EPIC logo

Department of Commerce document obtained by the Electronic Privacy Information Center under the Freedom of Information Act.

A STUDY OF THE INTERNATIONAL MARKET FOR COMPUTER SOFTWARE WITH ENCRYPTION
 
[Note: This is a redacted copy of the original secret document. 
Brackets [] accompanied by the original classifications have 
been used to indicate location and size of excised classified text]
 
Prepared by the U.S. Department of Commerce and the National Security Agency for the Interagency Working Group on Encryption and Telecommunications Policy
 
 
 
EXECUTIVE SUMMARY BACKGROUND
 
In late 1994, the President's National Security Advisor directed that an
interagency report be prepared assessing the current and future
international market for software products containing encryption and the
impact of export controls on the U.S. software industry. The report was to
include an assessment of the impact of U.S. encryption export controls on
the international competitiveness of the U.S. computer software industry
and a review of the types, quality, and market penetration of
foreign-produced encryption software products. This paper presents the
joint efforts of the Department of Commerce/Bureau of Export
Administration and the National Security Agency to complete this tasking.
(U)
 
EXPORT CONTROLS
 
All countries that are major producers of commercial encryption products
control exports of those products to some extent. Control methodologies
and licensing practices vary, however, and a few countries, most notably
France, Russia and Israel also control imports and/or domestic use of
encryption. There is a significant amount of international cooperation in
controlling encryption exports. (U)
 
Some European and other countries apparently treat exports to the United
States of DES- based software more liberally than the United States treats
DES exports to those countries. Some countries have stated that they
generally restrict DES exports to financial end-uses. In general, no
independent verification of these licensing practices was obtained.
However, in some cases the U.S. was able to obtain DES products from them
for non-financial end-uses. It is possible that some countries may allow
these exports based on their political/economic/military relationship with
the destination country (e.g., within the European Community, or former
COCOM), for end uses that are considered legitimate commercial
applications of the technology, or, in the case of exports to the United
States, because DES is a national standard. (U)
 
As the technology and the marketplace have evolved, the USG export control
authorities have relaxed licensing constraints on cryptographic products
several times over the past 10 years. These changes have usually been made
after industry pressures and internal debate to balance national security
and economic concerns. (U)
 
 
DOMESTIC AND INTERNATIONAL MARKETS
 
While presently encryption software accounts for only a small percentage
of the total software market (1-3%), according to numerous information
security experts contacted in the course of the study, the future growth
trend for this sector is expected to be great.
 
The market for encryption in distributed computation, databases, and
electronic mail is beginning to expand exponentially as the U.S. and other
countries develop and popularize electronic commerce, public networks, and
distributed processing. (U)
 
Encryption in these environments will often be implemented in software, as
opposed to hardware, because it is generally less expensive and simpler to
install and upgrade. Absent changes in government standards, for the next
ten years, encryption software will primarily use DES and RSA-licensed
encryption algorithms. Other non-standard and company proprietary
algorithms will be used primarily for security-specific products for
small niche markets. (U)
 
Certain developments are promoting greater use by the general public of
software-based network security features, including encryption, throughout
the industrialized world. They include ever increasing use, fueled by well
publicized "break-ins," of distributed databases, popular acceptance and
usage of global networks, and the development and use of electronic
commerce. (U)
 
These developments are ongoing at one stage or another in practically all
of the countries surveyed for this assessment. Less technologically
advanced countries, where demand for encryption software is reportedly
negligible, will soon undergo widespread development and computerization
leading to increased demand for encryption software within the next 10
years. (U)
 
The overwhelming majority (75%) of general-purpose software products
(e.g., word processors, spread sheet programs, and database programs)
available on foreign markets today are of U.S. origin. Commerce
Department analyses indicate that the U.S. has few viable foreign
competitors for such products, and of those general-purpose products with
encryption features, all were found to be of U.S. origin. (U)
 
In the security specific software market, however, U. S. manufacturers
face competition in several foreign markets from such encryption exporting
countries as the United Kingdom, Germany, and Israel. To a large extent,
markets for these products tend to be "national. " Not only do export
controls affect sales, but local vendors of security-specific products are
at a competitive advantage in that they are better situated to work
closely with end- users and develop encryption solutions tailored to meet
the conditions of the local environment. (U)
 
NSA confirmed the existence of a significant number of foreign
security-specific software products with encryption features,
predominantly from Western European suppliers. Security-specific products
are usually not available on the shelf at retail stores either in the U.S.
or abroad, but can be purchased through direct contact with the
manufacturer. (U)
 
