next up previous
Next: Technological Neutrality Up: Trade and Industry Issues Previous: The real applications of

What should be regulated?

For these reasons it is inevitable that the regulation of `cryptography' is doomed, and the sooner the UK follows countries such as Singapore and Switzerland and decontrols the technology, the better.

This raises the question of what sort of other controls might reasonably be put in place, given the Foreign Secretary's commendable declaration that arms exports to unsavoury regimes should be curbed. Two points bear consideration here.

Firstly, there is a general mechanism for preventing the unlicensed export of military electronics, namely by requiring equipment hardened to operate in the typical military temperature range of -50 tex2html_wrap_inline45 C to +155 tex2html_wrap_inline45 C to require a license regardless of its function. I see no reason why these regulations should not remain in place and be sufficient of themselves; in my experience the use of commercial infosec products such as smartcards in military systems quickly runs into serious robustness problems.

Secondly, if further controls are required (which in my view would have to be proved using evidence rather than argued from hypothesis and assertion), it would be preferable for government to follow the example of the Data Protection Act and regulate the functionality rather than the mechanism. In this instance that would mean regulating `communications secrecy hardware or software' rather than `cryptography'. This would have the advantage of covering other communications secrecy mechanisms (such as low-probability-of-intercept radio components and laser-based tactical communications systems) which have the real potential to hinder British military operations, while not requiring that anyone writing DVD-compatible multimedia software spend months chasing paperwork through the DTI and GCHQ.

The approach of regulating `communications secrecy' systems rather than cryptography was taken by South Africa and the story behind its adoption might be of some interest. Eleven years ago, I was responsible for communications security at Barclays Bank. The South African government suddenly decreed that civilian use of cryptography was forbidden unless copies of both the algorithms and keys were given to the South African Communications Security Agency, SACSA. The response of the banking industry was to call a meeting of all institutions with branches in that country. Having discussed the matter, we sent an Afrikaans speaking representative to Pretoria to meet the admiral in charge of SACSA; the message was that the banks would be delighted for SACSA to assume the onerous duties of key management, but whenever a cash machine was found to be out of balance we would send him the bill.

The admiral's initial response was ``that wasn't what we meant'', that we should ignore the new law and carry on as before. The more considered response, that we received later, was that the regulations applied only to communications secrecy equipment; and as the banking crypto devices we used processed PINs for authentication rather than secrecy purposes, they fell completely outside the scope of the regulations.


next up previous
Next: Technological Neutrality Up: Trade and Industry Issues Previous: The real applications of

Ross Anderson
Tue Oct 21 11:00:05 BST 1997