Site Presented By
Tuesday, Oct 7, 2008
We can't stop terrorists from using uncrackable codes. So we shouldn't even try.
Feb 4, 2002 | Here's a tip for Treasury Department agents tracking al-Qaida's finances: You might want to pay a visit to the volume discount department at Dell Computer. Al-Qaida, it seems, has been an avid consumer of computers over the last several years, and is especially fond of laptops. It isn't hard to understand why. With his hectic, on-the-go lifestyle, no self-respecting terrorist can function without a computer that fits comfortably on an airplane tray table. Alleged "20th hijacker" Zacarias Moussaoui, for instance, used his to research crop dusters, quite possibly in preparation for a biological attack on a densely populated American city. Ramsi Yousef used a laptop he accidentally left in a Manila apartment to plan his extensive itinerary, which included assassinating the pope in the Philippines, attacking an Israeli Embassy in Thailand, and bombing the World Trade Center in 1993.
It's not surprising, then, that the seizure of computers has become a primary goal for U.S. soldiers scouring Afghan caves and ambushing Taliban and al-Qaida operatives. Ironically, though, winning possession of this equipment on the battlefield may be the easy part; terrorists today have the capacity to protect data with encryption schemes that not even America's high-tech big guns can crack. The number of possible keys in the new 256-bit Advanced Encryption Standard (AES), for example, is 1 followed by 77 zeros -- a figure comparable to the total number of atoms in the universe.
Luckily, not all encryption is hopelessly secure. Ramsi Yousef was careless in protecting the password to his encrypted files, giving the FBI relatively easy access to their contents. It took the Wall Street Journal only days to decrypt files on two Al-Qaida computers that used a weak version of the Windows 2000 AES cipher in Afghanistan. The U.S. cannot, however, count on such carelessness indefinitely.
But recent changes in U.S. policy have actually reduced restrictions on the spread of sophisticated encryption. In January 2000, for instance, the Clinton administration ruled that "retail products" that undergo a one-time, 30-day government review can be exported to nearly all countries (with the exception of Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria) without any government licensing requirement. Revisions published later that year relaxed even these limitations for products exported to the 15 nations of the European Union and several of their major trading partners. The practical effect of these reforms has been that the industrial-strength Windows 2000 128-bit High Encryption Pack is now freely available over the Internet to anyone, including Hamburg residents such as presumed Sept. 11 ringleader Mohammed Atta.
Since Sept. 11, some commentators and lawmakers have suggested that the U.S. reverse itself once again, and redouble efforts to control encryption. On the surface, this sentiment is understandable -- it is difficult to argue against any moves that may prevent future terrorist attacks on the scale of the WTC disaster. This position is, however, dead wrong.
Quite simply, the U.S. regime of strict encryption controls didn't make sense before Sept. 11, and it doesn't make sense now. The starkest illustration of this reasoning is the case study of Israel, which is simultaneously a leader in encryption product exports and a major focus of terrorist attacks.
Get Salon in your mailbox!