CMP Media: Sun Microsystems Ready to Take on Feds Over U.S. Encryption Regulations; Move Could Help Ignite Electronic Commerce Over the Internet

May 19, 1997

Sun Microsystems (NASDAQ: SUNW) is prepared to take on the federal government this week when it discloses plans to offer a product from Russia that provides 128-bit and triple DES encryption over the Internet, according to an exclusive report in CMP Media's CommunicationsWeek.

Sun's software, CommunicationsWeek's John Fontana reports, could help ignite electronic commerce over the Internet because it will enable transaction data to be encoded at security levels currently unavailable via other means. It could also lead to an all-out brawl between Sun and the Feds.

Under current regulations, it illegal for a U.S. company to export encryption software that exceeds 56-bit encoding. But it is legal to import such technology from abroad, presuming the domestic vendor had no role in its development.

"The government will try to link Sun to the development of this product and go after them, or this will open the floodgates on strong encryption," John O'Leary, the Director of Education at the Computer Security Institute in San Francisco, told the newsweekly.

"The government will find that we are in full compliance with the letter of the law," maintained Humphrey Polanen, General Manager of Sun's security and electronic-commerce group. "We took great pains to stay within the legal requirements." Polanen said a key factor was that Sun offered no technical assistance in the development of the software, although it is based on a protocol the company published publicly nearly two years ago.

The product Sun will manufacture is called Secure Virtual Private Network for Windows. Developed by Moscow-based ElvisPlus Co., the product will be sold through Sun channels under the name PC SunScreen SKIP E+. The software is based on Sun's Simple Key Management for IP (SKIP) encryption and key management technology.

SKIP, a published specification, had been submitted to the Internet Engineering Task Force for standardization, but the draft proposals have expired, a source said.

The software manages keys for exchanging encrypted data and can sit on any machine, including desktops, servers and routers. Because it operates at the network level, it can work with any IP transmission and does not require any modification to existing applications.

Sun's plan to import the Russian technology neatly sidesteps current U.S. restrictions. To export encryption software using a key code in excess of 40 bits, a U.S. business must first get government approval.

Furthermore, the would-be exporter must have a plan in place to supply a key recovery model within a two-year time frame before receiving approval. SKIP E+ does not include a model for key recovery, and Sun did not seek government approval for the product, but the computer maker expects to provide the software to the global offices of its U.S.-based customers and others through third-party distributors.

Sun's newly formed Security Group -- and before that its Internet Commerce Group -- has worked for two years with the company's legal and export- compliant government regulatory departments laying the groundwork that led to the deal, and this will be the first time a major U.S. computer company has offered U.S.-based corporations 128-bit and triple DES encryption for global use. Given President Clinton's lack of support for current efforts to lift encryption export restrictions, Sun is anticipating a major backlash from the Clinton administration. A White House spokesperson declined comment.

But a source familiar with the administration's handling of encryption policy was doubtful that the White House would wage a full-scale attack on Sun.

"What Sun had to go through to release a product like this points up the folly of the current policy," commented Rep. Bob Goodlatte (R-Va.), who authored a bill that would prohibit mandatory key recovery.

Last week, Goodlatte's bill, the Security and Freedom through Encryption (SAFE) Act, was approved by the House Judiciary Committee, marking the first time any encryption legislation had made it out of committee. It could take another eight to 12 months, however, before it moves through the full House and Senate and on to the president.

The computer industry and retail and banking groups are vehemently opposed to the export restrictions and have been trying to find ways around them.

Hewlett-Packard (NYSE: HWP), IBM (NYSE: IBM), Glenwood, MD based Trusted Information Systems (NASDAQ: TISX) and others have formed a Key Recovery Alliance as a way to work within the current law pending relaxation of the restrictions. And Redwood City, Calif. based RSA Data Security Inc. has bought a Japanese software vendor, now called Nihon-RSA.

But Sun believes it will be some time before other software companies can match its efforts.

CMP's CommunicationsWeek, the Networking Newspaper, delivers news and analysis that helps Network IT Management translate evolving advances in communications and computing technology directly into business advantage. In addition, the newspaper features Web Commerce, a biweekly section that provides in-depth features and analysis of electronic commerce products, technologies and case studies. Telepath, a monthly supplement to CommunicationsWeek, is directed to the innovators behind converging networks.

CMP Media Inc. provides publishing, marketing and information services to the broad high-technology spectrum -- the builders, sellers and users of technology -- through print and electronic media. All of CMP's publications and online products can be accessed through the company's TechWeb® site on the Web at Print titles include EE Times, Computer Reseller News, InformationWeek and WINDOWS MAGAZINE.

-0- 5/19/97

SOURCE: CMP Media Inc.

CONTACT: Steve Rubel, 516-562-7434, or, or Catherine
Jarrat Koatz, 516-562-7827, or, both of CMP Corporate