Banking on the 'Net: Banks Caught In Crossfire of Debate on Encryption

Cryptography, though among the most arcane of information-technology disciplines, has become a political football. And as it gets tossed back and forth between Washington and Silicon Valley, the banking industry appears to be somewhere in Virtual Nebraska.

The market for software and hardware that protects information and communications from prying eyes has grown dramatically in recent years as businesses and individuals seek the kinds of safeguards historically available mainly to the military and the financial industry.

The federal Data Encryption Standard, dating from the 1970s, has been the banking industry's data-security mainstay. However, newer, more powerful cryptography engines are reaching the commercial market just as technologists claim that networks of ever-more-powerful computers can be used to crack messages based on the federal standard.

The merchandising of encryption technology has created friction between free-marketeers and the government. The Clinton administration has followed the lead of its predecessors in wanting to limit the availability of stronger forms of encryption so that they can't get into the hands of criminals, terrorists, and enemy nations.

The debate puts bankers in an awkward position. As regulated financial institutions, they are required by the Right to Financial Privacy Act of 1978 to cooperate with law-enforcement officials seeking financial records in criminal investigations.

While cooperating in that regard, the industry has not been limited to 40-bit encryption keys, the maximum length of the message locking and unlocking codes that the government has authorized for export. Banks have been allowed to use 56-bit keys, which are much harder to break, for international financial transactions.

With the rise of the Internet has come global demand for stronger encryption, and technology companies like Netscape, Sun Microsystems, and RSA Data Security have vocally opposed even the Clinton administration's recent loosening of the old 40-bit rule.

The Commerce Department will now permit export of 56-bit encryption systems and, eventually, 128-bit technology, but on one condition: Law enforcement agencies with court orders have to be able to get access to decryption keys.

International Business Machines Corp. organized a consortium, the Key Recovery Alliance, to help the industry meet that condition and thereby accelerate exports of longer, more secure keys.

Still, strong-encryption advocates derisively call the key recovery system a "broken protocol," seeing it as no different than the custodial approach, "key escrow," that became the subject of ridicule when the Clinton administration tried to institute it.

Financial institutions obviously prefer maximum encryption to pursue their electronic commerce strategies. But at the same time, they don't want to bite the hands that regulate them.

"Silicon Valley has left (the banking industry) twisting in the wind on this issue," said a money-center banker who asked not to be identified. "Financial firms have historically been the biggest buyers of encryption systems, and while we normally applaud efforts to reduce government regulation, it appears the 'cryptos' are fighting a battle they can't win."

And there may be a new source of tension between bankers and the bureaucrats.

Kawika Daguio, federal representative at the American Bankers Association, said the encryption directive issued by Vice President Al Gore last fall contained a sentence assuring bankers they would be able to export the most powerful encryption systems available to them, even before a key recovery system is in place.

But export regulations recently put out for comment by the Commerce Department don't specifically make that assurance, Mr. Daguio said. He said the ABA is sending the agency a critical letter.

Commerce Department officials are believed to be sensitive to the U.S. financial industry's data security needs, but in light of the heated debate on the issue they don't want to appear to be giving banks favorable treatment, Washington insiders say.

"We're responding to the proposal that's out there, even though we know there's more there than meets the eye," Mr. Daguio said.

Until Washington and the computer industry can make peace on the encryption issue, banks will be stuck in digital no-man's-land.

This article previously appeared in American Banker's Web edition.
