Information Security and Privacy in Network Environments
September 1994 OTA-TCT-606 NTIS order #PB95-109203 GPO stock #052-003-01387-8 Recommended Citation: U.S. Congress, Office of Technology Assessment, Information Security and Privacy in Network Environments, OTA-TCT-606 (Washington, DC: U.S. Government Printing Office, September 1994).
For Wk by the U.S. Government Prlnflng Office Superintendent of Document\, MiIIl Stop: SSOP, Wti\hlngton, DC 204)2-932/! ISBN O- 16-04!; 188-4 Foreword
nformation networks are changing the way we do business, educate our children, deliver government services, and dispense health care. Information technologies are intruding in our lives in both I positive and negative ways. On the positive side, they provide win- dows to rich information resources throughout the world. They provide instantaneous communication of information that can be shared with all who are connected to the network. As businesses and government be- come more dependent on networked computer information, the more vulnerable we are to having private and confidential information fall into the hands of the unintended or unauthorized person. Thus appropriate institutional and technological safeguards are required for a broad range of personal, copyrighted, sensitive, or proprietary information. Other- wise, concerns for the security and privacy of networked information may limit the usefulness and acceptance of the global information infra- structure. This report was prepared in response to a request by the Senate Com- mittee on Governmental Affairs and the House Subcommittee on Tele- communications and Finance. The report focuses on policy issues in three areas: 1 ) national cryptography policy, including federal informa- tion processing standards and export controls; 2) guidance on safeguard- ing unclassified information in federal agencies; and 3) legal issues and information security, including electronic commerce, privacy, and intel- lectual property. OTA appreciates the participation of the many individuals without whose help this report would not have been possible. OTA received valu- able assistance from members of the study’s advisory panel and partici- pants at four workshops, as well as a broad range of individuals from government, academia, and industry. OTA also appreciates the coopera- tion of the General Accounting Office and the Congressional Research Service during the course of this assessment. The report itself, however, is the sole responsibility of OTA.
ROGER C. HERDMAN Director . . . Ill Advisory Panel
Nancy M. Cline Burton S. Kaliski, Jr. David Alan Pensak Chairperson Chief Scientist Principal Consultant Dean of University Libraries RSA Laboratories Computing Technology The Pennsylvania State University E.I. DuPont de Nemours, Inc. Stephen T. Kent James M. Anderson Chief Scientist Richard M. Peters, Jr. Director of Security Security Technology Senior VP for Corporate Mead Data Central, Inc. Bolt Beranek and Newman, Inc. Development Oceana Health Care Systems Alexander Cavalli Clifford A. Lynch Director, Research and Director Joel R. Reidenberg Development Division of Library Automation Professor Enterprise Integration Division Office of the President University School of Law Microelectronics and Computer of California Fordham University Technology Corp. Simona Nass Thomas B. Seipert Dorothy E. Denning President Detective Sergeant Chair, Computer Science The Society for Electronic Access Portland Police Bureau Department Georgetown University Jeffrey D. Neuburger Willis H. Ware Attorney Consultant L. Dain Gary Brown Raysman & Millstein The RAND Corp. Manager, Coordination Center CERT Susan Nycum Attorney Richard F. Graveman Baker & McKenzie Member of Technical Staff, Information Systems Security Raymond L. Ocampo, Jr. Bellcore Sr. Vice President, General Counsel and Secretary Lee A. Hollaar Oracle Corp. Professor of Computer Science The University of Utah
Note: OTA appreciates and is grateful for the valuable assistance and thoughtful critiques provided by the advisory panel members. The panel does not, however, necessarily approve, disapprove. or endorse this report. OTA assumes full responsibility for the report and the accuracy of its contents. iv Project Staff
Peter Blair JOAN WINSTON Assistant Director Project Director OTA Industry, Commerce, and International Security Division Paula Bruening Senior Analyst James W. Curlin Program Director Tom Hausken OTA Telecommunication and Analyst Computing Technologies Program Beth Valinoti Research Assistant
ADMINISTRATIVE STAFF Liz Emanuel Office Administrator
Karolyn St. Clair PC Specialist c ontents
1 Introduction and Policy Summary 1 Overview 1 Safeguarding Networked Information 6 Policy Issues and Options 8
2 Safeguarding Networked Information 25 Safeguards for Networked Information 26 Institutions That Facilitate Safeguards for Networked Information 40 Government’s Role in Providing Direction 63
3 Legal Issues and Information Security 69 Electronic Commerce 70 Protection of Information Privacy and the Problem of Transborder Data Flow 78 Digital Libraries 96
4 Government Policies and Cryptographic Safeguards 111 Importance of Cryptography 115 Government Concerns and Information Safeguards 128 Guidance on Safeguarding Information in Federal Agencies 132 U. S. Export Controls on Cryptography 150 Safeguards, Standards, and the Roles of NIST and NSA 160 Strategic and Tactical Congressional Roles 174
vii A Congressional Letters of Request 185
