Until recently, cryptography has been of interest mainly to the intelligence-gathering community. Both the revolution in information technologies and the growth of computer networks have resulted in increasing interest in cryptography on the part of business and the public, and this increased interest has, in turn, created the need for a comprehensive study of US national cryptography policy, a subject that has generated considerable controversy in the past few years. At the request of the US Congress, the National Research Council’s Computer Science and Telecommunications Board formed the Committee to Study National Cryptography Policy.
This volume presents the Committee’s report. It can be reviewed as either a report or as a comprehensive volume on security policy issues. Due to the scope of this journal, I will focus on the book’s potential value for professionals in computing and related fields.
The book consists of a preface, the main body, appendices, and an index. The main body, approximately half of the volume, presents an executive summary and three parts. The first part, “Framing the Policy Issues,” consists of three chapters. The first identifies the need for the study (growing vulnerability in the information age); the second describes its object (identifying the roles, market, and infrastructure of cryptography); and the third explains the need for access to encrypted information. The second part, “Policy Instruments,” includes three chapters dedicated to export controls, escrowed encryption, and other dimensions of national cryptography policy. The two chapters of the final part, “Policy Options, Findings, and Recommendations,” present an analysis of policy options for the future, as well as synthesis, findings, and recommendations.
The National Academy Press and the authors have done a marvelous job of online publishing. The entire book is available at the Web site http://www2.nas.edu/cstbweb/28e2.html.
While the governmental, military, and intelligence perspectives on cryptography policy are well represented in the book, the viewpoints of the general public are given less attention. Cryptography policy may be viewed as a means by which not only to provide security, but also to promote freedom. Numerous public initiatives, such as the Internet Privacy Coalition, the Electronic Frontier Foundation, the Center for Democracy and Technology, and the Citizens Internet Empowerment Coalition, base their activities on issues such as the relationship between cryptography policy and the First Amendment. These initiatives are playing an increasing role in determining the direction of US cryptography policy, and thus deserved more attention. In the same spirit, the OECD Cryptography Policy Guidelines state that the fundamental rights of individuals to privacy, including secrecy of communications and protection of personal data, should be respected in national cryptography policies and in the implementation and use of cryptographic methods.
A potential reader should be aware of the US orientation of the book. This orientation is justified in view of the mandate of the underlying report, but the book title can be misleading. At the Ministerial Conference “Global Information Networks” in Bonn, July 6–8, 1997, all of the participants, as well as the US Secretary of Commerce, stressed the importance of globalization as an aspect of policy, making it clear that, in the global networks, no individual regulations can be efficient. Finally, from a book perspective, a full bibliography might have been useful.
The 14 appendices are a valuable source of materials for an interested reader. They include the list of contributors to the report, a glossary, a brief primer on cryptography, an overview of electronic surveillance, a brief history of cryptography policy, a brief primer on intelligence, an overview of the international scope of cryptography policy, a summary of important requirements for a public-key infrastructure, an outline of industry-specific dimensions of security, examples of risks posed by unprotected information, an overview of cryptographic applications programming interfaces, a note on looming issues such as digital cash and the protection of intellectual property, federal information processing standards, and, finally, a major appendix covering relevant laws, documents, and regulations. In nearly 200 pages, this last item collects important US statutes, executive orders, memoranda of understanding and agreement, and regulations that might otherwise be difficult to access.
This book is a valuable source of information on US cryptography policy and related legislation from the governmental, military, and intelligence points of view. It also represents many business aspects of the above issues. Therefore, it may be a good choice for professionals in computing and related application areas, especially given its reasonable price. However, it is government- and US-oriented. The important aspects of promoting privacy and globalization receive less attention, so the interested reader may wish to consult other sources.
