If It Has to Do With Data Security, Chances Are This 'Little' Company

Most ordinary mortals wouldn't want to tangle with the National Security Agency. Jim Bidzos did, and in a way he may already have won the day.

Mr. Bidzos has been a thorn in the side of that secretive agency, but not in the sense of being subversive or unpatriotic. In criticizing the U.S. government's NSA-influenced policies on information security, Mr. Bidzos has only been sounding the American bedrock themes of free speech, personal privacy, and commercial opportunity for his company, RSA Data Security Inc. of Redwood City, Calif.

Though he may not have completely humbled the forces responsible for "sigint" (that's spyspeak for signals intelligence), Mr. Bidzos has at least forced them into a dialogue about those principles - one indication of how he has come to wield an influence in the datacom world that is far out of proportion to RSA's 40 employees and 1995 revenue of less than $20 million.

This privately held company has essentially set the standard for public key cryptography, the mathematical technique of using complex algorithms to shield electronic messages from prying eyes.

Bankers routinely use data encryption - and systems that invariably have RSA technology at their heart - to secure funds transfers. Bankers and others view encryption as a key element of electronic commerce, as a way of smoothing their path onto the information highway.

But many encryption systems on the market are not as strong as they can be. That knowledge, compounded by publicity about some hackers' success at cracking encryption codes, makes many consumers and business people reluctant to fully embrace the on-line possibilities.

The blame isn't with the technology, say Mr. Bidzos and his many allies. They lash out at limitations that stem from government fiat or meddling.

Export controls, holdovers from the Cold War, limit the key length - the stream of computer digits that determines how easy it is to break a code - in encryption systems that can be sold to other countries. Meanwhile, the National Security Agency and some domestic counterparts apparently would prefer that a U.S. military or law-enforcement agency be able to read any message in a crisis.

"The government doesn't want this stuff used," Mr. Bidzos said in a recent interview.

But even the National Security Agency, the world's biggest employer of mathematicians, the "puzzle palace" as it was described in a book by that name, may be powerless against the march of technology.

"I used to be worried about how they might slow it down," Mr. Bidzos said. "Now it's out of control" because of the advances in, and proliferation of, powerful computers and high-capacity data networks.

"You might say the Internet is the best thing that ever happened to RSA, and the worst thing that ever happened to NSA."

He said the "trap door" approach - the way NSA could get access to encrypted messages - "just won't work on the Internet."

Mr. Bidzos reduces his indignation to a practical question: "Would you give the government a key to the file cabinets in your office?"

Even as Mr. Bidzos makes the noises of a pit bull, there is a twinkle in his eye and a genuine respect for his adversaries in the encryption debate.

He acts as if notoriety has been serendipitously thrust upon him by headline-making controversies like Internet security breaches and the government's Clipper chip proposal, and by the products of popular culture like "Sneakers" and "The Net" whose plots revolve around data security.

RSA applications are everywhere, though not often obvious to the naked eye - in Lotus Notes and Netscape Navigators, in Digicash's Ecash and Cybercash's electronic wallet, in the connections between home banking providers and Quicken software users, in the credit card associations' Secure Electronic Transactions protocol.

"MasterCard and Visa are betting the ranch on RSA to protect their brands in cyberspace," Mr. Bidzos said.

Licensing activity has gone through the roof, with well over 200 companies - ranging from giants like IBM and Microsoft to specialized electronic commerce vendors like Premenos and V-One - embedding RSA systems in theirs.

"We're surprised by everything that's happening," the chief executive said, not least by the fact that 1,200 people turned out for RSA's annual conference in San Francisco in January, more than double the previous year.

"Our little company was described in the past as something of a cult," he said. "The technology is turning out to be more important than anyone would have thought."

At age 41, though relatively young for a corporate president, Mr. Bidzos has been in the job 10 years. He can draw on his long memory to strike a statesmanlike, even diplomatic pose.

"We have the technology to adopt any policy there needs to be with respect to encryption," he said in his opening remarks to that January conference in what might be the closest thing to an annual "state of commercial cryptology" address.

"There won't be simple solutions," he said. "They will be developed over a period of years. And there will be a lot of compromises along the way."

Mr. Bidzos indicated his openness to discussion by asking Edward A. Hart, who had just retired as deputy director of the National Security Agency, to follow him on the podium.

Mr. Bidzos said he had personally benefited from a visit to hostile territory - a speaking invitation he got to a National Institute of Standards and Technology conference in late 1995 - and decided to return the favor.

Having crossed over to the private sector, Mr. Hart sounded anything but unreasonable. Now heading Science Applications International Corp.'s center for corporate information protection in McLean, Va., the 33-year NSA veteran argued that the government has national security concerns that remain paramount. In that regard, the concept of key escrow - which would let government agencies unlock secure data, presumably only in extenuating circumstances - remains very much alive, to the chagrin of civil libertarians and privacy advocates.