B Computer Security Act and Related Documents 189
C Evolution of the Digital Signature Standard 215
D Workshop Participants 223 E Reviewers and Other Contributors 226
INDEX 229
. . . Vlll Introduction and Policy Summary 1
he technology used in daily life is changing. Information technologies are transforming the ways we create, gather, process, and share information. Computer networking is T driving many of these changes; electronic transactions and records are becoming central to everything from commerce to health care. The explosive growth of the Internet exemplifies this transition to a networked society. According to the Internet Soci- ety, the number of Internet users has doubled each year; this rapid rate of growth increased more during the first half of 1994. By July 1994, the Internet linked over 3 million host computers worldwide; 2 million of these Internet hosts are in the United States. ] Including users who connect to the Internet via public and private messaging services, some 20 to 30 million people world- wide can exchange messages over the Internet. OVERVIEW The use of information networks for business is expanding enor- mously. 2 The average number of electronic point-of-sale transac- tions in the United States went from 38 per day in 1985 to 1.2
] Data (m Internet S]ZC and gr~~wth from the Internet Stwicty, press release, Aug. 4, 1994. The lntemct (mginated m the Department of Defense’s ARPANET in the early 1970s, By 1982, the TCPIP pr(}t(}ct)ls developed for ARPANET were a military standard and there were atx]ut 100 computers on [he ARPANET. Twelve years later, the Internet IInhs host c{~mputers in rm~re than 75 countries via a netw(~rk of separately administered netwtrks. 2 See U.S. C(mgress, office of Techn[)logy Assessment, Elcctron[( Enferpr(fes: LOdIn million per day in 1993.3 An average $800 billion on infected computers and lost staff time in is transferred among partners in international cur- putting the computers back on line. Related rency markets every day; about $1 trillion is trans- dollar losses are estimated to be between ferred daily among U.S. banks; and an average $100,000 and $10 million. The virus took ad- $2 trillion worth of securities are traded daily in vantage of UNIX’s trusted-host features to New York markets.4 Nearly all of these financial propagate among accounts on trusted ma- transactions pass over information networks. chines. (U.S. General Accounting Office, Government use of networks features promi- Computer Security: Virus Highlights Need for nently in plans to make government more effi- Improved Internet Management, GAO/l M- cient, effective, and responsive. 5 Securing the TEC-89-57 (Washington, DC: U.S. Govern- financial and other resources necessary to suc- ment Printing Office, June 1989).) cessfully deploy information safeguards can be ● Between April 1990 and May 1991, hackers difficult for agencies, however. Facing pressures penetrated computer systems at 34 Department to cut costs and protect information assets, some of Defense sites by weaving their way through federal-agency managers have been reluctant to university, government, and commercial sys- connect their computer systems and networks tems on the Internet. The hackers exploited a with other agencies, let alone with networks out- security hole in the Trivial File Transfer Proto- side government. 6 Worse, if agencies were to col, which allowed users on the Internet to ac- “rush headlong” onto networks such as the Inter- cess a file containing encrypted passwords net, without careful planning, understanding se- without logging onto the system. (U.S. General curity concerns, and adequate personnel training, Accounting Office, Computer Security: Hack- the prospect of plagiarism, fraud, corruption or ers Penetrate DOD Computer Systems, GAO/ loss of data, and improper use of networked in- IMTEC-92-5 (Washington, DC: U.S. Govern- formation could affect the privacy, well-being, ment Printing Office, November 1991 ).) 7 and livelihoods of millions of people. ● Authorized users of the Federal Bureau of In- In its agency audits and evaluations, the Gener- vestigation’s National Crime Information Cen- al Accounting Office (GAO) identified several re- ter misused the network’s information. Such cent instances of information-security and privacy misuse included using the information to, for problems: example, determine whether friends, neigh- bors, or relatives had criminal records, or in- - In November 1988, a virus caused thousands of quire about backgrounds for political purposes. computers on the Internet to shut down. The vi- rus’s primary impact was lost processing time (U.S. General Accounting Office, National 3 Electronic Funds Transfer Association, Hemdon, VA. Based on data supplied by Bunk Network News and POS News. 4 Joel Kurtzman, The Deafh o~Money (New York, NY: Simon & Schuster, 1993). 5 See The National lnjimnation lnfiastruclure: Agenda jbr Acfion, Information Infrastructure Task Force, Sept. 15, 1993; and Reengineer- ing Through /njbrmafion Technology, Accompanying Report of the National Performance Review (Washington, DC: Ofice of the Vice Presi - dent, 1994). See also U.S. Congress, Office of Technology Assessment, Making Go\ermnenf Work: E/ecfronic Deli}’ery oj’Fedend Ser}’ices, OTA-TCT-578 (Washington, DC: U.S. Government Printing OffIce, September 1993). fJ This was one finding from a series Of agency visits made by the OffIce of Management and Budget (OMB), the National Institute of Stan- dards and Technology (NIST), and the National Security Agency (NSA) in 1991 and 1992. The visits were made as part of the implementation of the Computer Security Act of 1987 and the revision of the security sections of OMB Circular A-130 (see ch. 4). See Office of Management and Budget, “Observations of Agency Computer Security Practices and implementation of OMB Bulletin No. 90-08,” February 1993. 