IP: more on Re:: re crypto policy impact

[David Farber <farber () cis upenn edu>]

> From: shapj () us ibm com
> X-Lotus-FromDomain: IBMUS
> To: farber () cis upenn edu
> Date: Mon, 6 Sep 1999 18:14:52 -0400
> Subject: Re: IP: re crypto policy impact
>
> > The following [note concerning export of Apple's G$ processors]
> > is from a legitimate Apple dealer in Russia
>
> Dave:
>
> Since some of your readers may not know, I just wanted to take note that this
> isn't really a crypto issue.
>
> The US maintains export controls on three categories of things related to
> computers (and probably several others):
>
> 1. Cryptographic technology
> 2. High-performance processors
> 3. Secure operating systems
>
> Cryptographic technologies see regular discussion in your list, and I won't
> belabor them further.
>
> The high-performance processor issue doesn't appear to be an issue 
> of "speech",
> and probably will never be challengable under first ammendment 
> grounds.  It's a
> fatally flawed policy; it is simply too easy to send students or buyers to
> countries that have high-performance machines and buy them for 
> transport or use
> them in place.  Further, I'm not aware of controls that prohibit remote access
> from proscribed countries over (say) the internet. [Perhaps someone 
> on your list
> can expand on the last issue.]
>
> The success and widespread availability of things like Beowulf -- a 
> project that
> links ordinary machines into a networked "supercomputer" -- is making the
> definition of "supercomputer" increasingly suspect.  Why bother 
> controlling the
> export of G4 processors when a few suitably linked Pentiums work just as well?
> The export controls were designed to make it difficult to do things 
> like nuclear
> bomb simulations and decryption.  Both problems are parallelizable; 
> it may even
> be that a Beowulf cluster is a better solution than a G4 class processor.  The
> Beowulf technology is not subject to export control.
>
> The secure operating system issue is a case of good intentions ill considered.
> It is legitemate to worry about what would happen if, say, Iran had access to
> operating systems that the US could not crack.  Worrying won't help. 
> Today, such
> technology is available piecemeal on the web, and getting better integrated
> daily. Court rulings on cryptographic technology have so far been careful to
> avoid impacting the export of operating systems.
>
> The downside to the secure OS issue is that it is *also* desirable 
> to be able to
> ship products that cannot be tampered with by the end user or a 
> third party.  An
> adequately secured air traffic control system, for example, cannot 
> be abused by
> terrorists.  An adequately secure banking software suite is significantly less
> susceptible to electronic attack.
>
> There have been several highly secure operating system products that have been
> dropped because of export controls.  A company has no incentive to go for real
> security when this means that expense is increased and the product 
> must then be
> restricted to the US market.  Digital (now Compaq) built and dropped an
> A1-capable virtual machine monitor for the VAX line that is a good case in
> point.  Combine such policies with the Pentagon's increasing 
> emphasis on use of
> COTS (commercial off the shelf) software in the interests of cost 
> reduction and
> you have a clear-cut disaster in the making.
>
> This particular export restriction remains in force because of an executive
> order signed by Clinton when the earlier law went out of force. 
> While opinions
> are now split, many individuals at NSA now believe that this law was 
> a mistake.
>
> A compelling case can be made that this law effectively prevents the 
> widespread
> dissemination of secure systems, and that in the face of current activities
> against our nation's electronic infrastructure the continuation of this law
> constitutes a clear and present danger to our nation.
>
>
> Jonathan S. Shapiro