But Mr. Hart allowed that government could implement key escrow for its own purposes, while the commercial sector is free to come up with a different or modified approach.

"The NSA understood this from Day One," Mr. Hart said.

"Even if the government has the will and ability to lead the continuing development of information protection systems, it has to develop the capacity to do so in a timely manner and in communication with all parties."

Mr. Bidzos recalled that on a visit to Mr. Hart's office he saw a "Sink Clipper" poster, a snide reference to the controversial chip that could provide the "trap door" to encrypted messages.

"I said, 'I never expected to see that here,'" Mr. Bidzos said. Mr. Hart replied, "I never expected to see you here."

The RSA president clearly relishes the spotlight and the opportunity to spar with people in high places. He has gotten so bold as to engage in some tongue-in-cheek information warfare of his own - a series of cartoons ridiculing the National Security Agency's supposed compulsion to eavesdrop.

One would never have anticipated what rarefied adventures lay ahead when Mr. Bidzos joined RSA in February 1986.

The company was then four years old. It took its initials from the founding scientists, cryptology pioneers Ronald Rivest, Adi Shamir, and Leonard Adleman.

Mr. Rivest, a professor of computer science at the Massachusetts Institute of Technology, continues to be quite active in RSA affairs. Mr. Shamir has been less involved because his current academic posting is in Israel. Mr. Adleman has been blazing an entirely new trail - DNA computing - though he resurfaced for a rare appearance at the RSA conference in January (and a reunion with professors R and S that had admirers buzzing as if the Beatles had returned).

R, S, and A tried valiantly to make their business go but succeeded mainly at piling up debt. A mutual friend asked Mr. Bidzos, an international marketing consultant who worked previously for IBM and Paradyne Corp., to examine their business plans and help with money-raising.

The company went through typical start-up pains, delaying bill payments and keeping creditors at bay. For a time in 1986, Mr. Bidzos was the only employee. If not for $250,000 in prepaid royalties from Lotus Development Corp. in July, he said, RSA would have gone under.

"In 1987, 1988, and 1989, there were some licensing deals, but not a lot happened until the 1990s," Mr. Bidzos said. "We licensed to Microsoft, Sun Microsystems, and Apple, Lotus Notes started shipping, and then the Internet came into play."

When Netscape Communications Corp. and Cybercash Inc. were in their bootstrap modes, RSA took stock in lieu of payment for its encryption engines. Those companies went public and RSA got rich.

"The Internet really is the driver," Mr. Bidzos said. "Security becomes a bigger and bigger issue, cryptography is central to global issues that affect everybody, and to personal privacy issues. That's why so many people came to our conference."

With so many licensees, with 25 million or more copies of RSA software in distribution, with the company widening its influence through joint venture Terisa Systems and spinoff Verisign (see page 7A), and with RSA creating a logo that could become the "Intel Inside" of encryption, might this fortress be unassailable?

Not quite.

Aside from dodging the obstacles of the intelligence establishment, Mr. Bidzos has had to deflect criticisms ranging from the esoteric to the kooky.

In the courts, RSA has continually fought patent battles. In March it declared victory on a key motion against Cylink Corp., which was seeking license fees on early encryption formulas.

First Virtual Holdings, which took a non-Internet route to electronic-payment security because it didn't trust data encryption, makes vulnerability claims that Mr. Bidzos calls "overblown."

Meanwhile, conspiracy mongers spread stories that RSA was formed by the National Security Agency, supposedly Mr. Bidzos' former employer.

"Anybody who accuses us of NSA-like behavior just doesn't understand our business," he said.

"We are available to anyone who wants us. Microsoft and IBM, Netscape and Open Market, Cybercash and Digicash - people who otherwise hate each other - come together with RSA. Our responsibility is to keep a level playing field."

That makes RSA "almost an institution," he said, its imprimatur something close to what the "Dolby" standard means on sound systems.

As RSA's fame spreads, so might it become a bigger target for the snipers. Mr. Bidzos isn't worried, saying the mission isn't changing and will be vindicated by deeds.

"We'd been working with Visa and MasterCard a long time on encryption matters," he said, culminating in a central role for RSA, Terisa, and Verisign in the recently released secure payment protocol. "Now we're looking at hundreds of millions of credit card transactions - a lot to protect." With the card industry putting its reputation on the line, "we'll find out how good these systems are."

"No software is bug-free, but Visa and MasterCard will be extremely careful," Mr. Bidzos said. "They don't want their problems to be on page 1 of The New York Times.

"There may be a few glitches, but they'll get fixed."

RSA has the power to do more. Mr. Rivest, for example, has come up with a design for micropayments that could add some interesting wrinkles to digital cash proposals like Ecash, MilliCent, and NetBill. But the company's business remains to "add crypto-value."

"Our objective is not growth at any cost," Mr. Bidzos said.

"We don't have venture investors. We won't become a vendor. We won't become a bank. It has been suggested that we have the trust, and we'll make sure we keep it."