7 See F. Lynn McNuhy, Associate Director for Computer Security, National Institute of Standards and Technology, “Security on the Inter- net,” testimony presented before the Subcommittee on Science, Committee on Science, Space, and Technology, U.S. House of Representatives, Mar. 22, 1994, p. 8. Chapter 1 Introduction and Policy Summary 13 Crime Information Center: Legislation gathering Internet passwords by using what are Needed To Deter Misuse of Criminal Justice In- called sniffer programs. The sniffer programs formation, GAO/T-GGD-93-41 (Washington, operate surreptitiously, capturing authorized DC: U.S. Government Printing Office, July users’ logins and passwords for later use by 1993).) intruders. The number of captured passwords = In October 1992, the Internal Revenue Ser- in this series of attacks has been estimated at a vice’s (IRS’s) internal auditors identified 368 million or more, potentially threatening all the employees who had used the IRS’s Integrated host computers on the Internet--and their users.9 Data Retrieval System without management knowledge, for non-business purposes. Some 1 The Networked Society of these employees had used the system to issue The transformation being brought about by net- fraudulent refunds or browse taxpayer accounts working brings with it new concerns for the secu- that were unrelated to their work, including rity and privacy of networked information. If those of friends, neighbors, relatives, and ce- these concerns are not properly resolved, they lebrities. (U.S. General Accounting Office, IRS threaten to limit networking’s full potential, in Information Systems: Weaknesses Increase terms of both participation and usefulness. Thus, Risk of Fraud and Impair Reliability of Man- information safeguards are achieving new promi- 10 agement Information, GAO/AIMD-93-34 nence. Whether for use in government or the pri- (Washington, DC: U.S. Government Printing vate sector, appropriate information safeguards, 8 Office, September 1993).) must account for—and anticipate—technical, More recent events have continued to spur gov- institutional, and social developments that in- ernment and private-sector interest in information creasingly shift responsibility for safeguarding in- security: formation to the end users. Key developments include the following: ~ A series of hacker attacks on military com- puters connected to the Internet has prompted ■ There has been an overall movement to distrib- the Defense Information Systems Agency to uted computing. Computing power used to be tighten security policies and procedures in the concentrated in a mainframe with ‘*dumb” defense information infrastructure. The hack- desktop terminals. Mainframes, computer ers, operating within the United States and workstations, and personal computers are in- abroad, have reportedly penetrated hundreds of creasingly connected to other computers sensitive, but unclassified, military and gov- through direct connections such as local- or ernment computer systems. The break-ins have wide-area networks, or through modem con- increased significantly since February 1994, nections via telephone lines. Distributed com- when the Computer Emergency Response puting is relatively informal and bottom up; Team first warned that unknown intruders were 8 E~amples provided by Hazel Edwards, Director, General Govemrnen{ Information Systems, U.S. General Acctwnting office, W>rs(mal c(mmmnicatmn, May 5, 1994. 9 See Elizabeth Siktm)vsky, “’Ronw Lab Hacker Arrested After Lengthy Invasion,” Federal Computer Week, July 18, 1994, p. 22; Peter H. Lewis, ‘“Hackers (m Internet Posing Security Risks, Experts Say,” The Netv York Times, July21, 1994, pp. 1, B 10; Bob Brewin, “DODTO Brief White H(wse (m Hacker Attacks,” Federa/ Cornpu[er Week, July 25, 1994, pp. 1, 4. )() ]n this reF)fl OTA ~)ften uses the tem “safeguard,” as in ;nform~f;on ,ruje~uards or 10 safe~li~rd information. This is to av~~id misunder- stamhngs regarding use of the teml “’secunt y,”’ which s(mle readers may interpret in terms of classified infomlati(m, or as excluding measures to protect pers~mai privacy. In its discussi(m of infom~ation safeguards, this report focuses on technical and institutional measures to ensure the (’onjidertf~al~ty and [nfegrify of the inft)m]ation and the aufhenflc[ty of its origin. 