Uncle Sam's crypto road show

Network Security, March 1998
Wayne Madsen

State Department documents released to the Electronic Privacy Information Center (EPIC) illustrate the extensive travels of Ambassador David Aaron, President Clinton's former Special Envoy for Cryptography, during 1996 and 1997. On 6 November 1996, Aaron became the Under Secretary of Commerce for international trade. Aaron was charged by the Clinton administration with selling the concept of the unpopular key escrow/key recovery initiatives to governments around the world. This was in addition to his other duties as Permanent Representative to the Organization for Economic Cooperation and Development (OECD) in Paris. Contrary to statements by Aaron and other administration officials, the newly released documents indicate that many foreign governments were either opposed to the US encryption initiatives, reluctant to make any quick decisions to adopt key escrow, or not sufficiently informed on the matter to make a decision at all.

Even before Aaron was appointed Clinton's Special Envoy for Cryptography, US State Department messages indicate that the US was making overtures to various countries via American embassies around the world. These include the diplomatic posts in Canberra, London, Tokyo, Ottawa, Tel Aviv, Paris, Bonn, The Hague and Moscow. One message to these posts announced the revised US cryptography export policy, the "key recovery within two years or no export" rule (the public announcement was made on 1 October 1996).

Following the receipt of the message, the US Embassy Economic Officer in Ottawa briefed Lynda Watson, the Canadian Director of the Export Controls Division of the Department of Foreign Affairs and International Trade (DFAIT), on 2 October 1996. In a message to the State Department classified Sensitive But Unclassified (SBU), it is stated that Watson's reaction to the proposed cryptography policy was one of "mild surprise".

Watson said that Canada had not expected this outcome at this time. When the Economic Officer asked Watson to provide a list of senior officials for an, at the time, unnamed senior American official to meet, Watson declined, saying that would depend on the rank of the US official. Diplomatic protocol, it seems, actually became a stumbling block to a quick commitment by Canada to readily accept US key recovery proposals. Watson also had a list of questions for the Americans to pose to their Government concerning key recovery, including the reasonable question of when the new American policy was to come into effect. Although the Economic Officer seemed to indicate to Watson that US-Canadian meetings would be coordinated through her, he provided copies of the message outlining the new US key recovery plan to embassy representatives of the National Security Agency (NSA), the FBI and the US Customs Service. They were directed to contact their Canadian counterparts directly to seek out Canadian officials who might meet with the unnamed senior US official.(1)

In a further embassy message to Washington, Ms Watson is reported not to have received a timely response to her questions about US intentions. In the message (subject: "US Cryptography Policy: Canadians reiterate their questions"), an embassy official reports that Watson, on 29 October 1996, asked him whether the embassy had received answers to her previous questions on US cryptography policy and the identity of the senior official who would be coming to Canada. The message states: "The GOC (Government of Canada) would like to be in a position to have a meaningful discussion at a senior level, Watson said. But the lack of any information from the USG (US Government) in the three weeks since the embassy originally approached DFAIT about the potential visit of a senior USG official has made it difficult for DFAIT to prepare for such a meeting."
"It was essential, she said, that the GOC be given more than just seven to 10 days advance notice to prepare for the visit of the senior official. If DFAIT did not have this information well in advance, Watson said, the senior official's visit to Ottawa risked being less productive than both sides would like."(2)

US Government officials had often cited Canada as one of the US allies that was supportive of US cryptography initiatives. Revelations from these released diplomatic cables do not seem to support that contention.

The announcement by the White House that the senior US official would be David Aaron was not made until 15 November 1996. State Department message traffic reveals that further US diplomatic posts were brought into the cryptography picture. These include the posts in Budapest, Buenos Aires, Mexico City, Prague, Pretoria and Seoul, as well as the American consulates in Strasbourg (the headquarters of the Council of Europe) and Marseilles. They also included the OECD collective address of "All OECD Capitals".(3) This prompted the US Embassy in Bern to inquire as to whether it was supposed to arrange meetings between Aaron and officials of the Federal Office of Communications (BAKOM), the lead agency for cryptography issues in domestic legislation.(4)

Although there was now a name associated with the US senior official, problems with America's closest ally would continue. In a 22 November 1996 message to the State Department, the American Embassy in Ottawa reported that it had shared the news of Ambassador Aaron's appointment with Lynda Watson. However, Watson did not approve of the dates proposed for Aaron's visit to Ottawa (10-11 December 1996). Watson said that some of the higher-level officials would be out of town that week and most of the DFAIT working-level officials were going to be in Vienna for a meeting of Wassenaar Arrangement nations.(5) It is surprising that Aaron would have proposed a trip to Ottawa during a meeting in which cryptography export controls were surely to be discussed!

