Computer Security: Deciphering the FUD Factor[continued]Encrypting Japan To that list we can add a number of Japan's leading IT (information technology) vendors. In 1996, RSA entered the Japanese market by teaming up with 11 local companies (including NEC, Sony, Sharp, Tokyo Mitsubishi Bank, and Matsushita Electric), who jointly hold a one-third stake in the RSA Japan subsidiary. As a result, says Bharath Ram, director of business development for RSA Japan, these companies and others are now embedding RSA encryption technology into products they market. One major end user of RSA encryption is Amway Japan, a subsidiary of Michigan-based Amway Corp., a $5.8 billion direct sales company. Amway Japan has over one million "distributors" throughout Japan, with 300,000 of them actively selling household and personal care products. In order to prepare this sales army for the 21st century, Akira Kinoshita, head of Amway Japan's technical infrastructure department, has begun outfitting them (13,000 so far) with pen-based, Internet-ready Amity VP notebook computers from Mitsubishi Electric. [See "Mobile Computing and the Internet" in our October 1997 issue, page 31, for more on this.- Ed.] "Amity met the short-term needs of enhancing our order processing, and it meets our long-term vision of being leaders in the 21st century," says Kinoshita. He adds that hooking up to the Internet also helped reduce the company's investment costs. But while the Internet provided a ready-made network for the sales force to hit the ground running, "It created a new challenge - security," cautions Kinoshita. After investigating possible solutions, including Mitsubishi Electric's MISTY encryption software, Kinoshita chose RSA "because it's a kind of de facto standard." So far, so good. But then, the US government steps into the picture. In order to use RSA encryption outside the United States, prior approval is required from the US Department of Commerce, Department of State, and various administrative committees in charge of export license approval. The US government is nervous about advanced encryption technology falling into the hands of international crooks and terrorists. These government-imposed restrictions hamper business, says RSA Japans Ram, while the extra costs involved have to be factored into the price of licensing. "The situation is the worst it can be right now, so things can only get better," he says optimistically. "What they [the US government] dont seem to understand is that the [encryption] genie is already out the bottle: RSA has put its algorithms in the public domain, so someone in Japan or Timbuktu could use them to write encryption software and export it back to the US!" In the case of Amway Japan, approval to use the RSA encryption software came only after three-and-a-half months of hard work. Made-in-Japan encryption Another US company active in the Japanese market is McAfee Associates. The company recently merged with General Networks to become Network Associates, Inc. (NAI), though it retains the McAfee brand. In December 1997, NAI bought Pretty Good Privacy, Inc. (for $37 million) to add PGP encryption software to its own in-house security software offerings. "Encryption," McAfee Japan's LaLonde stresses, "is like a condom for AIDS. You have to protect yourself. You can't trust other companies to do it." According to LaLonde, the company takes a different marketing tack to RSA: It offers packaged applications, and licenses out technology that works with encryption software from other vendors. "Companies outside the US dont necessarily want to rely on the US government for their security, so we offer products that let you use our encryption, or you can choose your own encryption scheme," says LaLonde. McAfee is hedging its bets further by working with a domestic software vendor of encryption called Laurel Intelligent Systems Co., Ltd. "This lets us get past the US export restriction," says LaLonde. Laurel Intelligent Systems is only one of a number of Japanese companies busy creating their own encryption schemes. Mitsubishi Electric has gained domestic prominence with its MISTY technology, and most of the major computer vendors are developing in-house next-generation encryption technology as well as working with companies like RSA and McAfee to push the current technology. Fujitsu, for instance, has established a basic research and development group dubbed the S Project Group ("S" stands for "security"). "Security is a combination of many technologies, and is a key issue, so were engaged in R<&>D in this area," says Hiroshi Muramatsu, general manager of the S Group, which is located in Fujitsu Laboratories in Kawasaki. And given encryption is now a key element in a wide range of applications - wireless communications, e-mail, audiovisual products like satellite TV and DVD, and even in the semiconductor business - Muramatsu says research into encryption "is the kernel of the S Project's work." At the government level, the Ministry of International Trade and Industry (MITI), the Ministry of Posts and Telecommunications (MPT), the Foreign Ministry, and the National Police Agency all got together to discuss the issue of computer security earlier in the decade. One result of these discussions, partly as the result of US government pressure, was a move by the government to tighten export restrictions on encryption technology. Probably more important, though, was the establishment of several major industry projects (some of them directly competing against each other) organized by the rival ministries. According to one government insider, these include a heavily funded, hush-hush project by the National Police Agency. One MITI-backed project is a three-year program ending this month (March). Its two purposes are to help Japan move ahead in encryption, and to create a domestic Certification Authority technology (to verify the validity of electronic transactions and the ownership of public keys). Mitsubishi Electric, aided by NEC and Chuo and Yokohama Universities, was richly funded by MITI to develop advanced encryption technology. Matsushita Electric assisted in the project by freely donating its know-how in next-generation elliptic curve encryption technology. All these public and private sector endeavors come at a critical time. RSAs competitors gleefully note that the companys patent on its encryption technology is due to expire in the near future. These same rivals also maintain that as RSA increases its keysize bit-length -- its current BSAFE toolkit provides developers with variable key sizes ranging from 256 to 2048 bits Ñ in order to stay ahead of the computer power available to hackers, the speed of encryption slows significantly. This is one reason so many Japanese labs are now busy exploring alternative, faster technologies like elliptic curve. Decoding the future So, does all this domestic activity indicate Japan is preparing to go its own way in computer security? According to Gartner's Nagatsuna, there are two schools of thought in the industry right now. "If the US government allows the export of stronger encryption to Japan, one opinion says Japanese companies should go with industry de facto standards," notes Nagatsuna. "The other opinion says that Japanese companies should have their own technology, and not let the US dominate." An understandable desire, perhaps, but its not going to help dispel the FUD factor surrounding computer and communications security. John Boyd is a Japan-based freelance writer who covers the local IT scene for a variety of publications. He writes the monthly Industry Eye column for Computing Japan.
|
