Govt. makes it a bit easier to export encryption for some companies

By Ellen Messmer
Network World Fusion, 10/21/98

The Department of Commerce this week eased its export restrictions on cryptography a bit.

The department said it will allow a dozen vendors, including Cisco Systems, to export firewalls and gateway products for IP encryption to customers in 40 friendly nations a little more easily.

Under new rules expected to be finalized by year-end, U.S. corporate customers buying virtual private network and firewall gear won't have to apply on a case-by-case basis anymore for approval to ship certain 128-bit encryption products to friendly nations. Moreover, foreign commercial firms are expected to easily buy equipment this way, too for use overseas.

However, the case-by-case approval is still required for sales to foreign governments, telecommunications companies or Internet service providers.

Cisco and its allies -- including Ascend, 3Com and Intel -- called the Commerce Department decision a 'good first step' that should boost U.S. exports abroad. The vendors calls themselves the "Alliance for Network Security" and they began lobbying in July for an easing of the restrictions.

Cisco, which led the charge in putting forward the industry's arguments for export liberalization, said it will now be able to more easily sell its encryption-capable IOS routers abroad.

According to Daniel Scheinman, Cisco's vice president of government relations, the U.S. government expects to simply be able to present a network manager or administrator with a legal warrant to turn off the encryption feature in the routers if suspicion merits it.

"The organization would be served, and the network manager could decide to comply or not," Scheinman said. The network manager "would just have to press the 'clearzone' feature on the router" and the encryption would be turned off.

Scheinman pointed out that the export deal with the Commerce Department centers on products that encrypt data in transmit, not ones that encrypt on the desktop. "If a person encrypts at the desktop, and there happens to be a duplicate encryption process that takes place in the network, the only data that would be decrypted is the data in transit," he said.

Scheinman noted that Cisco did not have to make any changes to its products to win a deal with the Commerce Department on encryption export.

Dan Burton, vice president of government relations for Novell, noted that network managers at foreign companies aren't compelled to respond to a U.S. law enforcement warrant, but the U.S. government is confident that through relationships with foreign nations' law agencies it will be able to obtain reciprocal agreements for international purposes.

Burton noted that the new more liberal arrangement doesn't cover products that encrypt at the desktop level.

RedCreek Communications, Inc., which also expects to benefit from export advantages under the deal worked out with the government, got its RedCreek Ravlin VPN line approved for more general export under the same decision.

But the Commerce Department's decision doesn't mean everything will become absolutely simple.

"There is still a tremendous bureaucracy associated with this because we will have to keep track of where the products go, and how they're resold," said Agnes Imregh, vice president of marketing at RedCreek. She said that vendors have to report the users buying their products to the Commerce Department. "And we can't send out demo or evaluation copies. But we can sell to more people," she said.

Imregh thinks the Commerce Department's insistence on shutting foreign ISPs and telcos out of the new deal on encryption may be related to the fact that overseas many service providers are owned and regulated by governments.