4 I Information Security and Privacy in Network Environments systems administration may be less rigorous as world if they can find a vulnerability in the net- it is decentralized. work. ■ Open systems allow interoperability among ● Computer networks allow more interactivity. products from different vendors. Open systems Online newspapers and magazines allow read- shift more of the responsibility for information ers to send back comments and questions to re- security from individual vendors to the market porters; online discussion groups allow widely as a whole. dispersed individuals to discuss diverse issues; ● Boundaries between types of information are pay-per-view television allows viewers to blurring. As the number of interconnected select what they want to see. Consequently, computers and users expands, telephone con- providers must consider new responsibilities— versations, video segments, and computer data such as protecting customer privacy11—result- are merging to become simply digital informa- ing from interactivity. tion, at the disposal of the user. ● Information technology has done more than ● The number and variety of service providers make it possible to do things faster or easier— has increased. A decade after the divestiture of electronic commerce has transformed and AT&T, the market is now divided among many created industries. Successful companies de- local-exchange and long-distance carriers, cel- pend on the ability to identify and contact po- lular carriers, satellite service providers, value- tential customers; customer buying habits and -added carriers, and others. Traditional market trends are increasingly valuable as busi- providers are also entering new businesses: nesses try to maximize their returns. Manufac- telephone companies are testing video ser- turing is becoming increasingly dependent on vices; some cable television companies are pro- receiving and making shipments “just in time” viding telephone and Internet services; Internet and no earlier or later to reduce inventories. providers can deliver facsimile and video in- Documents critical to business transactions— formation; electric utilities are seeking to enter including electronic funds—are increasingly the communications business. stored and transferred over computer net works. ✘ Lower costs have moved computing from the ■ Electronic information has opened new ques- hands of experts. Diverse users operate person- tions about copyright, ownership, and respon- al computers and can also have access to mo- sibility for information. Rights in paper-based dems, encryption tools, and information stored and oral information have been developed in remote computers. This can empower indi- through centuries of adaptation and legal prece- viduals who might otherwise be isolated by dis- dents. Information in electronic form can be abilities, distance, or time. Lower cost created, distributed, and used very differently computing also means that businesses rely than its paper-based counterparts, however. more on electronic information and informa- ■ Measures to streamline operations through use tion transfer, But, lower cost computing also of information technology and networks re- empowers those who might intrude into per- quire careful attention to technical and institu- sonal information, or criminals who might seek tional safeguards. For example, combining to profit from exploiting the technology. Poten- personal records into a central database, in or- tial intruders can operate from anywhere in the I I In ~ls reP)fl OTA uses he tem conjjdenfja~ify t{l refer t{) disclosure of information only to authorized individuals, entities, ~d so fofih. Pri}’acy refers to the social balance between an individual right to keep information confidential and the societal benefit derived from sharing information, and how this balance is codified to give individuals the means to control personal information. The tem]s are not mutually exclu- sive: safeguards that help ensure confidentiality of information can be used to protect personal privacy. Chapter 1 Introduction and Policy Summary 15 der to improve data processing efficiency, can put privacy at risk if adequate safeguards are not also implemented. In addition, many types of information safeguards are still relatively new, and methods to balance risks and the costs of protecting information are not fully devel- oped. Distributed computing and open systems can make every user essentially an “insider.” This means that responsibility for safeguarding in- formation becomes distributed as well, potential- ly putting the system at greater risk. With the rapid changes in the industry, the responsibilities of each network provider to other providers and to -. customers may not be as clear as in the past. Even though each player may be highly trusted, the overall level of trust in the network necessarily de- creases, unless the accountability of each of the The Clipper chip. many intermediaries is very strict. Thus, users must take responsibility for safeguarding in- A). After consultation with requesting staff, OTA formation, rather than relying on intermediaries to prepared a proposal for an expedited study; the provide adequate protection. proposal was approved by the Technology As- sessment Board in June 1993. D Background of the OTA Assessment This report focuses on safeguarding unclassi- In May 1993, Senator William V. Roth, Jr., Rank- fied information in networks, not on the security ing Minority Member of the Senate Committee on or survivability of networks themselves, or on the Governmental Affairs, requested that the Office of reliability of network services to ensure informa- Technology Assessment (OTA) study the chang- tion access. The report also does not focus on ing needs for protecting (unclassified) informa- “computer crime” per se (a forthcoming OTA tion and for protecting the privacy of individuals, study, Information Technologies for Control of given the increased connectivity of information Money Laundering, focuses on financial crimes). systems within and outside government and the This study was done at the unclassified level. growth in federal support for large-scale net- Project staff