Defense wants PKI now

To jump-start development of a public-key recovery system, the Defense Department plans
to require its vendors to use strong encryption, deputy Defense secretary John Hamre said

Because it wields significant buying clout, Defense's more stringent requirements
should boost government and industry efforts to build systems for managing encryption
keys, Hamre said last month at an Armed Forces Communications and Electronics Association
event in Washington.

Agencies cannot wait for the government and industry to settle on a national encryption
policy, Hamre said.

Through successive administrations, the government has tried to develop a singular
policy on encryption. But so far, the efforts have failed. Generally, industry has
criticized the government's policy proposals as too restrictive.

"We have an important national imperative to protect ourselves in this
world," Hamre said. "We can't wait to have this issue resolved ... therefore
we're going to buy encryption with key recovery."

Vendors will have to use encrypted data and be able to recover it when doing business
with DOD, he said.

Defense will work out a final policy in the coming weeks, Hamre said.

"We are going to personally require that if you want to do business with us, we
are going to insist you have security on your side," he said. "That's all we're
asking for, and we're willing to buy it."

Lauren Hall, chief technologist for the Software Publishers Association, a Washington
trade association, disagreed with the theory that such a requirement would create a market
for key recovery services.

"They might drive a niche market," she said, but questioned whether the
approach would meet the government's national security concerns.

She predicted that the DOD requirement would become another burden that makes U.S.
software companies less competitive than their overseas counterparts.

Hamre called the ongoing debate over encryption a fraud. Key recovery, he said, would
give the government no greater access to documents than it now has, which some critics

Hamre said industry will have to take the lead in implementing key recovery systems
because government is not going to set system requirements. The designs should be based on
commercial applications, he said.

DOD is willing to cede the management of the keys and let an outside third party serve
as the certificate authority, or key holder, he said.

Security and encryption are critical for the development of electronic commerce, the
cornerstone of DOD's streamlined buying processes, Hamre said.

The department is choking on paper, Hamre said, noting that its procurement shops last
year generated some 300 million sheets of paper.

"When you have to move mountains of paper every day just to do your job, your
energy is consumed by the mechanics of the process, not the competence of the
process," Hamre said.

What's more, recent cyberattacks on DOD systems underscore the need for the department
to make use of encryption, Hamre said. Hackers hit about 150 DOD systems in February as
the United States and Iraq were nearing a showdown over weapons inspections.

To better deal with such systems assaults, the department is creating a joint
cyberwarfare task force.

DOD network security is increasingly becoming the responsibility of the Defense
Information Systems Agency, Hamre said.

