by Forest Linton

After a late start in embracing the PC, it seemed that Japan might continue to lag its usual 3 to 5 years behind the US in Internet development. To the surprise of many, however, Japan has quickly become one of the world's biggest Internet markets, and is in the forefront of electronic commerce R&D.

Japan is showing signs of becoming a leading player in the global Internet market. (In some respects, Japan is already ahead of Europe.) Although many mass-media journalists have written off Japan's recent Internet boom as just a passing fad, the evidence points to the contrary. With strong government support (the Ministry of International Trade and Industry has a JPY30 billion-plus budget for pilot projects over the next three years) and the synergy of American and Japanese technology, Japan's Internet stands poised for record growth. The infrastructure for conducting electronic transactions is nearly in place, and more and more users are flocking online.

RSA Data Security Inc., a key player in Internet circles (and especially electronic commerce) is just one in a flood of companies to have recognized Japan's fast-paced growth and moved to establish a Japanese presence. The launch of Nihon-RSA is not only great news for Japanese market, and an important sign that Japan's Internet industry is maturing, but also confirmation that electronic payment and Internet commerce are expanding into the global arena.

A world cryptography leader

Founded in 1982 by three former MIT professors who (in 1977) invented the RSA Public Key Cryptosystem -- Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman -- RSA Data Security Inc. is arguably the most important company in the cryptography industry, with more than 75 million copies of RSA encryption installed and in use worldwide. RSA's encryption technology is licensed to hundreds of companies, including Apple, Microsoft, Netscape, Oracle, Intuit, Lotus, NTT, Mitsubishi, BUG, and the US government.

The company's primary products, which form the building blocks of cryptographic applications, are available in a variety of configurations on all major platforms. Its programming toolkits include BSAFE, TIPEM and RSA Secure, while the newly released SET and S/MIME technologies enable electronic payment and secure e-mail, respectively.

In April 1996, in a stock swap worth $200 million, RSA was purchased by Security Dynamics Technologies Inc., a market leader in smart cards and token-based network verification schemes. Wall Street reacted favorably to the news, and Security Dynamics' stock nearly doubled in the following weeks. This strategic merger has made Security Dynamics one of the most important companies in electronic commerce, able to leverage its technologies from the basic algorithm all the way to hardware solutions like smart cards and network protection devices.

RSA is quick to snap up emerging talent and technologies, preferring to embrace them under its own umbrella rather than competing against them. And with Security Dynamics as a parent company, RSA should have a fat war chest for acquisitions.

Key tactics in RSA's drive to be the de-facto standard for cryptography technology include remaining a neutral player in the security industry and not stepping on the toes of its licensees. When applications created internally show signs of becoming revenue streams, they are usually spun off into separate ventures, such as the 1995 formation of VeriSign for marketing digital certificates and offering authentication services founded on RSA technology. This business strategy allows RSA to focus on its core strength: encryption.

An eye on Japan

It quickly became clear to RSA that there was considerable interest in its products coming from Japan. Among its early licensees were some of Japan's largest companies, such as NTT, NEC, and Mitsubishi. Further, Japanese investors had twice shown their commitment with equity investments in both RSA Data Security and VeriSign. In order to properly service these customers, and to be positioned to take advantage of the new technologies being created in Japan, RSA felt that it needed a Tokyo office.

Further, there was the chance that electronic commerce revenues in Japan would speed ahead of those in the US. Japan seems to have a coherent government-led effort to stimulate electronic commerce with generous grants and interest free loans.

Thus it was that in April 1996, RSA established Nihon-RSA, a wholly-owned subsidiary, in Tokyo's Aoyama area. Nihon-RSA currently has just two full-time employees: Yu Makiuchi, director and chief financial officer, and Bharath Ram, chief licensing officer. James Bizdos, RSA Data Security's president and CEO, serves as chairman of Nihon-RSA.

Currently, Nihon-RSA is working full-time to take over existing Japanese accounts signed previously with RSA in the States. Once that is done, the staff will start shopping for new business. ( Since they set up their Aoyama office, however, the phone has been ringing off the hook, so they probably won't have to do much cold-calling of customers.)

Although there is a lot of hype coming out of the US now, a lot of it is vaporware (idle talk about potential systems that may never be realized). In Japan, however, actual tests and pilots are underway. Japan, as usual, has had the advantage of watching what does and doesn't work abroad, and cherry picking the best ideas. This gives Japan a lead over other countries in developing working systems and infrastructure and, as soon as Japan's service providers get over their phobia about Internet security, there will be no stopping the growth.

Nihon-RSA, for its part, is positioned to contribute to, and be a part of, this growth. The company is reportedly about ready to announce several big deals. Be sure not to blink, or you'll miss a chapter in one of the most exciting stories of the Japanese Internet saga.

In late August, Computing Japan spoke with James Bizdos, RSA Data Security president/CEO and Nihon-RSA chairman, and Yu Makiuchi and Bharath Ram of Nihon RSA, about the company's operations in Japan.