did not receive or use any classified works. Senator Roth requested that OTA assess information during the course of the study. the need for new or updated federal computer-se- The widespread attention to and the signifi- curity guidelines and federal computer-security cance of the Clinton Administration’s escrowed- and encryption standards. Senator John Glenn, encryption initiative resulted in an increased focus Chairman of the Senate Committee on Govern- on the processes that the government uses to regu- mental Affairs, joined in the request, noting that late cryptography and to develop federal infor- it is incumbent for Congress to be informed and mation processing standards (the FIPS) based ready to develop any needed legislative solutions on cryptography. Cryptography is a fundamental for these emerging information-security and pri- technology for protecting the confidentiality of in- vacy issues. Congressman Edward J. Markey, formation, as well as for checking its integrity and Chairman of the House Subcommittee on Tele- authenticating its origin. communications and Finance, also joined in en- Cryptography was originally used to protect dorsing the study (see request letters in appendix the confidentiality of communications, through 6 I Information Security and Privacy in Network Environments encryption; it is now also used to protect the confi- In addition to meetings and interviews with ex- dentiality of information stored in electronic form perts and stakeholders in government, the private and to protect the integrity and authenticity of sector, and academia, OTA broadened participa- both transmitted and stored information. With the tion through the study’s advisory panel and advent of what are called public-key techniques, through four project workshops (see list of work- cryptography came into use for digital signatures shop participants in appendix D). The advisory that are of widespread interest as a means for elec- panel met in April 1994 to discuss a draft of the re- tronically authenticating and signing commercial port and advise the project staff on revisions and transactions like purchase orders, tax returns, and additions. To gather expertise and perspectives funds transfers, as well as for ensuring that unau- from throughout OTA, a “shadow panel” of 11 thorized changes or errors are detected. These OTA colleagues met with project staff as needed functions are critical for electronic commerce. to discuss the scope and subject matter of the re- Techniques based on cryptography can also help port. manage copyrighted material and ensure its prop- At several points during the study, OTA staff er use. met formally and informally with officials and This study builds on the previous OTA study of staff of the National Institute of Standards and computer and communications security, Defend- Technology (NIST) and the National Security ing Secrets, Sharing Data: New, Locks and Keys Agency (NSA). Individuals from these agencies, for Electronic Information, OTA-CIT-310 (Wash- as well as from the Office of Management and ington, DC: U.S. Government Printing Office, Budget (OMB), the Office of Science and October 1987). The 1987 study focused on securi- Technology Policy, the Department of Justice, the ty for unclassified information within relatively Federal Bureau of Investigation, the General closed networks. Since then, new information se- Services Administration, the Patent and Trade- curity and privacy issues have resulted from ad- mark Office, the Copyright Office, the General vances in networking, such as the widespread use Accounting Office, and several mission agencies, of the Internet and development of the informa- were among the workshop participants and were tion infrastructure, and from the prospect of net- invited to review a draft of the report (see list of re- working as a critical component of private and viewers who provided comments in appendix E). public-sector functions. These advances require appropriate institutional and technological safe- guards for handling a broad range of personal, SAFEGUARDING NETWORKED copyrighted, sensitive, and proprietary informa- INFORMATION tion. This study also builds on intellectual-proper- The information infrastructure is already interna- ty work in Finding a Balance: Computer tional: networks like the Internet seamlessly cross Software, Intellectual Property, and the Chal- national borders. Networked information is simi- lenge of Technological Change, OTA-TCT-527 larly borderless. Achieving consensus regarding (Washington, DC: U.S. Government Printing Of- information safeguards among the diverse stake- fice, May 1992); the analysis of issues related to holders worldwide is more difficult than solving digital libraries and other networked information many technical problems that might arise. The resources in Accessibility and Integrity of Net- federal government can help resolve many of worked Information Collections, BP-TCT-109 these interrelated issues. But they must be solved (Washington, DC: OTA, August 1993); and the systematically, not piecemeal, in order to attain an analysis of privacy issues in Protecting Privacy in overall solution. Computerized Medical Information, OTA- This report focuses on policy issues and op- TCT-576 (Washington, DC: U.S. Government tions regarding cryptography policy, guidance on Printing Office, September 1993). safeguarding information in federal agencies, and Chapter 1 Introduction and Policy Summary 