Like many government policies across the globe, this directive was apparently drafted with a clear social goal in mind, but with little understanding of the use and pace of technology. Surely anyone serious about transporting intelligence information or treasonous material will use methods of encryption and obfuscation that would take more than a few hours of inspection to discover. Likewise, pornography has a way of finding its way to interested consumers no matter how it's hampered. In any case, one would think the low-wattage beacons of leadership in Khartoum would have more pressing business in Darfur.
While the Sudanese government has been on spin cycle for half a century, the country's leaders have been able to stabilize certain technology and energy-related aspects of the economy over the past few years. Recent ventures away from an otherwise solidly agrarian market have brought an increase in the number of affluent nationals and foreign businesspeople traveling in and out of the country -- each carrying little devices with lots of data. Apparently it occurred to government officials that they didn't understand what was in the devices and that the devices might be the conveyance for objectionable material.
The immediate effect of the quarantines and data inspections is sure to be a dampening of business interest in an already risk-fraught environment. Over the long term, however, silly rules regarding technology tend to be corrected by individuals' use of even more advanced technology. Governments rarely win this sort of oneupsmanship. In a bit of mild hysteria that peaked in the 1990s, the U.S. government clamped down on the export of both powerful computers and encryption software, to somewhat different and unexpected ends. Both situations are worth considering in the context of Sudan.
The U.S. Department of Commerce's Bureau of Export Administration (BXA) maintains a formal definition of what our government considers a supercomputer, along with a few other thresholds for computing power that can be exported to hostile or politically bewildered foreign states. Relevant regulations at the time included 15 CFR Parts 770, 772, 773, 776, and 799. When Apple introduced the PowerMac G4 in the late 1990's, its capacity to process over 1 billion instructions per second (1GFLOPS) qualified it as a supercomputer. Because powerful computers can be used to do things like compute missile trajectories and simulate conflict outcomes, such machines were considered munitions under U.S. export law.
While the starched shirts of the Defense Department were deadly serious about preventing export of "munitions" technology to hostile states, Apple astutely turned this into a marketing bonanza, appealing to power-hungry computer users across the country. Other PC makers followed suit, and new versions of the Intel Pentium processor were similarly promoted as personal supercomputers. Market pressures convinced the BXA and the Defense Department to adjust the standard much more quickly in light of advancing technology and to ease export restrictions so the G4 and similarly powerful systems could be marketed overseas.
I'm sure that back in the '60s, agents of the then-young National Security Agency would have had a collective aneurysm at the thought of commonplace digital watches with 16-bit processors and 32K of memory -- about the same computing power as the NASA guidance computer systems that managed Apollo missions to the Moon. But today's critical computing infrastructure and top-secret technology is tomorrow's disposable tchotchke, and it took a long time for the policy-makers to realize that they needed a comparative standard rather than an absolute one.
A similar situation arose in the U.S. around encryption technology, but with different effect. The U.S. Department of State's Directorate of Defense Trade Controls (DDTC) is responsible for defining munitions, and for publishing the official United States Munitions List of weapons and information that we wouldn't want to end up in the hands of naughty people. The munitions list enumerates such specific cases as "Technical Data and Defense Services Not Otherwise Enumerated" and "Miscellaneous Articles." This leaves plenty of room for computer hardware and software that make governmental people nervous. The DDTC is also given the authority to regulate the export of anything defined as a munition under the Arms Export Control Act. AECA is in turn implemented as the International Trafficking in Arms Regulations or ITAR.
It's this ITAR that caused Phil Zimmerman, the author of Pretty Good Privacy, so much trouble. ITAR prohibited the export of any encryption using more than 40 bits for its key until 1996. When Zimmerman and RSA couldn't settle a dispute in 1993 regarding an early agreement, RSA complained to U.S. Customs that Zimmerman was exporting munitions-grade encryption. But a funny thing happened: Zimmerman was harassed and investigated about the export of 128-bit encryption but never prosecuted. By the time a thorough investigation had taken place in Zimmerman's case and others, it was pretty clear the effect of the law was to wash a lot of encryption research and product development away from U.S. shores.
The prohibition on the export of strong encryption technology led several commercial research organizations to relocate or outsource their encryption groups and projects to more friendly locales. Over the course of a half-dozen years, a significant chunk of state-of-the-art encryption research and development left the United States for Finland, Russia, Ireland, Australia, India and the like. Of course, not everyone left in the U.S. was hung out to dry. Major academic institutions and commercial powerhouses such as RSA still cranked out encryption tools, but the availability of top-notch commercial products from outside the U.S. (such as the Finnish-developed BestCrypt) made many portions of the U.S. export restrictions meaningless.
Subsequent relaxing of export controls over encryption didn't undo the spread of technology to other nations. For example, in late 1997, a year after the first major easing of encryption export controls, RSA acquired a Japanese company to form Nihon-RSA, a subsidiary not subject to U.S. encryption export rules. At the same time, Sun Microsystems announced it would begin selling a 128-bit VPN product developed by a Moscow firm called ElvisPlus Co. as part of its own SunScreen product line.
Clearly it's easy to write a policy that drives encryption research and development away. How would one pull these technologies into a country? Easy -- ban pornography and start randomly searching people's personal data storage. However unintentionally, the Sudanese government is creating a strong internal demand for technical privacy controls. The people subject to these new quarantine and search laws are rather affluent by Sudanese standards and clearly have access to foreign sources of data and software. It would be foolish to assume they would not take steps to protect their data. If Sudanese people with resources are forced to commission or create their own security tools, those tools will likely be made available in both English and Arabic-language versions -- another step forward for the spread of security and privacy tools.
As Sudanese nationals and visitors become more comfortable with the security of their own data -- and count on others protecting their data -- the expectation of secure data storage and communications will surely insinuate itself in financial transactions and other areas of business. Perhaps the level of invasiveness into portable data storage will even have a positive effect on the deployment and improvement of GSM and third-generation data services. I doubt it's what the policy-makers had in mind, but I'll bet the effect over the next few years is the best thing ever to happen to computer security in Sudan.
Jon Espenschied has been at play in the security industry for enough years to become enthusiastic, blas', cynical, jaded, content and enthusiastic again. He is currently a senior security consultant in Seattle, where his advice has been ignored by CEOs, auditors and sysadmins alike.