A STUDY OF THE INTERNATIONAL MARKET FOR COMPUTER SOFTWARE WITH ENCRYPTION [Note: This is a redacted copy of the original secret document. Brackets [] accompanied by the original classifications have been used to indicate location and size of excised classified text]Prepared by the U.S. Department of Commerce and the National Security Agency for the Interagency Working Group on Encryption and Telecommunications Policy EXECUTIVE SUMMARY BACKGROUND In late 1994, the President's National Security Advisor directed that an interagency report be prepared assessing the current and future international market for software products containing encryption and the impact of export controls on the U.S. software industry. The report was to include an assessment of the impact of U.S. encryption export controls on the international competitiveness of the U.S. computer software industry and a review of the types, quality, and market penetration of foreign-produced encryption software products. This paper presents the joint efforts of the Department of Commerce/Bureau of Export Administration and the National Security Agency to complete this tasking. (U)EXPORT CONTROLS All countries that are major producers of commercial encryption products control exports of those products to some extent. Control methodologies and licensing practices vary, however, and a few countries, most notably France, Russia and Israel also control imports and/or domestic use of encryption. There is a significant amount of international cooperation in controlling encryption exports. (U) Some European and other countries apparently treat exports to the United States of DES- based software more liberally than the United States treats DES exports to those countries. Some countries have stated that they generally restrict DES exports to financial end-uses. In general, no independent verification of these licensing practices was obtained. However, in some cases the U.S. was able to obtain DES products from them for non-financial end-uses. It is possible that some countries may allow these exports based on their political/economic/military relationship with the destination country (e.g., within the European Community, or former COCOM), for end uses that are considered legitimate commercial applications of the technology, or, in the case of exports to the United States, because DES is a national standard. (U) As the technology and the marketplace have evolved, the USG export control authorities have relaxed licensing constraints on cryptographic products several times over the past 10 years. These changes have usually been made after industry pressures and internal debate to balance national security and economic concerns. (U)DOMESTIC AND INTERNATIONAL MARKETS While presently encryption software accounts for only a small percentage of the total software market (1-3%), according to numerous information security experts contacted in the course of the study, the future growth trend for this sector is expected to be great. The market for encryption in distributed computation, databases, and electronic mail is beginning to expand exponentially as the U.S. and other countries develop and popularize electronic commerce, public networks, and distributed processing. (U) Encryption in these environments will often be implemented in software, as opposed to hardware, because it is generally less expensive and simpler to install and upgrade. Absent changes in government standards, for the next ten years, encryption software will primarily use DES and RSA-licensed encryption algorithms. Other non-standard and company proprietary algorithms will be used primarily for security-specific products for small niche markets. (U) Certain developments are promoting greater use by the general public of software-based network security features, including encryption, throughout the industrialized world. They include ever increasing use, fueled by well publicized "break-ins," of distributed databases, popular acceptance and usage of global networks, and the development and use of electronic commerce. (U) These developments are ongoing at one stage or another in practically all of the countries surveyed for this assessment. Less technologically advanced countries, where demand for encryption software is reportedly negligible, will soon undergo widespread development and computerization leading to increased demand for encryption software within the next 10 years. (U) The overwhelming majority (75%) of general-purpose software products (e.g., word processors, spread sheet programs, and database programs) available on foreign markets today are of U.S. origin. Commerce Department analyses indicate that the U.S. has few viable foreign competitors for such products, and of those general-purpose products with encryption features, all were found to be of U.S. origin. (U) In the security specific software market, however, U. S. manufacturers face competition in several foreign markets from such encryption exporting countries as the United Kingdom, Germany, and Israel. To a large extent, markets for these products tend to be "national. " Not only do export controls affect sales, but local vendors of security-specific products are at a competitive advantage in that they are better situated to work closely with end- users and develop encryption solutions tailored to meet the conditions of the local environment. (U) NSA confirmed the existence of a significant number of foreign security-specific software products with encryption features, predominantly from Western European suppliers. Security-specific products are usually