, proponents of encryption export
controls were besieged from all sides: on the left and right flanks privacy
advocates argued that strong encryption is vital to protecting individual
liberty against government intrusion. First Amendment devotees launched a
frontal attack in the courts, claiming that encryption code was essentially
speech. Most effective, however, was the carpet bombing of lobbyists and
campaign contributions from the software industry -- the Microsofts, IBMs
and Suns of the world -- who argued that export controls simply drove
customers seeking secure products to companies in other countries -- such
as Israel. These companies estimated their losses in billions of dollars,
and noted the costs to workers as well; even domestic companies were hiring
independent overseas software developers to create encryption products.

Though their agendas differed, the above parties were united in their
claims that the government's policy stood little chance of significantly
controlling criminal use of encryption. First, they noted that producing
encryption algorithms takes few resources beyond advanced mathematical
training. In fact, sometimes even these skills are not necessary; in early
1999 a 16-year-old Irish high school student named Sarah Flannery developed
a new data-encryption algorithm that was 22 times faster than the popular
RSA algorithm used in many business transactions today.

Second, reform advocates stressed that there is no practical way to keep
encryption within or without the confines of physical borders. For
instance, anyone can purchase a copy of the encryption program Crypto II on
the streets of Moscow for $5, and then e-mail it to a friend in New York.

Third, legal controls on encryption will bind only those who decide to
follow the law. Terrorists who are willing to fly a jet into the side of a
building will have no qualms about breaking laws against illegal
encryption. Finally, encryption advocates claim that government control
stifles development of the strong encryption we need to protect computer
networks from attacks by hackers and other criminals, and to secure our
systems for air traffic control, electrical distribution, financial markets
and telecommunications.

But hasn't Sept. 11 changed the equation? Americans have, after all, now
come to accept that they will have to compromise on issues like privacy or
economic growth in favor of increased security.

It is specifically in the aftermath of this trauma that where it becomes
instructive to look at the policy of Israel, a country defined by its
obsession with security. The Israeli predicament is essentially a starker
version of that of the U.S. On the one hand, Israel has faced six wars in
its first 50 years, and confronts terrorist shootings and suicide bombings
virtually every week. Both the Israeli army and the FBI have confirmed that
Hamas and other Islamic militants regularly use the Internet to transmit
encrypted instructions for terrorist attacks -- including maps,
photographs, directions, codes and technical details about how to use
bombs. On the other hand, Israel's economy is among the most reliant in the
world on high technology exports. In fact, the share of Israel's
information technology exports as a percentage of services exports is
surpassed only by Japan. All of this has helped earn a country with few
natural resources other than potash a per capita GDP of $17,500 -- higher
than that of several members of the European Union.

In this context it is significant that in 1998 Israel, too, revised its
rather draconian encryption laws, granting regulators a great deal of
flexibility to permit the export of strong encryption products -- including
a "free means" category for which all license requirements are waived.
These changes were prefaced by a government report that noted the futility
of limiting "the use of means that can be freely obtained from many public
sources," and said that the law should permit Israeli companies to develop
and export "competitive products that can be marketed in most of the
world's countries as off-the-shelf products." In fact, even before the 1998
liberalization, flexible enforcement had allowed Israeli companies such as
Checkpoint Software to dominate the network security field.

The lesson from the Israelis is not how to control terror -- they don't
seem to have better answers than anyone else -- but rather how to live with
it and continue to function with as little social and economic disruption
as possible. If, as President Bush tells us, we're in this war for the long
haul, we simply cannot afford to sap our economic strength to prop up the
fantasy that we can control the actions of terrorists by fiat. There are
some battles we just shouldn't fight.

- - - - - - - - - - - -
About the writer
Barak Jolish is an attorney at the intellectual property law firm of Fish &
Neave in Palo Alto, Calif.

-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com