17 legal issues of electronic commerce, personal pri- utility, cost, and security. Information can never vacy, and copyright. These policy issues and op- be absolutely secured, so safeguarding informa- tions are summarized in the next section of this tion is not so much an issue of how to secure in- chapter. The remainder of this section summarizes formation as one of how much security a other findings regarding the development and de- government agency or business can justify. ployment of safeguard technologies (for a detailed There is a great need for federal agencies, as discussion, see chapter 2). well as other organizations, to develop more ro- The fast-changing and competitive market- bust security policies that match the reality of place that produced the Internet and a strong net- modem information networks. These policies working and software industry in the United should support the specific agency objectives and States has not consistently produced products interests, including but not limited to policies re- equipped with affordable, easily used safeguards. garding private information. The policies must In general, many individual products and tech- also anticipate a future where more information niques are currently available to adequately safe- may be shared among agencies. Finally, these po- guard specific information networks—provided licies should be mandated from the highest level. the user knows what to purchase, and can afford The single most important step toward im- and correctly use the product. Nevertheless, better plementing proper safeguards for networked and more affordable products are needed. In par- information in a federal agency or other organiza- ticular, there is a need for products that integrate tion is for its top management to define the orga- security features with other functions for use in nization’s overall objectives and a security policy electronic commerce, electronic mail, or other ap- to reflect those objectives. Only top management plications. can consolidate the consensus and apply the re- More study is needed to fully understand ven- sources necessary to effectively protect net- dors’ responsibilities with respect to software and worked information. For the federal government, hardware product quality and liability. More study this means guidance from OMB, commitment is also needed to understand the effects of export from top agency management, and oversight by controls on the domestic and global markets for Congress. information safeguards and on the ability of safe- Both risk analysis and principles of due care guard developers and vendors to produce more af- need further development. Neither approach is fordable products. Broader efforts to safeguard necessarily always appropriate and therefore nei- networked information will be frustrated unless ther is always sufficient to provide a strong de- cryptography-policy issues are resolved (see fense against liability in the case of a monetary chapter 4). loss related to loss, theft, or exposure of net- A public-key infrastructure (PKI) is a critical worked information. A combination of the two underpinning for electronic commerce and trans- approaches will likely provide improved protec- actions. The establishment of a system of certifi- tion. Before formal models can be successful for cation authorities and legal standards, in turn, is safeguarding the exchange of information among essential to the development of a public-key infra- government agencies or other organizations, the structure and to safeguarding business and per- entities must first review and coordinate their in- sonal transactions. Current PKI proposals need formation-security policies. These policies can further development and review, however, before then be implemented according to new or existing they can be deployed successfully. formal models as needed. OTA found in its inter- Ideally, the safeguards an organization imple- views, however, that while exploration into new ments to protect networked information should re- types of formal models maybe warranted, there is flect the organization’s overall objectives. In considerable doubt about the utility of formal practice, this is often not the case. Network de- models for safeguarding networked information, signers must continuously struggle to balance 8 I Information Security and Privacy in Network Environments particularly to protect the integrity and availabil- employees, students, and the public at large) about ity of information. ethical behavior. The federal government trusted product eval- uation process is not, and will not soon be, effec- POLICY ISSUES AND OPTIONS tive for delivering products that adequately This report focuses on policy issues in three areas: protect unclassified information in network envi- 1 ) national cryptography policy, including federal ronments. Alternatives to that approach appear information processing standards and export con- promising, however, including (but not limited to) trols; 2) guidance on safeguarding unclassified in- NIST’s Trusted Technology Assessment Pro- formation in federal agencies; and 3) legal issues gram. Generally Accepted System Security Prin- and information security, including electronic ciples (GSSP) also have strategic importance for commerce, privacy, and intellectual property. establishing due care guidelines for cost-justify- Chapter 4 discusses cryptography policy and ing safeguards, as targets for training and