Why did you choose Japan as the first country in which to open a subsidiary?

Jim Bizdos: Japan was first due to the tremendous demand for cryptography, driven by electronic commerce, which was fueled by MITI. Also, many Japanese companies wanted to do business with RSA, so it was easier -- and there was enough interest -- to set up a subsidiary in Japan. Our goals are to license our technology, develop localized products, and offer standards support.

Which of the electronic commerce projects and pilots in Japan most interest you?

Bizdos: All the e-commerce projects interest me, primarily because they are motivating Japanese companies to adopt strong security. The reason, I believe, that Japan is developing so quickly is that there are no politics as there are in the US. The Japanese government plays a supportive role -- not a "spoiler" role, as does the US government.

What are your plans for growth in the next year, and what are your goals?

Yu Makiuchi: We hope to have 10 big companies as minority investors, and six to eight additional staff by the end of the year.

Bharath Ram: Our goals for the Japanese market are the same as in America and other countries: to establish RSA as the world's de-facto encryption standard. We will do this by remaining neutral and supplying technology to any and all companies.

Take the stereo industry, for example. "Dolby encoding" can be found in practically any stereo system. Components are manufactured by a number of different companies, like Sony, Matsushita, Toshiba, or Victor. They all license their noise reduction system from Dolby, which has established itself as the leader in quality and image.

We want to be the Dolby of the security industry -- the de-facto standard.

Will Nihon RSA do any product development of its own, or will it be primarily a marketing and sales organization?

Bizdos: Nihon-RSA will develop localized versions of our crypto toolkits as well as other vertical crypto products, like SET and S/MIME.

In summer, there was some excitement in the press regarding a chipset that was created in Japan by a group including NTT companies, and possibly RSA. For the record, who created the chipset, who is selling it?

Bizdos: NEL (a subsidiary of NTT) built its own RSA chips. We licensed them, and will likely be the exclusive source for those chips in the US, but we did not help in the development.

What are the ramifications, if any, regarding the US export limitations?

Bizdos: It seems to show that it is time for the US to relax export controls [though] it is too early to tell what impact the chips themselves will have on US policy. Export issues are complex, and difficult to fully understand. While e-commerce and financial applications are fairly easy to export, there are still serious problems for US industry.

Ram: Export limitations depend on the application in question. For example, encrypting an e-mail for privacy (so that it can't be read by others) is the most regulated form of encryption, currently limited to a 40-bit key length. However, encryption used for authentication (to verify a party's identity) can be exported in as high as 1,024-bit key lengths.

Makiuchi: For example, in the case of SET (primarily an authentication protocol), there is, for all intents and purposes, no real key restriction. People overestimate the threat of export controls; in reality, only about 1% of all software is affected.

A security system is only as strong as its weakest point. And in most environments, even a 40-bit key length is the strongest point. Data can be compromised at many places, like sniffing the wires of the network, gaining access to a terminal, or getting in a backdoor of a server. In most situations, encrypted transmissions are not even an issue, since other areas are so exposed.

Ram: Everyone is running around trying to lock the windows of their house, but they are leaving the front door wide open. There is no use putting a bigger lock on the window until you get the door closed. People's time would be better spent securing their various systems before they worry about stronger encryption algorithms.

Will Nihon RSA work with RSA America's partners who are also here in Japan, like VeriSign?

Makiuchi: Yes, we are cooperating with VeriSign KK on a regular basis. Their offices are in the same building, just a few doors down from ours.

From a sales and marketing point of view, what are some of the problems unique to Japan?

Ram: Japan is a place with a lot of trust, high security, low crime rates, etc. In that respect, it is hard to convince the layman why he should pay money for something that he takes for granted. [Japanese people] believe that security should be free.

We have to teach them that there is this big, bad world called the Internet that they will want to connect to, and at some point in time they will need to protect their information -- their assets. We have to convince them that data security is something worth paying for.

Introducing VeriSign Japan

In May 1995, RSA's authentication and Digital ID technologies were spun off into an independent company, VeriSign Inc. The range of investors included Ameritech, Mitsubishi, Security Dynamics, and VISA International. VeriSign quickly became a key industry player by establishing digital certificates as a viable form of authentication, and selling licenses to Microsoft and Netscape for incorporation of certificates into their web browser software.

Less than a year later, in February 1996, due to market demand, VeriSign Japan was formed as a subsidiary of VeriSign, Inc. Its financial partners in Japan include NEC, Mitsubishi, NTT, Nissho Iwai, Softbank, Nippon Steel, and Sumitomo Credit. As of October, VeriSign Japan had about 10 full-time employees

VeriSign Japan will localize VeriSign Inc.'s services for the Japanese market, and essentially mirrors the operations in the States by offering public Digital IDs and private label certificates (which can be customized for applications such as electronic credit payments or home banking). To this end, VeriSign Japan will act as a local certificate Authority (CA) for the Japanese market. In addition to individual authentication services, VeriSign Japan provides products and services for corporations deploying secure intranet applications.