The United States would continue to have trouble with Canada. In a 19 December 1996 message from Aaron to the Department of State, the FBI, NSA, Justice Department and Commerce Department, the ambassador relays the content of a phone conversation he had the day before with John Tate, Coordinator of Security and Intelligence within Canada's Privy Council Office. Tate was responding to the imminent release of the Commerce Department's new encryption export regulations (which were released on 1 October 1996). Tate said that while Canada supported the thrust of the new US encryption policy, "If the new regulations take effect on 1 January 1997, Canada will be obligated to lift its own export controls with no follow-up proposal to back it up." Aaron reported that Tate wanted the US to delay its new policy implementation for six months to a year. In the message, Aaron states "... while I was sympathetic to Canada's position, our own domestic situation did not allow for an extended implementation period."(6) In a follow-up phone call with Tate, Aaron reports that the Privy Councillor reconfirmed that "Canada would not be in a position to apply the same type of conditions to its own industry."(7) This indicates that Canada was not prepared to go along with the US proposal to have companies agree to take part in a key recovery programme in order to receive export licenses for cryptographic products.

The US Embassy in Tokyo seemed rather strapped for cash in setting up meetings between Japanese Government officials and Aaron.
For example, one message from the Tokyo embassy to the State Department cited the scarcity and expense of interpreters for the meetings. Another said that in order to have an embassy car sent to Narita Airport for a 6:10 am pick-up of Aaron's party, the embassy would have to pay the driver $150 overtime pay - and it wanted money from Washington in advance. The embassy did suggest that Aaron and his crypto party could take the bus to their hotel from the arrival area outside of customs. This was at the bargain rate of $28. Optionally, the embassy said, Aaron's four-member delegation could hop on a train from the airport to Tokyo station and then take a cab to the embassy. A truly amazing diplomatic reception for President Clinton's personal envoy!(8)

The Tokyo mission also reported reservations in Japan concerning US encryption proposals. In a 14 January 1997 message to Washington, the Tokyo embassy reports that Aaron should meet with Japanese industry representatives: "A meeting with Japanese industry reps would be a useful opportunity to address some of the misperceptions and fears we have detected concerning US policy, and an opportunity to encourage Japanese industry to join our companies in developing a key-recovery infrastructure."(9) Given the close connection between Japanese industry and Government, it is certain that if Japanese industry had reservations about key recovery, the Japanese Government shared these sentiments. Perhaps this was what was behind the request by the Japanese Government for Aaron's trip to Tokyo to "be kept low-key". The Japanese also requested that there be no press activities regarding encryption policies.(10)

In an October 1996 Tokyo embassy message to Washington, it is reported that a Ministry of Foreign Affairs Non-proliferation Officer, a Mr Sekiguchi, told US embassy officials, regarding domestic key recovery, "... the issue will have to be reconciled with the sensitive issue of privacy, which is strictly protected by the Japanese Constitution." The Ministry of International Trade and Industry also indicated it had reservations with the US approach. It asked a US embassy official to ask Washington, "Once use is made of a third-party key, won't all future communications of that user be compromised?" The Ministry of Posts and Telecommunications and the Ministry of Justice weighed in by rhetorically asking, "What is to prevent people from creating their own encryption products based on publicly available algorithms?" Ironically, the best question was posed by the National Police Agency, rumoured to be Washington's only ally on encryption in Japan: "How does the new US (encryption policy) affect the status of publicly posted encryption programs such as PGP?"(11)

