Introduction: Spyglass and the Internet

Good morning. My name is Tim Krauskopf, and I am the co-founder and
Chief Technology Officer of Spyglass, located in Naperville,
Illinois. We are a small business employing 137 people and had revenues
of $10 million last year. We are growing rapidly, and are in a unique
position in the Internet software industry of holding the exclusive
rights to the commercial version of Mosaic, originally developed at the
National Center for Supercomputing Applications at the University of
Illinois at Urbana-Champaign. Mosaic is software that was developed to
allow people to navigate the graphical portions of the Internet,
specifically the World Wide Web. Spyglass is also unique in that we
license our Internet technology to more than 70 companies who
incorporate it in various products. So our technology plays a central
role in the growth of the broader Internet software industry.

Our company's first product was a suite of data visualization tools used by scientists and engineers. We entered the Internet and World Wide Web market in May 1994 when we completed our licensing arrangement with NCSA to develop and market a commercial version of NCSA Mosaic. Spyglass was selected for several reasons: First, I had been involved in developing early Internet technology, co-authoring NCSA/Telnet, software that made the Internet accessible for researchers and students. Second, Spyglass had already established a strong track record developing cross-platform software for the commercial marketplace. In August of 1994, NCSA extended its agreement to provide, on an exclusive basis, all future commercial licensing rights to Spyglass. Our core business is to license Spyglass Mosaic technology to other companies to include in their Internet and Intranet-related products. As the Web market has grown and evolved, so has Spyglass and its technologies. You may have heard about our recent acquisition of Surfwatch, the leading provider of filtering and parental control technology.

The Information Technology Association of America

I am here today representing both Spyglass and our primary trade
association, the Information Technology Association of America.
Spyglass licenses Web technology to many other ITAA member companies
such as Oracle Corporation,
Computer Associates, IBM, Microsoft, Platinum Technology, and
others.

The Information Technology Association of America represents a broad
cross-section of the software, Internet, information technology
services, telecommunications and systems integration segments of the
high-technology industry. ITAA direct and affiliate members number over
9,000 across the U.S. ITAA is the umbrella organization for 25 of the
regional high technology organizations in various states, representing
them here in Washington, D.C. Member companies include Netscape Communications, Microsoft, Oracle Corporation, Computer Associates, Novell, IBM, AT&T, MCI, and EDS,
to name a few.

ITAA's software division has made a name for itself as the leading
organization representing the Internet, Intranet and Network-centric
business software industry. The largest software companies focusing
upon the Internet and Intranet markets are active in the association.
Priority issues include encryption, international, federal and state
taxation of software, services and the Internet, telecommunications
reform, copyright, immigration, and the Year 2000 software
crisis.

ITAA Supports the Goals of S. 1726

ITAA supports the goals of S. 1726, the Promotion of Electronic
Commerce in the Digital Era (Pro-CODE), because it recognizes
that:

1. The issue of encryption and information security over computer
networks and the Internet is no longer an esoteric, arcane subject. How
security over this network of networks is addressed will have a broad,
pervasive impact on the future of the Internet, business and society.
Companies have legitimate concerns about protecting their proprietary
information from competitors and foreign governments.

2. The Internet is a global medium and the availability of
encryption products around the world must be a fundamental factor in
setting U.S. export policy. While there are legitimate law enforcement
and national security considerations, U.S. policy cannot ignore these
market realities.

3. The economic cost of the Administration's current policy on
encryption will be enormous not only to U.S. software industry jobs and
revenues but will also have an impact on the ability of U.S. businesses
to harness the Internet to enter new markets.

We will discuss each one of these points in turn, and then lay out our specific recommendations for moving forward.

The Significance of Information Security and Encryption in a
Networked World: The Threat Is Real

A cover story in Business
Week last year proclaimed that, "The Web Changes Everything." While
that may be a slight exaggeration, the Internet is indeed starting to
transform not only how business is conducted but society more
broadly.

Within several years, there will be more than 100 million people
connected to the Internet. Zona Research estimates that
the market for corporate "Intranets" alone - businesses harnessing
Internet technology for both in-house and inter-enterprise applications
- will grow to more than $6 billion by 1998.

Outdated U.S. export restrictions on encryption are a major barrier
to realizing the potential of the Global Information Infrastructure and
all it has to offer, such as business communications, financial
transactions, healthcare and personal medical information, and consumer
privacy.

A New York Times editorial this
week made the point effectively: "Once largely the domain of
governments and their intelligence services, encryption technology is
now commonly used by corporations, banks, securities firms and
individual computer operators. It is time to revise Government
encryption policy to fit this new universe."

The recent, authoritative report of the National Research Council
(which includes former Attorney General Benjamin Civiletti and Ann
Caracristi, a former Deputy Director of the National Security Agency)
also pointed out the growing pervasive impact of communications
networks upon global society:

"As the availability and use of computer-based systems grow, so,
too, does their interconnection. The result is a shared infrastructure
of information, computing, and communications resources that
facilitates collaboration at a distance, geographic dispersal of
operations, and sharing of data. …Today, the rising level of
familiarity with computer-based systems is combining with an explosion
of experimentation with information and communications infrastructure
in industry, education, health care, government, and personal settings
to motivate new uses and societal expectations about the evolving
infrastructure."

In short, we are going through a paradigm shift in which the
importance of protecting the security of information on computer
networks is growing at a geometric rate.

The threat to the security of information on the Internet is real.
Companies are concerned not only about the ability of competitors to
gain access to proprietary information, but also foreign intelligence
agencies. Two former Directors of France's intelligence agency have
stated that they gather economic intelligence, including information
from certain companies that have been targeted. Attached is a box
included in the National Research Council report laying out the "Threat
Sources."

Last August, a French student was able to crack a 40-bit
encryption scheme distributed by Netscape Communications by using
computers at his university in his spare time (it took him 8 days to
break the code). A group of computer scientists released a report
recently that $10,000 worth of computer hardware can break a 40-bit key
in 12 minutes. The group estimates that a 56-bit key using a $10
million corporate computer could be broken in 12 seconds. Such costs
could be justified by a foreign company or intelligence agency trying
to steal financial information, trade secrets or valuable
technology.

In meeting the threat, our responsibility is three-fold: to
understand the shifts taking place in society, to identify the new
vulnerabilities, and to put in place the technology solutions
necessary, including strong encryption, to counteract inappropriate or
illegal behavior.

The Internet is a Global Medium and Foreign Availability Must Be
a Fundamental Factor in U.S. Policy

The Internet does not stop at the U.S. border. It is a global medium
that does not recognize the boundaries between states, countries or
continents. If information or products are made available somewhere on
the Internet, it is accessible to anyone regardless of geographic
location.

S. 1726 allows U.S. software and computer companies to
compete on a level playing field with our foreign competitors in this
rapid growth global marketplace. We are particularly pleased that S.
1726 recognizes that distributing software over the Internet will grow
in volume and economic significance and should be used as a factor in
determining whether a product is generally available around the
world.

One of the most perplexing aspects of the Administration's position
is that it has decided to turn a blind eye to the issue of what
strength of encryption products are broadly available outside of the
U.S. The Administration's position is reminiscent of the Reagan
Administration's decision to ban the export of Apple II computers to
Eastern Europe in the 1980s. The Clinton Administration used foreign
availability as a key factor in its decision last year to change the
definition of supercomputer and relax its control on the export of
computer workstations. It has elected to stick its head in the sand and
ignore this key factor in its deliberations on encryption.

Basing its research on a study originally conducted by Dr. Lance Hoffman of George Washington University in conjunction with the Software Publishers Association in 1993, Trusted Information Systems (TIS) has identified 1181 encryption products worldwide (the full study is available at http://www.tis.com). TIS has found 497 foreign products from 28 countries. 193 of these products use DES, which has a 56-bit key length and is not permitted for export by U.S. companies. A recent study by the Commerce Department and National Security Agency comes to similar conclusions.

Anecdotal examples underscore why U.S. companies are losing market
share rapidly. There is a foreign product called Sioux on the market in
which the company uses U.S. export restrictions as a major selling
point to customers. The company's Web page (http://www.thawte.com/products/sioux/)
proclaims that, "The U.S. ITAR regulations prohibit the export of
strong encryption technology from North America. This means that
companies such as Netscape, Microsoft and Open Market have to ship
"Export Versions" of their software which have limited encryption
capability - using 40-bit keys which can be trivially
deciphered…since Sioux was developed outside of the ITAR
framework it ships with full encryption enabled all over the world. Why
limit your security?" These are real competitive handicaps faced by
U.S. companies.

This past Sunday, working from home on my PC, I went to the
World-Wide Web to see what was easily available for downloading. I had
heard there was a free application with SSL called "Apache" and a
search on Digital's
AltaVista catalog for "Apache with SSL" quickly led me to the names
and locations on the web. Here is a summary of what I found.

[SSL, or secure sockets layer, is a protocol for protecting any
amount of data during transmission between client and server programs.
SSL provides server authentication, data encryption and message
integrity. It was designed by Netscape Communications for use in
Internet applications. It is a highly desired feature for our
customers, and Spyglass provides a compatible product. Encryption
libraries allow software developers to build secure applications using
various operating systems and platforms.]

I found a WWW server, which roughly matches the feature set of our
own Spyglass Server, called Apache. At an Oxford University site, I
found a version which can be configured with SSL if you have an SSL
library. At that site, I found pointers to Australia for obtaining SSL.
I also found pointers to a commercialized version of that product
available from South Africa, called Sioux. I consider this product a
direct competitor to our own.

In particular, I downloaded the "SSLeay" library. Though written in
Australia, I downloaded from a site in Japan because the network link
was faster. Copies can be found at sites in Korea, Germany, Taiwan, the
UK, Japan, and of course, Australia.

URLs:
ftp://ftp.psy.uq.oz.au/pub/Crypto/SSL/ (Original Australian site)
ftp://ftp.epistat.m.u-tokyo.ac.jp/pub/Crypto (Japanese mirror site)

This library contains source code to implement, at any encryption bit length, the DES, RC2, RC4, IDEA, and RSA encryption schemes. The documentation brags about being interoperable with all US implementations even though none of the code is derived from any US source. They simply had people inside the US test the results. I was able to download the 500K file, peruse and compile the source code without any problems in about 30 minutes. I don't believe I broke any laws because I only imported the code, never exported it.

The conclusion is that these algorithms and source code are fully
available to anyone who has access to the Internet. Because they are
available in source code form, even 64-bit or 128-bit capabilities may
have trouble competing.

ITAA believes that the issue of foreign availability is a key
element in changing the Administration's policy. S. 1726 permits the
export of encryption that is "generally available," but we believe that
this section of the legislation may require more detailed definitions.
We are announcing today that we will work with Congress to craft a
detailed, specific way to assess the global availability of encryption
products. Such legislation must ensure that the analysis is objective
and has teeth. This assessment must be timely and conducted at least
three times a year given the pace of technological and market
development. There's a joke in the Internet industry that the pace of
technological change and market growth is so rapid in our business that
each calendar year is really more like seven years, or a dog's year. We
need to assess foreign availability on a continual basis to ensure that
U.S. industry is not placed at an unfair disadvantage in the global
marketplace.

The Impact of the Administration's Encryption Policy upon U.S.
Jobs, the Software Industry and Small Businesses

The U.S. software industry leads the world. U.S. firms hold more
than 70 percent of the global market for pre-packaged software. The
software industry has created more than 500,000 jobs across the U.S.
The U.S. is also dominant in the emerging Internet software market,
with ITAA member firms like Netscape, Microsoft, Spyglass, IBM, Oracle
and others leading the world.

The Computer Systems Policy Project estimates that unless U.S.
policy on encryption is relaxed, this will cost 200,000 jobs and $60
billion in revenues over the next four years. As the world relies
increasingly upon software used and shared across computer networks
instead of stand-alone workstations, the impact of U.S. restrictions on
encryption upon the U.S. software industry grows larger and
larger.

A restrictive U.S. export policy will have an impact
beyond just the U.S. software industry, however. It is anticipated that
U.S. small businesses will rely increasingly on the Internet as an
effective way to help them enter foreign markets. One of the greatest
potential benefits of Internet business communications is that it
lowers the barriers for small businesses to enter these new markets. As
more and more companies begin to rely upon digital commerce, efforts to
protect confidential and sensitive company information carried on this
network grow in importance.

The Administration's policy allows the export of encrypted software above a 40-bit key length limit if a company permits a government-certified third party to hold the "keys" that unlock the encrypted information. [As demonstrated above, a 40-bit key length is too weak to ensure the protection of information over the Internet.]

The cost of such a key escrow scheme would be paid for by individual
companies. So, companies would be faced with either choosing 1) a level
of security for their information that is not 100% secure or 2) accepting
a significant administrative burden and additional costs. In
addition, such a key escrow requirement could become a "de facto"
global standard which would create, in effect, an international
Internet "tax." This "tax" would be part of the cost of doing business
on this global network of networks.

So the Administration's policy would raise the costs and the
barriers for small businesses to enter new markets. S. 1726 recognizes
this fact by rejecting mandatory key escrow schemes. ITAA is conducting
a survey of small businesses to gather more information on the
importance of the Internet to them and the impact of the
Administration's encryption policies (see http://www.itaa.org). We will
also be analyzing in greater detail the costs associated with the
Administration's key escrow scheme.

Our Specific Recommendations and Principles Moving
Forward

We support the goals of S. 1726, the Pro-CODE legislation. Below is
our position on the Administration's policies and our recommendations,
followed by a set of principles on information security that we
endorse. It should be noted that Spyglass as a company has a position
that goes beyond the ITAA stance, which I will expand upon as
well.
ITAA endorses the following industry principles on encryption
developed by the United States Council for International
Business:
While Spyglass supports fully the ITAA recommendations and all of
the supporting reasoning presented here, I would like to go one step
beyond the ITAA position because of Spyglass' unique position in the
market.

Spyglass only has 72 customers. Nearly half of them receive source
code to our WWW technologies as part of our service to them. Companies
like NEC, Nippon Telephone and Telegraph, Dacom, and Siemens-Nixdorf do
not receive our full product. We eliminate all of the encryption
libraries and any references to them. Spyglass can compete against the
free Apache WWW technology or the Sioux product by providing additional
features over and above what can be obtained for free on the network.
We cannot compete when certain features cannot be legally shipped. More
WWW technologies appear weekly and more and more of them include
encryption features.

A source code customer of ours, JSB, a British company, told me last
week that they required an SSL (Secure Sockets Layer) library with
encryption for use in their product. He is willing but cannot purchase
it from us. I am convinced that he will find one available from outside
the US. I am more worried about how many other companies there are who
have not contacted us.

Spyglass would add the following recommendations:

A) For RC2, RC4, DES, and RSA encryption schemes, release all
capabilities at all key bit lengths. The source code to these
algorithms (or equivalent) is available all over the world on the
Internet today. My reading of S. 1726 is that it would accomplish this
goal.

B) For all cases, eliminate the restrictions on software "hooks" which call the encryption libraries. Spyglass would then be able to ship source code to SSL and other Internet security schemes along with binary libraries which use restricted key lengths (or key escrow). Ironically, by not letting us make it easy for our customers to use short key lengths, we are forcing them to find foreign alternatives which do not have key length restrictions (or key escrow). While S. 1726 would accomplish this end, the Administration could eliminate the restrictions tomorrow by changing the language in the International Traffic in Arms Regulations or ITAR (see 22 CFR Section 121.1).

In conclusion, let me say that we recognize the concerns of both the
law enforcement and national security communities. But the
Administration's current policies do not and will not be successful by
ignoring the explosive growth and nature of the global Internet and the
pace of technological change. And the Administration's policies would
also prove devastating to the U.S. software industry.

A New York Times editorial makes the point that "The best way
for the Government to protect its ability to eavesdrop on domestic and
foreign criminals is to stay technically ahead of them…The
export restrictions do nothing to keep encryption software out of the
hands of criminals and hostile governments, but needlessly drive
American exports out of foreign markets." The National Research Council
also advocates that the U.S. Government fund robust research programs
to keep our law enforcement and intelligence agencies ahead
technologically. ITAA endorses this recommendation, as well as the
provision in S. 1726 directing the Secretary of Commerce to "prohibit
the export or re-export of computer software and computer
hardware…" if it will be diverted or modified for foreign
military or terrorist use.

Thank you, and I look forward to your questions.
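Added worked example, not part of the testimony: the key-search figure quoted in the threat section ($10,000 of hardware recovering a 40-bit key in 12 minutes) used as a calibration point to show how exhaustive key search scales with key length and attacker budget, and, turned around, how a defender sizes a key against a given adversary budget and time horizon. The example goes beyond the testimony by extending the table to 64-bit and 128-bit keys. The per-dollar throughput derived from the 40-bit figure, and the assumption that throughput scales linearly with money spent, are the example's own; all function names are hypothetical.

```python
import math

# Calibration point quoted in the testimony: $10,000 of hardware recovers a
# 40-bit key in 12 minutes. Treated here as a full sweep of the 2**40 key space.
CALIBRATION_BITS = 40
CALIBRATION_COST_USD = 10_000
CALIBRATION_SECONDS = 12 * 60

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keys_per_second_per_dollar(bits=CALIBRATION_BITS,
                               cost_usd=CALIBRATION_COST_USD,
                               seconds=CALIBRATION_SECONDS):
    """Per-dollar search throughput implied by one (key bits, cost, time) data point."""
    return 2 ** bits / seconds / cost_usd


def sweep_seconds(bits, budget_usd, rate=None):
    """Seconds to try every key of a `bits`-bit cipher with `budget_usd` of
    hardware. Assumption (not from the testimony): throughput scales linearly
    with budget, while the key space doubles with every extra bit."""
    rate = keys_per_second_per_dollar() if rate is None else rate
    return 2 ** bits / (budget_usd * rate)


def sweep_years(bits, budget_usd, rate=None):
    return sweep_seconds(bits, budget_usd, rate) / SECONDS_PER_YEAR


def min_key_bits(budget_usd, horizon_years, rate=None):
    """Smallest key length whose full sweep outlasts `horizon_years` for an
    attacker spending `budget_usd` at the assumed throughput. This is the
    defender's form of the question: how many bits do I need?"""
    rate = keys_per_second_per_dollar() if rate is None else rate
    keys_searchable = budget_usd * rate * horizon_years * SECONDS_PER_YEAR
    return math.floor(math.log2(keys_searchable)) + 1


def scaling_table(budgets=(10_000, 10_000_000), key_sizes=(40, 56, 64, 128)):
    """Full-sweep time in years for each (budget, key size) pair."""
    return {(b, k): sweep_years(k, b) for b in budgets for k in key_sizes}


if __name__ == "__main__":
    for (budget, bits), years in sorted(scaling_table().items()):
        print(f"${budget:>12,}  {bits:3d}-bit  {years:.3g} years")
    # Key length needed to hold out 20 years against a $10M adversary
    # at the calibrated throughput.
    print("bits needed vs $10M for 20 years:", min_key_bits(10_000_000, 20))
```

Each extra 16 bits multiplies the sweep time by 65,536, so at the calibrated throughput a $10,000 machine that finishes 40 bits in 12 minutes needs about a year and a half for 56 bits, and a thousand-fold larger budget buys back only ten bits; 128-bit keys stay out of reach at any budget the table considers.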