The encrypted jihad

We can't stop terrorists from using uncrackable codes. So we shouldn't even try.

Published February 4, 2002 8:30PM (EST)

Here's a tip for Treasury Department agents tracking al-Qaida's finances: You might want to pay a visit to the volume discount department at Dell Computer. Al-Qaida, it seems, has been an avid consumer of computers over the last several years, and is especially fond of laptops. It isn't hard to understand why. With his hectic, on-the-go lifestyle, no self-respecting terrorist can function without a computer that fits comfortably on an airplane tray table. Alleged "20th hijacker" Zacarias Moussaoui, for instance, used his to research crop dusters, quite possibly in preparation for a biological attack on a densely populated American city. Ramsi Yousef used a laptop he accidentally left in a Manila apartment to plan his extensive itinerary, which included assassinating the pope in the Philippines, attacking an Israeli Embassy in Thailand, and bombing the World Trade Center in 1993.

It's not surprising, then, that the seizure of computers has become a primary goal for U.S. soldiers scouring Afghan caves and ambushing Taliban and al-Qaida operatives. Ironically, though, winning possession of this equipment on the battlefield may be the easy part; terrorists today have the capacity to protect data with encryption schemes that not even America's high-tech big guns can crack. The number of possible keys in the new 256-bit Advanced Encryption Standard (AES), for example, is 1 followed by 77 zeros -- a figure comparable to the total number of atoms in the universe.

Luckily, not all encryption is hopelessly secure. Ramsi Yousef was careless in protecting the password to his encrypted files, giving the FBI relatively easy access to their contents. It took the Wall Street Journal only days to decrypt files on two Al-Qaida computers that used a weak version of the Windows 2000 AES cipher in Afghanistan. The U.S. cannot, however, count on such carelessness indefinitely.

But recent changes in U.S. policy have actually reduced restrictions on the spread of sophisticated encryption. In January 2000, for instance, the Clinton administration ruled that "retail products" that undergo a one-time, 30-day government review can be exported to nearly all countries (with the exception of Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria) without any government licensing requirement. Revisions published later that year relaxed even these limitations for products exported to the 15 nations of the European Union and several of their major trading partners. The practical effect of these reforms has been that the industrial-strength Windows 2000 128-bit High Encryption Pack is now freely available over the Internet to anyone, including Hamburg residents such as presumed Sept. 11 ringleader Mohammed Atta.

Since Sept. 11, some commentators and lawmakers have suggested that the U.S. reverse itself once again, and redouble efforts to control encryption. On the surface, this sentiment is understandable -- it is difficult to argue against any moves that may prevent future terrorist attacks on the scale of the WTC disaster. This position is, however, dead wrong.

Quite simply, the U.S. regime of strict encryption controls didn't make sense before Sept. 11, and it doesn't make sense now. The starkest illustration of this reasoning is the case study of Israel, which is simultaneously a leader in encryption product exports and a major focus of terrorist attacks.

Before President Clinton's 2000 reforms, proponents of encryption export controls were besieged from all sides: on the left and right flanks, privacy advocates argued that strong encryption is vital to protecting individual liberty against government intrusion. First Amendment devotees launched a frontal attack in the courts, claiming that encryption code was essentially speech. Most effective, however, was the carpet bombing of lobbyists and campaign contributions from the software industry -- the Microsofts, IBMs and Suns of the world -- who argued that export controls simply drove customers seeking secure products to companies in other countries, such as Israel. These companies estimated their losses in billions of dollars, and noted the costs to workers as well; even domestic companies were hiring independent overseas software developers to create encryption products.

Though their agendas differed, the above parties were united in their claims that the government's policy stood little chance of significantly controlling criminal use of encryption. First, they noted that producing encryption algorithms takes few resources beyond advanced mathematical training. In fact, sometimes even these skills are not necessary; in early 1999 a 16-year-old Irish high school student named Sarah Flannery developed a new data-encryption algorithm that was 22 times faster than the popular RSA algorithm used in many business transactions today.

Second, reform advocates stressed that there is no practical way to keep encryption within or without the confines of physical borders. For instance, anyone can purchase a copy of the encryption program Crypto II on the streets of Moscow for $5, and then e-mail it to a friend in New York.

Third, legal controls on encryption will bind only those who decide to follow the law. Terrorists who are willing to fly a jet into the side of a building will have no qualms about breaking laws against illegal encryption. Finally, encryption advocates claim that government control stifles development of the strong encryption we need to protect computer networks from attacks by hackers and other criminals, and to secure our systems for air traffic control, electrical distribution, financial markets and telecommunications.

But hasn't Sept. 11 changed the equation? Americans have, after all, now come to accept that they will have to compromise on issues like privacy or economic growth in favor of increased security.

It is specifically in the aftermath of this trauma that it becomes instructive to look at the policy of Israel, a country defined by its obsession with security. The Israeli predicament is essentially a starker version of that of the U.S. On the one hand, Israel has faced six wars in its first 50 years, and confronts terrorist shootings and suicide bombings virtually every week. Both the Israeli army and the FBI have confirmed that Hamas and other Islamic militants regularly use the Internet to transmit encrypted instructions for terrorist attacks -- including maps, photographs, directions, codes and technical details about how to use bombs. On the other hand, Israel's economy is among the most reliant in the world on high technology exports. In fact, the share of Israel's information technology exports as a percentage of services exports is surpassed only by Japan. All of this has helped earn a country with few natural resources other than potash a per capita GDP of $17,500 -- higher than that of several members of the European Union.

In this context it is significant that in 1998 Israel, too, revised its rather draconian encryption laws, granting regulators a great deal of flexibility to permit the export of strong encryption products -- including a "free means" category for which all license requirements are waived. These changes were prefaced by a government report that noted the futility of limiting "the use of means that can be freely obtained from many public sources," and said that the law should permit Israeli companies to develop and export "competitive products that can be marketed in most of the world's countries as off-the-shelf products." In fact, even before the 1998 liberalization, flexible enforcement had allowed Israeli companies such as Checkpoint Software to dominate the network security field.

The lesson from the Israelis is not how to control terror -- they don't seem to have better answers than anyone else -- but rather how to live with it and continue to function with as little social and economic disruption as possible. If, as President Bush tells us, we're in this war for the long haul, we simply cannot afford to sap our economic strength to prop up the fantasy that we can control the actions of terrorists by fiat. There are some battles we just shouldn't fight.

By Barak Jolish

Barak Jolish is an attorney at the Palo Alto intellectual property law firm of Fish & Neave.