In additional communications, the US Embassy in Tokyo continued to report problems for US encryption proposals. In a 31 January 1997 message, the embassy reports: "Over the past several months, there have been several articles in major newspapers (Nikkei and Nikkei Sangyo) describing encryption and key recovery issues. According to these reports, Japanese firms are wary of participating in key recovery technology development for fear of appearing to support wiretapping."(12) The embassy also reported problems that American firms were having meeting Japanese client demands for encryption (an issue which directly affects the US trade balance): "A major US software company said it will have to use an NTT-developed product in a MITI-sponsored electronic commerce project it is involved in."
"Similarly, a recent report notes that WebTV, which has entered a joint venture with Fujitsu, has been forced to ask a Japanese company to develop encryption for its television set-top box, since it cannot export the 128-bit encryption it incorporates into its US product."(13)

A message from the US Embassy in Rome proposes that the US attempt to actually influence the Italian legislative process in developing an encryption policy for that country. In a 6 December 1996 message to the State Department, the embassy informed Washington, "As Italy is currently formulating its encryption policy, we have a good opportunity to inform and influence the process." However, the message contains a warning: "We were told that the encryption issue is being treated delicately since Italian authorities are concerned about a potential blowback on a matter which affects the privacy of personal data. The Justice Ministry is trying to establish principles which maintain the constitutional right to privacy but also allow effective action against criminal organizations by legal authorities. We were told that the Ministry is looking at a 'double key' approach, similar to the US concept."(14) The message from Rome also identifies Italian Government officials who would be likely targets for an American lobbying effort on encryption policy. They are: Antonio Mirone (Justice Ministry Undersecretary); Luigi Scotti (Justice Ministry Chief Legislative Officer); Gianfranco Anedda (Deputy, National Alliance Party(15) and Lower House Reader of the Law); and Senator Salvatore Senese (Democratic Party of the Left and the Senate's Reader of the Law). A Rome embassy message to Washington dated 20 December 1996 suggests that Aaron meet with neo-Fascist deputy Anedda.(16)

The Netherlands seemed to hedge on any quick acceptance of US key escrow/recovery proposals. In an American Embassy The Hague message dated 11 December 1996, it is revealed that Dutch Ministry of Economic Affairs official Mark Hoevers had reservations about the efficiency of proposed consultations in the absence of an official US (and Dutch) encryption policy.(17)

By early January 1997, it seemed that Aaron was not having too much luck convincing the big players to support US encryption policy goals. In an 8 January 1997 message to US embassies in Copenhagen, Dublin, Helsinki, Moscow, Oslo, Seoul, Vienna and Wellington, Aaron requests those posts to identify representatives from the respective governments with whom he might hold informal bilateral discussions on the margins of the RSA Conference (San Francisco) scheduled for 28-29 January.(18)

There was also a suspicious meeting on 12 November 1996 between Aaron and OECD official Jean Pierre Tuveri. Aaron discussed Tuveri's recent trip to Estonia, Latvia and Lithuania. The crypto envoy must have brought up the Baltic states' policies on the use of cryptography during that session, although Aaron's released day book entries do not indicate that cryptography was discussed. However, immediately following the meeting with Tuveri, Aaron, his assistant and key embassy officers held a meeting on cryptography. Additionally, while in the midst of high-level cryptographic discussions in Paris, Aaron found time for a 27 November 1996 meeting with the counsellor of the Latvian embassy in Paris.

The released traffic indicates that one of the strongest proponents of the US key escrow policy in Australia was Peter Ford of the Attorney General's Office. Ford tried to get the Federal Minister of Communications, Senator Richard Alston, and Ford's boss, Attorney General Daryl Williams, to meet with Aaron. However, the US embassy reported that the Attorney General was travelling to Perth during Aaron's visit and was not available to meet with the US crypto ambassador.
Alston apparently had other, more pressing commitments. Even Norman Reaburn, the Deputy Secretary of the Attorney General's Department and Chairman of the OECD Cryptography Committee of Experts, was unavailable to meet with Aaron. In diplomatic terms, such snubs represent a virtual statement of no confidence. To add insult to injury, the chief law enforcement official of Australia apparently decided to place the entire Australian continent between himself and the US cryptography proposals.

