European Commission views on cryptography

Philip Greenspun's Homepage : Philip Greenspun's Homepage Discussion Forums : 6805 : One Thread
Notify me of new responses
Note the fact that the EC wants to lift domestic controls, but will
accept export restrictions if member states want to do that.

And exp[ecially note the endorsement of open source software.

= Hal

******************************


Speech by Mr Erkki LIIKANEN Member of the European Commission for
Enterprise and Information Society Trust and Security in Electronic
Communications : The European Approach Information Security Solutions
Europe (ISSE 99)Welcome Address Berlin, 4 October 1999


DN: SPEECH/99/122 Date: 1999-10-05


TXT: EN
PDF: EN
Word Processed: EN

SPEECH/99/122

Speech by Mr Erkki LIIKANEN

Member of the European Commission for Enterprise and Information
Society

Trust and Security in Electronic Communications : The European
Approach

Information Security Solutions Europe (ISSE 99) Welcome Address

Berlin, 4 October 1999

1. INTRODUCTION

Ladies and gentlemen,

To start with, I would like to congratulate The European Forum for
Electronic Business and Teletrust for organising this conference. A
comprehensive European event on security held on a yearly basis was
much needed in Europe. I therefore wish that ISSE will become a major
event in Europe when it comes to discussing information security
issues, not only amongst the converted, but also, and hopefully
increasingly, the laymen.

The very launch of this event, and the broad audience it attracted on
its first edition, already demonstrates a few things:

First, that there is a growing interest for information security
issues in Europe. This is a direct result of the rapid growth of the
Internet and electronic commerce in Europe. The latter is good news
for Europe considering the growing importance of the networked
economy in terms of growth and employment.

Second, that European Union policies have been successful. I don't
mean to take all the credit for the take-up of the Internet and
electronic commerce in Europe especially since our conviction is that
the development of the information society must, and can only be
market-led. Yet it is clear that the liberalisation of
telecommunications in the Union has created the right conditions for
the expansion of the Internet and electronic commerce.

2. WHY IS CRYPTOGRAPHY SO IMPORTANT?

Cryptographic technologies are at the heart of information security.
A few years ago, cryptography was still an arcane topic restricted to
a closed circle of people in the known. It is only recently, with the
growth of the Internet, that cryptography and on-line security has
made it to the headlines.

Why? Simply because cryptography is the preferred, if not only, means
to ensure authenticity and confidentiality in electronic
communications. Without it, there will be no safe electronic
communications.

The bottom line is: no security, no trust, no notable shift towards
commercial and financial transactions on the Internet! And all the
impressive forecasts we have seen regarding the growth of electronic
commerce will remain pie in the sky.

With close to 200 million Internet users, there is already, today, a
strong market basis for security products and services. This is
clearly indicated by the multiplication and the impressive growth
figures of cryptographic companies. For the time being, the security
market largely remains a corporate one. This is no surprise since
business-to-business activities carried out over proprietary networks
still account for over 85% of the total electronic commerce market.

But the security market will only really explode once it becomes a
mass market.

The odds are, that the Internet will be everywhere in Europe in a
matter of five years or so. We can expect half of the European
population to be hooked on the Internet by 2005. Not only that there
will be a computer connected to the Internet in half of Europe's
homes. But access terminals become increasingly diversified and
include, not only the computer, but increasingly the digital TV set-
top box, the personal assistant or the mobile phone, and very soon
cars and even home appliances.

But then again, who will routinely shop on-line if the credit card
number cannot be transmitted safely? If there is no guarantee that
the orders placed will be not fed into a marketing database to create
a highly detailed buyer's profile?

The same applies to simply surfing the Net. For how much longer will
Internauts accept to leave footprints on every Web site they visit,
allowing outsiders to track down their every move and interest? How
many people will be discouraged from getting on-line by the fear of
loosing their privacy?

This means that all along the chain of Internet services, there is an
essential need for security features.

Since the technology is there, this doesn't seem to be a problem,
only a breath-taking business opportunity for the cryptographic
industry. But actually no! The situation can be compared to
telecommunications services in Europe: Their growth is directly
linked to the creation of a fully liberalised and coherent EU-wide
market. Take mobile phones for example: The GSM technology may be
great, but there wouldn't be 100 million GSM users in Europe today if
it hadn't been for a comprehensive EU policy.

In the same spirit, we are now working towards an Internal Market for
cryptography.

3. WHAT DOES THE COMMISSION DO ABOUT IT?

More and more EU-based companies, including a growing number of SMEs,
now think in terms of a Europe-wide market. This means that, at a
time when companies increasingly rely on electronic communications to
carry out their day-to-day business, incompatible national solutions
in the field of cryptography create impediments that lessen the
benefits of the Internal Market. Not to mention the problems creates
for the cryptographic industry itself, whether it concerns, for
instance:

suppliers of encryption products engaged in intra-Community trade;

or service providers that have to provide their clients with
certificates that are legally valid throughout the Union.