not available on the shelf at retail stores either in the U.S. or abroad, but can be purchased through direct contact with the manufacturer. (U) ES-2 BXA attempted to quantify U.S. competitiveness and market share in 31 foreign countries where encryption is thought to have significant demand. While sources in the countries surveyed had limited access to import statistics or market literature on encryption software and encountered numerous difficulties in evaluating this complex market, definite conclusions may be drawn from the responses. (U) Sources in 14 countries indicated that U.S. export controls limit U.S. market share in their countries. Sources in seven countries indicated that export controls have either no impact or no major impact. (U) Sources in most countries indicated that the U.S. market share is keeping pace with overall demand despite the impact of U.S. export controls, which may promote indigenous production or reduce U. S. market penetration. In all known cases, the U.S. holds the majority of the general-purpose encryption software market. (U) Three exceptions are Switzerland (where the U.S. market share reportedly declined in 1994, while the market shares of other European countries rose), Denmark and the United Kingdom, which reported unspecified declines from previous years. Sources in all three countries attribute the decline to U.S. export controls, which they claim promote the development and sale of indigenous encryption products. (U) In many countries surveyed, exportable U. S. encryption products are perceived to be of unsatisfactory quality. (U)ANALYSIS OF FOREIGN PRODUCTS NSA used various methods to procure encryption software products from a variety of countries and companies, as reflected in the TIS database and other sources. Altogether, 28 products from 22 foreign producers in 10 countries were acquired for the purposes of this study. Of these, 21 purportedly use the DES algorithm, while the remaining 7 use proprietary algorithms. (U) [ ] (S) ES-3ECONOMIC IMPACT In the absence of significant foreign competition, the impact of U.S. export controls on the international market shares of general-purpose products is probably negligible. Customers are often unaware of the encryption features in these products and primarily base purchases on the features implementing the primary function of the product (e.g., word processing or database). (U) [ ] (S) BXA attempted to quantify the economic impact of export controls on the U.S. software industry by forwarding a detailed voluntary questionnaire to 206 software vendors and other interested parties. Thirty six encryption software manufacturers provided completed surveys out of the 71 returned. By and large, the companies were unable or unwilling to quantify the costs of export controls, but did provide substantive explanations of how and why they believe they are adversely affected. (U) Some general-purpose software companies claim that export controls have affected their plans to expand security features to meet anticipated growing demand. These companies believe that they could expand their domestic and international customer base with such features. (U) The export licensing process itself is not a major obstacle to U. S. competitiveness. Only seven survey respondents use the Department of State licensing system. While they continue to have some complaints about the administrative burdens and time delays associated with State's process, several noted that there had been improvements in recent years. Only two of the survey respondents had been denied licenses by the Department of State. (U) Numerous survey respondents indicated that they avoided applying for export licenses from the Department of State altogether. Some larger companies whose products tended to be general-purpose in nature either developed two versions of software, or incorporated an encryption algorithm they knew would qualify for Commerce general licenses. (U) Many smaller, security-specific software firms, on the other hand, elected to limit their sales to the domestic market only. These companies indicated a high level of foreign interest in purchasing their products, and therefore lost potential sales. While it is difficult for them to quantify their potential market, they believe it to be sizable. They claim their small size limited their ability to develop two versions of their products, and the fact that their products were for security purposes ES-4 specifically requires them to incorporate strong encryption. Only one company was able to provide specific examples where a foreign competitor obtained a sale due to an export license denied by U.S. authorities. (U) There is little evidence that U.S. export controls have had a negative effect on the availability of products in the U.S. marketplace. A broad range of products with secure algorithms exist in the U. S. market and availability of products is based principally on the level of customer demand. Export controls may have hindered incorporation of strong encryption algorithms in some domestic mass-market, general-purpose products, since some companies find developing and maintaining two versions of a product infeasible. (U) The existence of foreign products with labels indicating DES or other strong encryption algorithms, even if they are less secure than claimed, can nonetheless have a negative effect on U.S. competitiveness. Most encryption users base their purchasing decisions on the advertised product features, along with price, company reputation, etc. (U)
Return to: Export Controls Page Cryptography Policy Page EPIC Home Page