 
ES-2
 
BXA attempted to quantify U.S. competitiveness and market share in 31
foreign countries where encryption is thought to have significant demand.
While sources in the countries surveyed had limited access to import
statistics or market literature on encryption software and encountered
numerous difficulties in evaluating this complex market, definite
conclusions may be drawn from the responses. (U)
 
Sources in 14 countries indicated that U.S. export controls limit U.S.
market share in their countries. Sources in seven countries indicated that
export controls have either no impact or no major impact. (U)
 
Sources in most countries indicated that the U.S. market share is keeping
pace with overall demand despite the impact of U.S. export controls, which
may promote indigenous production or reduce U. S. market penetration. In
all known cases, the U.S. holds the majority of the general-purpose
encryption software market. (U)
 
Three exceptions are Switzerland (where the U.S. market share reportedly
declined in 1994, while the market shares of other European countries
rose), Denmark and the United Kingdom, which reported unspecified declines
from previous years. Sources in all three countries attribute the decline
to U.S. export controls, which they claim promote the development and sale
of indigenous encryption products. (U)
 
In many countries surveyed, exportable U. S. encryption products are
perceived to be of unsatisfactory quality. (U)
 
 
ANALYSIS OF FOREIGN PRODUCTS
 
NSA used various methods to procure encryption software products from a
variety of countries and companies, as reflected in the TIS database and
other sources. Altogether, 28 products from 22 foreign producers in 10
countries were acquired for the purposes of this study. Of these, 21
purportedly use the DES algorithm, while the remaining 7 use proprietary
algorithms. (U)
 
[
 
 
 
 
] (S)
 
 
 
 
 
ES-3
 
ECONOMIC IMPACT
 
In the absence of significant foreign competition, the impact of U.S.
export controls on the international market shares of general-purpose
products is probably negligible. Customers are often unaware of the
encryption features in these products and primarily base purchases on the
features implementing the primary function of the product (e.g., word
processing or database). (U)
 
[
 
 
 
] (S)
 
BXA attempted to quantify the economic impact of export controls on the
U.S. software industry by forwarding a detailed voluntary questionnaire to
206 software vendors and other interested parties. Thirty six encryption
software manufacturers provided completed surveys out of the 71 returned.
By and large, the companies were unable or unwilling to quantify the costs
of export controls, but did provide substantive explanations of how and
why they believe they are adversely affected. (U)
 
Some general-purpose software companies claim that export controls have
affected their plans to expand security features to meet anticipated
growing demand. These companies believe that they could expand their
domestic and international customer base with such features. (U)
 
The export licensing process itself is not a major obstacle to U. S.
competitiveness. Only seven survey respondents use the Department of State
licensing system. While they continue to have some complaints about the
administrative burdens and time delays associated with State's process,
several noted that there had been improvements in recent years. Only two
of the survey respondents had been denied licenses by the Department of
State. (U)
 
Numerous survey respondents indicated that they avoided applying for
export licenses from the Department of State altogether. Some larger
companies whose products tended to be general-purpose in nature either
developed two versions of software, or incorporated an encryption
algorithm they knew would qualify for Commerce general licenses. (U)
 
Many smaller, security-specific software firms, on the other hand, elected
to limit their sales to the domestic market only. These companies
indicated a high level of foreign interest in purchasing their products,
and therefore lost potential sales. While it is difficult for them to
quantify their potential market, they believe it to be sizable. They
claim their small size limited their ability to develop two versions of
their products, and the fact that their products were for security purposes
 
 
ES-4
 
specifically requires them to incorporate strong encryption. Only one
company was able to provide specific examples where a foreign competitor
obtained a sale due to an export license denied by U.S. authorities. (U)
 
There is little evidence that U.S. export controls have had a negative
effect on the availability of products in the U.S. marketplace. A broad
range of products with secure algorithms exist in the U. S. market and
availability of products is based principally on the level of customer
demand. Export controls may have hindered incorporation of strong
encryption algorithms in some domestic mass-market, general-purpose
products, since some companies find developing and maintaining two
versions of a product infeasible. (U)
 
The existence of foreign products with labels indicating DES or other
strong encryption algorithms, even if they are less secure than claimed,
can nonetheless have a negative effect on U.S. competitiveness. Most
encryption users base their purchasing decisions on the advertised product
features, along with price, company reputation, etc. (U)


Return to:

Export Controls Page

Cryptography Policy Page

EPIC Home Page