The Commission has addressed these issues in a pragmatic way,
establishing a distinction between authentication and
confidentiality, even though they both rely on the same cryptographic
technologies.

For authentication, we have tabled a draft Directive on electronic
signatures which will secure the Internal Market for certificates and
certification services. The aim is to have the European rules
transposed into the national legislation of the 15 EU Member States
by the end of the year 2000

Things get more sensitive when it comes to confidentiality. The
scrambling of electronic communications has raised some
legitimate public security concerns. Hence some reflections on how to
ensure lawful access to encrypted data.

Most of the proposed schemes have proved impracticable, a view the
Commission has expressed in a policy paper in October 1997. This has
been confirmed by the findings of EU-funded research projects in the
field of cryptography.

Member States are now increasingly sharing this view. The French
government in particular has pledged to lift all restrictions to the
use and supply of encryption products.

Notwithstanding these developments, the Commission, under the
Amsterdam Treaty, will work with Member States to ensure that, in a
liberalised domestic environment, public safety will be fully
guaranteed.

What would then remain are export controls:

For external trade, encryption products are controlled in accordance
with the Wassenaar Arrangement.

But there are also controls on shipments of encryption products
within the Internal Market. We would like these intra-Community
controls to be strictly limited. Indeed, create to burdens for
European companies industry red tape, delays, uncertainty, etc. which
put them at a competitive disadvantage.

We hope Member States will soon come to an agreement on the new Dual
Use Regulation, which aims to lift almost all controls on intra-
Community shipments of encryption products.

4. WHAT ELSE CAN WE DO?

Finally, I would like to focus on two other crucial issues. The first
issue concerns the European cryptographic industry. It is a strong
industry, it has state-of-the-art technology, and it has therefore
the potential to impose itself on world markets. It would certainly
highly benefit from improved regulatory conditions, but there is
another major obstacle to its expansion.

Currently, the desktop computing market is dominated by a few
systems. This wouldn't be a problem in itself if those weren't
proprietary systems. Building security solutions for systems when one
has no access to the source code is certainly a major challenge. In
fact, it means that there is a whole range of security products which
European industry cannot supply.

The solution to this problem certainly lies in non-proprietary and
open source systems. This is the key to unlocking the potential of
the desktop computing security market. This would also clearly be in
the end users' interest. Not only would users enjoy a wider choice of
security solutions, but they would also have a greater safety
guarantee.

How can governments, and in particular the Commission, contribute to
promoting non-proprietary systems?

One way is to raise awareness about them and their benefits

Another could be to ensure that public tenders for computer equipment
no longer specify particular systems.

This issue is also closely linked to technology developments.
Ultimately, the market will chose the more appropriate technological
solutions. That is another area were we can help, notably under the
Fifth Framework Programme, through our Information Society Technology
Programme.

Let me share with you my views on a second issue. I said earlier that
the explosion of the cryptography market is pending a widespread take-
up of the Internet by the wider public and SMEs. Awareness is one
requirement, to which I hope ISSE will contribute. The other is
trust!

In many other sectors of the economy, consumer trust is achieved
through quality labels, for instance for foodstuff, toys or electric
appliances. These can be industry-led or based on government rules;
they can be attributed nationally or at European level.

If security devices are to enter every home, they would certainly
benefit from labels demonstrating that they are in conformity with
quality requirements. This would greatly enhance consumer trust and
confidence by allowing consumers to immediately identify safe
information security products and services.

5. CONCLUSION

Ladies and gentlemen,

What I wanted to do today is to demonstrate that the Commission is
fully committed to the development of Internet security. I also
wanted to show that, whether you are suppliers or users, we are
trying hard to understand your needs. Finally, I wanted to get a few
messages across and point at a few directions which we must further
investigate. Let me wrap them up in a few words:

1. Security is the key to securing users trust and confidence, and
thus to ensuring the further take-up of the Internet. This can only
be achieved if security features are incorporated in Internet
services and if users have sufficient safety guarantees.

2. Securing the Internal Market is crucial to the further development
of the European security market, and thus of the European
cryptographic industry. This requires an evolution of mentalities:
Regulation in this field transcends national borders. Let's "think
European".

3. European governments and the Commission now have a converging view
on confidentiality. We see this in Council, in Member State policies
and in the constructive discussions we have. We must take this debate
further and focus of the potential of encryption to protect public
security rather than mainly seeing it as a threat to public order.

4. Finally, the promotion of open source systems in conjunction with
technology development is certainly one important step towards
unlocking the potential of the desktop security market for the
European cryptographic industry.

I wish you all a great conference.


-- Hal Abelson, October 6, 1999