Under current regulations, a vendor seeking to export a product using
cryptography first submits a request to the State Department's Defense
Trade Control office. Export jurisdiction may then be passed to the
Department of Commerce, whose export procedures are generally simple and
efficient. If jurisdiction remains with the State Department, further
review, perhaps lengthy, is required before export is either approved or
denied; the National Security Agency (NSA, see Question 3.7.3) may
become directly involved at this point. The details of the export approval
process change frequently.

The NSA has de facto control over export of cryptographic products. The
State Department will not grant a license without NSA approval and
routinely grants licenses whenever NSA does approve. Therefore, the
policy decisions over exporting cryptography ultimately rest with the
NSA.

It is the stated policy of the NSA not to restrict export of
cryptography for authentication; it is only concerned with the use of
cryptography for privacy. A vendor seeking to export a product for
authentication only will be granted an export license as long as it can
demonstrate that the product cannot be easily modified for encryption;
this is true even for very strong systems, such as RSA with large key
sizes. Furthermore, the bureaucratic procedures are simpler for
authentication products than for privacy products. An authentication
product needs NSA and State Dept. approval only once, whereas an
encryption product may need approval for every sale or every product
revision.

Export policy is currently a matter of great controversy, as many software
and hardware vendors consider current export regulations overly restrictive
and burdensome. The Software Publishers Association (SPA), a software
industry group, has recently been negotiating with the government in order
to get export license restrictions eased; one agreement was reached that
allows simplified procedures for export of two bulk encryption ciphers, RC2
and RC4 (see Question 3.8.6), when the key size is limited. Also,
export policy is less restrictive for foreign subsidiaries and overseas
offices of U.S. companies.

In March 1992, the Computer Security and Privacy Advisory Board voted unanimously to recommend a national review of cryptography policy, including export policy. The Board is an official advisory board to NIST (see Question 3.7.1) whose members are drawn from both the government and the private sector. The Board stated that a public debate is the only way to reach a consensus policy to best satisfy competing interests: national security and law enforcement agencies like restrictions on cryptography, especially for export, whereas other government agencies and private industry want greater freedom for using and exporting cryptography. Export policy has traditionally been decided solely by agencies concerned with national security, without much input from those who wish to encourage commerce in cryptography. U.S. export policy may undergo significant change in the next few years.