Aaron's itinerary also kept him in his country of diplomatic residence, France. While French policy on encryption was more draconian than America's in many respects, Aaron found total confusion among French industry and government sectors on how to address the issue. At a 6 February 1997 roundtable hosted by Aaron at the Paris trade show Information Technology Forum/COMDEX, Aaron discussed cryptography with representatives of Alcatel, IBM France, Oracle France, Microsoft France, Hitachi Computer Europe, Netscape, CompuServe and French law firms. In a 5 March 1997 Paris embassy message to Washington, the highlights of these discussions were disclosed. In answer to a question from a Microsoft executive, Aaron pointed out that the US could not mandate encryption policy in the same manner as the French, but would seek a market solution whereby key recovery encryption technologies became dominant throughout the world. He added that this was not inconsistent with French objectives. The message cited "balkanization" of French industry on the encryption issue as a significant problem. The message states: "Executives from the sectors most closely concerned with encryption - telecoms, hardware and software manufacturers, and Internet Service Providers - are simply not talking to each other."

"Voicing concerns that we hear most frequently from our telecoms contacts, a member of the AMCHAM (American Chamber of Commerce) Telecoms Committee complained of the lack of transparency of the GOF's (Government of France's) encryption policy, and the GOF's unwillingness to consult with the private sector."(19)

The representative of IBM France said that the proposed French encryption decrees, which require that all encryption devices imported and used in France be approved by the government, were "a first step, a good building block". But the IBM official added that IBM wanted full liberalization for all 40-bit products and minimal delays in French Government approvals of import licenses and encryption authorizations. Many French industry executives complained that one of the chief opponents of liberalized encryption regulations was the Direction de la Surveillance du Territoire (DST), the French domestic intelligence service. The business leaders stated that the Ministry of Industry was their best ally in their arguments with the spook community. Concerning the French requirement for Trusted Third Parties (TTPs), the Microsoft official decried the fact that foreign companies were not authorized to be TTPs. However, the IBM France official said that, as a French company, his firm could qualify as a TTP under French law. He also said that large French companies like Michelin would be permitted to self-escrow their keys.(20)

The Netscape executive complained about non-OECD countries acting as "free riders" in the event that strong crypto controls were adopted by the OECD nations. He cited Israel, Russia and Singapore as examples. Aaron responded by stating that he would be visiting non-OECD countries during his encryption consultation missions.
He added that Russia had strong laws but an enforcement problem; Israel had strong domestic controls but an export problem; and Singapore was adopting legislation in line with the OECD guidelines. He also cited India and Argentina as potential concerns.

In a 13 February 1997 meeting with officials of Oracle France, that company noted strong demand for encryption products in France among its financial, industrial and military clients. They told Aaron they were concerned about French efforts to restrict the import and distribution of US-made encryption (i.e. %-bit and above). They stated they would use Ireland as an export platform for US-made encryption products if France attempted to place unreasonable restrictions on legitimate imports. Citing the 1994 European Union Directive on dual-use goods, they said that France was prohibited from imposing national restrictions on dual-use goods that circulated freely in any EU country, i.e. Ireland. Under export control regimes, dual-use items are those which have both civilian and military applications.(21)

The released State Department traffic indicates that France has built into its encryption policy hidden benefits for its intelligence and police agencies. For example, a 12 September 1996 message from the Paris embassy to Washington explaining the details of a meeting between the US embassy Economic Counsellor and General J.L. Devigne, the Director of the Information Systems Security Service (SCSSI),(22) is almost entirely redacted (whited out). One paragraph eliminated deals with "Slow Progress on Encryption in the OECD".(23) Another meeting with the SCSSI officials followed on 26 September 1996. The venue was an OECD Paris meeting on cryptography. US and French officials met at a working breakfast meeting. On the US side were Scott Charney (Department of Justice); Ed Appel (National Security Council); and Mike Nelson (White House Office of Science and Technology Policy). Representing the French were General Devigne, Philippe Dejean, and Francois Belorgey of the Ministry of Industry and Telecommunications.(24)

There was a follow-up meeting between US and French encryption policy officials on 23 October 1996. Attending from the US side were Susan Eckert of the Commerce Department and William J. Denk of Commerce's Bureau of Export Administration. On the French side were Philippe Dejean; Michel Ferrier, Director of Technology and Strategic Export Controls at the General Secretariat for National Defense (SGDN); and representatives of the DST and the French foreign intelligence service, the DGSE.(25)

