For these reasons it is inevitable that the regulation of `cryptography' is doomed, and the sooner the UK follows countries such as Singapore and Switzerland and decontrols the technology, the better.
This raises the question of what sort of other controls might reasonably be put in place, given the Foreign Secretary's commendable declaration that arms exports to unsavoury regimes should be curbed. Two points bear consideration here.
Firstly, there is a general mechanism for preventing the unlicensed export of military electronics, namely that equipment hardened to operate in the typical military temperature range of -50 C to +155 C requires a license regardless of its function. I see no reason why these regulations should not remain in place and be sufficient of themselves; in my experience the use of commercial infosec products such as smartcards in military systems quickly runs into serious robustness problems.
Secondly, if further controls are required (which in my view would have to be proved using evidence rather than argued from hypothesis and assertion), it would be preferable for government to follow the example of the Data Protection Act and regulate the functionality rather than the mechanism. In this instance that would mean regulating `communications secrecy hardware or software' rather than `cryptography'. This would have the advantage of covering other communications secrecy mechanisms (such as low-probability-of-intercept radio components and laser-based tactical communications systems) which have the real potential to hinder British military operations, while not requiring that anyone writing DVD-compatible multimedia software spend months chasing paperwork through the DTI and GCHQ.
The approach of regulating `communications secrecy' systems rather than cryptography was taken by South Africa and the story behind its adoption might be of some interest. Eleven years ago, I was responsible for communications security at Barclays Bank. The South African government suddenly decreed that civilian use of cryptography was forbidden unless copies of both the algorithms and keys were given to the South African Communications Security Agency, SACSA. The response of the banking industry was to call a meeting of all institutions with branches in that country. Having discussed the matter, we sent an Afrikaans speaking representative to Pretoria to meet the admiral in charge of SACSA; the message was that the banks would be delighted for SACSA to assume the onerous duties of key management, but whenever a cash machine was found to be out of balance we would send him the bill.
The admiral's initial response was ``that wasn't what we meant'', that we should ignore the new law and carry on as before. The more considered response, that we received later, was that the regulations applied only to communications secrecy equipment; and as the banking crypto devices we used processed PINs for authentication rather than secrecy purposes, they fell completely outside the scope of the regulations.