profes- guidance on safeguarding information in federal sional programs, and as targets for insurance agencies. It examines the current public contro- coverage. The current federal effort in GSSP will versies regarding the Clinton Administration’s es- not produce immediate results, but the effort is crowed-encryption initiative and the development overdue and OTA found wide support for its mis- of new federal information processing standards sion. Efforts to “professionalize” the information based on cryptography. Because the Computer Se- security field are important, but will not produce curity Act of 1987 (Public Law 100-235) is signif- significant results for some time. Success depends icant for both development of the FIPS and significantly upon the success of Generally Ac- agency guidance on safeguarding information, cepted System Security Principles and their adop- chapter 4 also examines the act in some depth, in- tion in industry and government. cluding the continuing controversies concerning Emergency response efforts are vital to safe- its implementation and the working relationship guarding networked information, due to the rela- between NIST and NSA. tive lack of shared information about vulner- Chapter 3 examines legal issues including: dis- abilities on information networks. Expanding cur- cussion of nonrepudiation services and digital sig- rent efforts could further improve the coordination natures for electronic commerce; the Privacy Act of system administrators and managers charged of 1974 and the implications for the United States with protecting networked information. of privacy initiatives in the European Union; and Criminal and civil sanctions constitute only copyright for networked information and multi- one aspect of safeguarding networked informa- media works. tion. Further study is needed to determine the ef- fectiveness of such sanctions, as opposed to improving the effectiveness of law enforcement to D National Cryptography Policy act on existing laws. With the rapid expansion of The federal government faces a fundamental ten- the networked society, there is a great need to sup- sion between two important policy objectives: 1 ) port reevaluation of fundamental ethical prin- fostering the development and widespread use of ciples-—work that is currently receiving too little cost-effective information safeguards, and 2) con- attention. More resources also could be applied to trolling the proliferation of safeguard technolo- study and improve the methods and materials used gies that can impair U.S. signals-intelligence and in education of ethical use of networked informa- law-enforcement capabilities. This tension runs tion, so that more effective packages are available throughout the government activities as a devel- to schools and organizations that train users. Fi- oper, user, and regulator of safeguard technolo- nally, more resources could also be directly ap- gies. This tension is manifested in concerns over plied to educate users (including federal the proliferation of cryptography that could im- Chapter 1 Introduction and Policy Summary 19 pair U.S. signals intelligence and law enforce- electronic commerce; and it will help manage ment, and in the resulting struggle to control copyrighted material in electronic form. cryptography through use of federal standards and Policy debate over cryptography used to be as export controls. arcane as the technology itself. Most people didn't Despite the growth in nongovernmental cryp- regard government decisions about cryptography tographic research and safeguard development as directly affecting their lives. However, as the over the past 20 years, the federal government still communications technologies used in daily life has the most expertise in cryptography.12 There- have changed, concern over the implications of fore, the federal information processing standards privacy and security policies dominated by na- developed by NIST substantially influence the de- tional security objectives has grown dramatically y, velopment and use of safeguards based on cryp- particularly in business and academic communi- tography in the private sector as well as in ties that produce or use information safeguards, 13 government. The nongovernmental market for but among the general public as well. This con- cryptography-based products has grown in the last cern is reflected in the ongoing debates over key- 20 years or so, but is still developing, Export con- escrow encryption and the government’s trols also have substantial significance for the de- Escrowed Encryption Standard (EES).14 velopment and use of these technologies. Previously, control of the availability and use Therefore, Congress’s choices in setting national of cryptography was presented as a national-secu- cryptography policies (including standards and rity issue focused outward, with the intention of export controls) affect information security and maintaining a U.S. technological lead over other privacy in society as a whole. countries. Now, with an increasing policy focus Cryptography has become a technology of on domestic crime and terrorism, the availability broad application; thus, decisions about cryptog- and use of cryptography has also come into promi- raphy policy have increasingly broad effects on nence as a domestic-security, law-enforcement society. The effects of policies about cryptogra- issue. More widespread foreign use of cryptogra- phy are not limited to technological