In a keynote address to the RSA Data Security Conference in San Francisco on 28 January 1997, Aaron declared that US allies support the concept of lawful access by governments to encrypted files and communications. He also said, "many governments, in the interest of public safety, want stronger controls than we have." The release by the State Department of Aaron's detailed papers and diplomatic traffic is at variance with the ambassador's contention. Most countries visited by Aaron either showed a lack of resolve on the key recovery issue or were just outright indifferent. Moreover, as can be seen from some US embassy traffic, America's own diplomatic representatives (e.g. in Japan) were apprehensive about pushing key recovery in countries that opposed it. As a result of his travelling road show, most countries just decided they were not going to buy Ambassador Aaron's magic tonic of key recovery.

References

(1) American Embassy Ottawa Cable (Operational Immediate - Sensitive - Number 004391, 2 October 1996).
(2) American Embassy Ottawa Cable (Routine - Sensitive - Number 004819, 29 October 1996).
(3) These include Madrid, Lisbon, Athens, Copenhagen, Oslo, Helsinki, Reykjavik, Wellington, Vienna, Warsaw, Dublin, Ankara and Luxembourg.
(4) American Embassy Bern Cable (Routine - Number 005191, 25 November 1996 - Subject: Special Envoy for Cryptography - Travel to Switzerland?).
(5) American Embassy Ottawa Cable (Operational Immediate - Sensitive - Number 005175, 22 November 1996).
(6) American Embassy Paris Cable (Priority - Number 029026, 19 December 1996).
(7) American Embassy Paris Cable (Priority - Number 029226, 20 December 1996).
(8) American Embassy Tokyo Cable (Priority - Number 000480, 21 December 1997).
(9) American Embassy Tokyo Cable (Priority - Number 00346, 14 January 1997).
(10) American Embassy Tokyo Cable (Priority - Number 000480, 21 December 1997).
(11) American Embassy Tokyo Cable (Priority - Originally Confidential - Number 009585, 16 October 1996).
(12) American Embassy Tokyo Cable (Priority - Originally Confidential - Number 000880, 31 January 1997).
(13) Ibid.
(14) American Embassy Rome Cable (Priority - Number 011869, 6 December 1996).
(15) This party is generally referred to as the neo-Fascist party. One of its leaders is Vittorio Mussolini, the son of the former Fascist leader.
(16) American Embassy Rome Cable (Priority - Number 012256, 20 December 1996).
(17) American Embassy The Hague Cable (Routine - Number 005239, 11 December 1996).
(18) American Embassy Paris Cable (Routine - Number 000422, 8 January 1997).
(19) American Embassy Paris Cable (Priority - Number 005109, 5 March 1997).
(20) Ibid.
(21) Ibid.
(22) The counsellor also met with Philippe Dejean, SCSSI's Cryptographic Division Chief.
(23) American Embassy Paris Cable (Priority - Number 20381, 12 September 1996).
(24) American Embassy Paris Cable (Priority - Number 22577, 7 October 1996).
(25) American Embassy Paris Cable (Priority - Originally Confidential - Number 025048, 31 October 1996).
Managing Network Security - Red Teaming
Fred Cohen

Over the last few years, computing has changed to an almost purely networked environment, but the technical aspects of information protection have not kept up. As a result, the success of information security programmes has increasingly become a function of our ability to make prudent management decisions about organizational activities. This series of articles takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.

Many people in the information security industry, myself included, offer Red Teaming services to their clients. In simplest terms, these services provide information on and demonstrations of vulnerabilities, but it isn't really that simple. The real challenge with Red Teaming is getting value for your money.

The cheap and dirty Red Team

Lots of people believe that the most important impacts of Red Teaming are in the effects of the results on management, with a graphic demonstration of the vulnerabilities faced by the organization. The information security specialists know that there is a big problem, but they are having difficulty making management understand. So they decide to do a sample penetration to make the impact of vulnerabilities clearer. Naturally, they call in a consultant rather than doing it themselves...

Joe: Joe's security consulting... Joe speaking.
You: Hi Joe, can you break into my computers?
Joe: Sure, but it'll cost you a pretty penny.
You: How much?
Joe: That depends on what you want me to do. What did you have in mind?
You: We want to show the boss that we could lose millions if a hacker broke in.