There is considerable interest in the US in a Ministry of Health project which allows health information to be shared securely over the Internet, says Sybase data and communications security director Tom Parenty.
That’s particularly so in very sparsely populated states.
Parenty was instrumental in getting permission from Congress for 128-bit encryption code to be exported to the Ministry of Health, the first time this has happened outside the financial sector.
“The health industry is very interested in seeing how this works,” he says.
The ministry has built an infrastructure, based on Sybase’s SQL Server, Jaguar transaction server and IQ Warehouse, that supports whatever health professionals need to do to share information. Because of security requirements, there is a strict classification process before anyone can get access.
Parenty has a background in security dating back to the early 1980s when he joined the US National Security Administration. His first work was on nuclear security "making sure that bombs didn’t go off by accident".
For the past three years, he’s been in charge of all security product development at Sybase.
"Security for the internet is a very political issue," he says, having testified to Congress three times about encryption.
In general, he represents the software industry in those hearings. "But my NSA background makes me a more attractive witness."
Parenty is also an adviser to the presidential commission on critical infrastructure, which includes telecommunications and power utilities.
"Getting approval for the export of 128-bit encryption to the Ministry of Health took a number of months," he says. "It was brought up explicitly at three congressional hearings. There was also a second-tier approach to hire a law firm that deals with routine applications."
Approval was gained late last year.
"You have to make a specific application for a specific customer and a specific purpose.
"I found it amusing talking to the NSA staffer who eventually approved the application. He said the New Zealand Ministry of Health wasn’t viewed as a national security threat."
The political issues have arisen because, for the first time, cryptography has become part of the public domain.
"Now, with its availability over the Web to the population at large, law and intelligence agencies have become nervous.
"There’s a rear-guard action to slow as much as possible the deployment of encryption in software throughout the world.
"Usually, 50% of US software sales are made overseas. If the agencies can cripple half of the market, they will view that as a success.
"The fact that strong cryptography is already available overseas seems to be lost on a number of politicians. There’s a sense of chauvinism, that anything made in the US must be best."
Parenty says the Director of the FBI has warned that if controls on encryption are loosened, people will die.
"The opposing view is that not exporting will cost jobs and money but that hasn’t resonated well with the policy makers. The thing that has the most resonance is everyone’s right to protect their communication from anyone."
He says the worst agency in the scenario is the US Justice Department, "specifically the FBI".
"In the past four or five months, they’ve (the FBI) been more specific. They want to impose domestic controls on software."
In a few months, an encryption Bill will go before the House of Representatives but, says Parenty, at this stage there are five versions, one of which would lift controls. The House rules committee will decide which version(s) goes to debate.
Currently, 40-bit encryption is the export version. Parenty says that can be broken in 12 minutes with some basic equipment and expertise which would cost no more than $US10,000.
But with 128 bits . . . "Say you had a special purpose chip that could access a billion keys a second, and you had a billion of these chips. It would take you longer than the lifetime of the universe."