To a German national raised in the Cold War’s heyday, the idea of crossing a border between two countries every morning to get to work might not have seemed unusual. But Niels Provos, a researcher at the University of Michigan studying encryption in the 1990s, never expected that those two countries would be the U.S. and Canada. Though the recent debate on encryption has largely focused on law enforcement access, history shows that domestic regulation of encryption has unintended consequences: it can push internet security research, and in Mr. Provos’s case the researchers themselves, to other countries.
The public debate in the U.S. over encryption has focused almost exclusively on law enforcement officials’ concerns that they will not have access to information that could help solve crimes. But there has been little discussion of the known real-world impact of mandates in this area. In the 1990s, when then-FBI Director Louis Freeh lobbied Capitol Hill and the Clinton Administration for greater law enforcement access to communications, regulations were put in place that prohibited U.S. citizens and companies from exporting strong encryption products to other countries. While this kept U.S. companies from selling abroad any encryption that law enforcement could not access, it did not stop foreign companies from building advanced encryption tools and creating new security markets in countries like Israel, Canada and Russia.
The unintended effects of the regulation were to cut U.S. companies out of the market and to slow U.S. research on Internet security. Because of the regulations, U.S. researchers were simply not allowed to collaborate on or share encryption technology that was strong enough to resist being cracked. Niels Provos, then a researcher at the University of Michigan, was developing OpenSSH, today one of the most widely used pieces of security software on the Internet. However, because Provos was a German national, he was prohibited under the regulation from working on advanced encryption tools in the U.S. The picture of a widely respected researcher leaving his U.S. colleagues to cross the border to an office in Windsor, Canada, because the U.S. government would not let him develop in Ann Arbor software that is today central to Internet security, is a telling example of the absurd consequences of this policy.
Unfortunately, we still feel the unintended consequences of this regulation today, more than twenty years after it went into effect. For instance, in 2015 the disclosure of the FREAK and Logjam vulnerabilities sent worried technology companies scrambling to patch transport layer security (TLS), the protocol widely used to secure functions like online payments. Both attacks turned on the 512-bit “export-grade” RSA and Diffie-Hellman key sizes that the 1990s rules permitted: many servers still accepted those cipher suites, an attacker on the network could trick a connection into using them, and a 512-bit key is small enough to be broken in a matter of hours on rented cloud computers. The weak keys were remnants of the very same encryption regulation imposed in the 1990s at the behest of law enforcement, and researchers continue to uncover security vulnerabilities embedded in widely used products as a result of the regulation. Rather than making the nation and its citizens safer, the 1990s regulation ironically created a legacy of subpar internet security that still puts users at risk today.
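What those two attacks exploited can be made concrete with a small model. The Python below is an added illustration written for this column, not code from the researchers who found the flaws. It reduces a TLS handshake to the cipher-suite negotiation and the size of the key-exchange parameters the server signs, uses the real IANA cipher-suite codes, and assumes client-preference ordering on the server and a 2048-bit floor for the hardened client; the client offer list is constructed for the example.

```python
"""Abstract model of the export-cipher-suite downgrade behind FREAK and Logjam.

Added illustration, not code from the article. Cipher-suite codes are the
IANA TLS values; the handshake is reduced to suite negotiation plus the size
of the key-exchange parameters the server signs and sends.
"""
from dataclasses import dataclass

# IANA code -> (name, key-exchange family, export-grade?)
SUITES = {
    0x0003: ("TLS_RSA_EXPORT_WITH_RC4_40_MD5", "RSA", True),
    0x0008: ("TLS_RSA_EXPORT_WITH_DES40_CBC_SHA", "RSA", True),
    0x0014: ("TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", "DHE", True),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA", False),
    0x009E: ("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "DHE", False),
}
EXPORT_SUITES = {code for code, (_, _, export) in SUITES.items() if export}
MODERN_SUITES = set(SUITES) - EXPORT_SUITES

EXPORT_KEY_BITS = 512   # the 1990s export ceiling for RSA and DH parameters
STRONG_KEY_BITS = 2048  # assumed size a current server sends for non-export suites


@dataclass
class ServerKeyExchange:
    suite: int     # suite named in the ServerHello
    kx_bits: int   # size of the signed RSA key or DH prime


def server_respond(offered, enabled):
    """Choose the first client-offered suite that is enabled (client preference,
    OpenSSL's default without SSL_OP_CIPHER_SERVER_PREFERENCE)."""
    for suite in offered:
        if suite in enabled:
            bits = EXPORT_KEY_BITS if suite in EXPORT_SUITES else STRONG_KEY_BITS
            return ServerKeyExchange(suite, bits)
    return None  # no suite in common: the handshake fails


def mitm_downgrade(family):
    """Rewrite the ClientHello to offer only export suites of one key-exchange
    family: RSA for a FREAK-style attack, DHE for a Logjam-style one."""
    return [s for s in sorted(EXPORT_SUITES) if SUITES[s][1] == family]


def mitm_forge_serverhello(skx, client_offer):
    """Rewrite the ServerHello to name a non-export suite the client really
    offered, keeping the signed 512-bit parameters. In TLS 1.2 the signature
    covers the parameters and nonces but not the cipher suite, so the
    signature check does not catch the swap."""
    family = SUITES[skx.suite][1]
    for suite in client_offer:
        if SUITES[suite][1] == family and suite not in EXPORT_SUITES:
            return ServerKeyExchange(suite, skx.kx_bits)
    return skx


def client_accept(offered, skx, min_kx_bits=STRONG_KEY_BITS, legacy=False):
    """legacy=True mimics 2015-era clients, which accepted 512-bit parameters
    under a non-export suite. A hardened client refuses a suite it did not
    offer and any parameters below min_kx_bits (browsers set a 1024-bit floor
    after Logjam; 2048 is assumed here as the current recommendation)."""
    if legacy:
        return skx.suite in offered
    return skx.suite in offered and skx.kx_bits >= min_kx_bits


def handshake(client_offer, server_enabled, attacker=None, legacy_client=False):
    """Return (outcome, kx_bits). attacker is None or the key-exchange family
    the man-in-the-middle downgrades to ("RSA" or "DHE")."""
    offer_seen_by_server = mitm_downgrade(attacker) if attacker else client_offer
    skx = server_respond(offer_seen_by_server, server_enabled)
    if skx is None:
        return ("failed", None)   # server had no export suite to fall back to
    if attacker:
        skx = mitm_forge_serverhello(skx, client_offer)
    if client_accept(client_offer, skx, legacy=legacy_client):
        return ("ok", skx.kx_bits)
    return ("rejected", skx.kx_bits)


def export_suites_enabled(enabled):
    """The server-side audit: names of export suites still in the config."""
    return [SUITES[s][0] for s in sorted(enabled) if s in EXPORT_SUITES]


if __name__ == "__main__":
    offer = [0x009E, 0x002F]  # constructed client list: DHE-AES-GCM first, then RSA-AES
    print(handshake(offer, set(SUITES), attacker="RSA", legacy_client=True))  # ('ok', 512)
    print(handshake(offer, MODERN_SUITES, attacker="RSA", legacy_client=True))  # ('failed', None)
    print(handshake(offer, set(SUITES), attacker="RSA"))  # ('rejected', 512)
```

The three runs at the bottom are the whole story of the two fixes: a server that still has export suites enabled lets the attacker complete a 512-bit handshake with an old client; a server that has removed them gives the attacker nothing to downgrade to; and a client that enforces a key-size floor refuses the 512-bit parameters even when the server is unpatched.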
The regulation also spurred the development of innovative foreign encryption products and new companies. Studies of the period found that the development of cryptographic products around the world increased and that new companies took advantage of the shifting market forces. For instance, Check Point Software Technologies, an Israeli internet security firm started in 1993, now employs close to 3,000 people and has a market capitalization over $13 billion. Moreover, security companies located abroad benefited by marketing their new technologies with the claim that they were not constrained by “political restrictions,” suggesting that U.S. products had been weakened by the regulation.
In 2000, the Clinton Administration changed the rules to allow greater export of encryption, and U.S. companies and researchers began trying to catch up to their foreign counterparts. But the damage was done. Internet security products were weaker than they should have been, and the U.S. had lost out on the ability to demonstrate excellence in a marketplace that now directly impacts our national security.
Some policymakers seem to have forgotten these lessons. Calls to force companies to build backdoors for law enforcement and to regulate encryption have many of the same problems as the policies of the past. They will force those who want secure products to look to non-U.S. vendors. Research will once again be sent overseas out of fear that U.S. security researchers will not be able to share their research with the community or make their products open source without possible interference from law enforcement or other government entities.
On the other hand, we have to continue to acknowledge that law enforcement and the U.S. intelligence community face real problems, now and in the future.
But instead of mandating technical solutions and hampering research, we need to develop encryption policy that encourages a robust U.S. security marketplace. As many Internet security experts have suggested, we could invest in greater government research that finds vulnerabilities in our own systems and shares them with vendors. We could enhance the technical know-how of state and local law enforcement officials so that they understand how current technologies process information and what they can lawfully access under the current regime. We could build closer ties among researchers, the FBI and local law enforcement to find novel ways of accessing information without building backdoors.
These solutions will not solve every problem, but they will start us down the path of allowing law enforcement to adapt to the continuing changes in new technologies without creating the unintended consequences that we’ve faced in the past.
Schwartz is Managing Director for Cybersecurity Services at Venable LLP. He was formerly Senior Director for Cybersecurity Policy and Special Assistant to the President for Cybersecurity on the National Security Council from 2013-2015.
The views expressed by Contributors are their own and are not the views of The Hill.