America was forever changed on Sept. 11 when terrorists stabbed deep into the country's financial heart by destroying the World Trade Center's twin towers and shook the nation's confidence by also attacking the Pentagon. In the two weeks since the attacks on New York City and Washington, D.C., which claimed more than 6,000 lives, the fallout has affected every industry and prompted calls for legislation to prevent similar attacks in the future.
IT has not been spared. New Hampshire Senator Judd Gregg has reportedly asked Congress to consider clamping down on encryption in the wake of an FBI report that said the terrorists used encrypted messages to coordinate their attacks. Gregg specifically wants to ban strong encryption, or at least provide the government with a back door when matters of national security arise. The senator's proposal opens the door for the government to monitor communications and has raised the ire of privacy advocates, encryption experts and industry analysts, who are steadfastly opposed. They fear a ripple effect that would reach everything that uses encryption, from communication and e-commerce to e-government and health care.
"Encryption involves changing cleartext into ciphertext in a reversible way," explained security consultant Fred Avolio, president of Avolio Consulting and a searchSecurity expert. "To uniquely encrypt the information, an extra parameter, called a key, is used. A key is a randomly chosen, large number. Cracking encryption -- good encryption, anyway -- involves guessing that number," he said. "Large keys give us a high level of assurance that a brute force guessing attack should take many years (for example, trillions of numbers, given current technology). I imagine law enforcement would like to control the use of very large keys. Practically speaking, this is impossible."
Reports: Crypto was not used in terror attacks
Evidence is eroding that the terrorists used encryption. A Boston Sunday Globe report Sept. 23 refuted the FBI's initial finding that the terrorists used encryption to coordinate their attacks, something that most analysts and experts doubted from the start.
"They would be holding up a red flag to any federal agency that they are doing something they want kept secret," said Sayan Chakraborty, vice president of engineering at Sigaba Corp. "Why not send the message into the clear? There would be less chance of calling attention to themselves. It's not that hard to hide on the Net. People who send viruses do it every day. One of the better tools at their disposal is to be anonymous and there are plenty of ways to do that, by getting a Yahoo or Hotmail account where you don't have to provide any personal information."
That said, Senator Gregg's call for an encryption ban seems knee-jerk, according to some.
"I would not go as far as to call a senator's actions knee-jerk, but I would observe that people understand and get a grip on the issues and direct their energy toward something more productive," Gartner analyst Bill Malick said. "I don't think it will get anywhere."
Not the first time crypto under attack
Encryption bans have been proposed in the past. In 1994, the National Security Agency developed the Clipper chip initiative for the National Institute of Standards and Technology. The initiative used an algorithm that could be decrypted using two separate keys. The U.S. government attempted to escrow the keys separately, but was turned away. This time, the experts are wondering aloud what good a ban on encryption in the U.S. would do, considering that encryption products are being produced worldwide.
"Say it passes. Are the drug cartels and terrorists going to say they are going to give back the encryption they already have?" Malick said.
Encryption is central to many American privacy initiatives already on the law books, such as the Gramm-Leach-Bliley Act, which mandates that financial institutions keep transactions private, and the Health Insurance Portability and Accountability Act (HIPAA), which acts in a similar fashion for the health care industry. It is also central to any Internet transaction, be it on an e-commerce Web site or in the exchange of confidential or personal materials between corporations and clients.
Security an enabler
Experts question whether legislators understand the premise of IT security.
"A friend of mine once asked 'Why do you think they put brakes on cars?' Most would say to slow down and while that's what brakes do, the reason you have brakes is they allow you to go as fast as you want," Malick said. "Security is supposed to work the same way. It's supposed to allow you to do as much as you can. It's supposed to be an enabler."
The terrorist attacks have spurred emotions most have not felt in America since Pearl Harbor.
"We were left vulnerable and open. All of us feel it and people's response is to look for a way to combat that feeling. One way is to combat encryption," Chakraborty said.
IT's role can be in an educational capacity, according to Malick, who said that vendors of information security products need to explain what encryption products are for and what they do.
"Should we do something to curb the ability of terrorists to go about their grisly business? Of course," Avolio said. "We should be calm and thoughtful and look for measures that maximize effectiveness without walking all over the US Constitution."