developments phy—including use by terrorists and developing in cryptography, or even to the health and vitality countries-makes U.S. signals intelligence more of companies that produce or use products incor- difficult. Within the United States, cryptography porating cryptography. Instead, these policies will is increasingly portrayed as a threat to domestic increasingly affect the everyday lives of most security (public safety) and a barrier to law en- Americans: cryptography will be used to help en- forcement if it is readily available for use by ter- sure the confidentiality and integrity of health re- rorists or criminals. There is also growing cords and tax returns; it will help speed the way to ‘ 2 -I-k gok ~àc mrmntal rmmopoly on cryptography has been eroding. Over the past three decades, the gm’cmment siruggle for c(mtr{~l has been exacerbated by technological advances m computing and microelectronics that have made inexpensl~ e cryp[t~graph) potentially ublqul - t(ms, and by mcreasmg private-sector capabilities m cryptography (as evidenced by independent devch~pment of c(mmlcrcial. publlc-hq tm- cv ptl(m systems). These de}eh)prnents have made p)ssible the Increasing rel]ance on digital c(mm~unicati~ms and tnft)m~atl(m prtwess]ng ftw c(m~nwrctal transactifms and (jperatitms in [he public and pn~ate sectors. Together, they have enabled and supp}rtcd a grt~u Ing tnclu~t~ scg- nwrrt ~)ffcmng a variety of hardware- and software-based in fomlation safeguards based on c~ ptography. I \ With re$p.ct t. ~nf{)mlatl{)n safegutids based on Cryptography, nati(mal-security concerns shape the safeguard standards (I.e. the F]pS) a~atlable to agcncws for safeguarding unclassified in f(mnati(m. Theref(we, these c(mcems also affect civilian agencies that arc usual]) m~t (h(~ught of [n c(~njuncti(m with nati(mal security. I ~ ~c EES is intended for use in safeguarding voice, facsimile, (jr c(m]puter data ctmmmnicated in a telephone SJ stem. me Cllpper chip ls des]gned for use in teleph(me systems; it c(mtains the EES encryption algorithm, called SKIPJACK. The Clipper-chip IS being used in the AT&T Surlty Telephtme Dewce 3600, which has a retail price ~}f ahmt $1,100. 10 I Information Security and Privacy in Network Environments recognition of the potential misuses of cryptogra- discouraging future development and use of en- phy, such as by disgruntled employees as a means cryption without built-in law enforcement access, to sabotage an employer’s databases. Thus, export in favor of key-escrow encryption and related controls, intended to restrict the international technologies. Wide use of the EES and related availability of U.S. cryptography technology and technologies could ultimately reduce the variety products, are now being joined with domestic of other cryptography products through market cryptography initiatives intended to preserve U.S. dominance that makes the other products more law-enforcement and signals-intelligence capa- scarce or more costly. bilities. Concerns over the proliferation of encryption that have shaped and/or retarded federal standards Federal Information Processing Standards development have complicated federal agencies’ Based on Cryptography technological choices. For example, as appendix The Escrowed Encryption Standard has been pro- C explains, national security concerns regarding mulgated by the Clinton Administration as a vol- the increasingly widespread availability of robust untary alternative to the original federal encryption-and, more recently, patent prob- encryption standard used to safeguard unclassi- lems-contributed to the extraordinarily lengthy fied information, the Data Encryption Standard development of a federal standard for digital sig- (DES). A key-escrowing scheme is built in to en- natures: NIST first published a solicitation for sure lawfully authorized electronic surveillance public-key cryptographic algorithms in 1982, and when key-escrow encryption is used (see box 2-7 the DSS was finally approved in May 1994. and box 4-2). The federal Digital Signature Stan- Public-key cryptography can be used for digital dard (DSS) uses a public-key signature technique signatures, for encryption, and for secure distribu- but does not offer public-key encryption or key- tion or exchange of cryptographic keys. The DSS management functions (see box 4-4). Therefore, is intended to supplant, at least in part, the demand it cannot support secure exchange of cryptograph- for other public-key cryptography by providing a ic keys for use with the DES or other encryption method for generating and verifying digital signa- algorithms. tures. However, while the DSS algorithm is a pub- In OTA’s view, both the EES and the DSS are lic-key signature algorithm, it is not a public-key federal standards that are part of a long-term con- encryption algorithm (see box 4-4). That means, trol strategy intended to retard the general avail- for example, that it cannot be used to securely dis- ability of “unbreakable” or “hard to break” tribute “secret” encryption keys, such as those cryptography within the United States, for reasons used with the DES algorithm (see figure 2-4). of national security and law enforcement. It ap- Some sort of interoperable (i.e., standardized) pears that the EES is intended to complement the method for secure key exchange is still needed. ] 5 DSS in this overall encryption-control strategy, by As this report was completed, the DSS had been IS One pub]ic.key a]gori~m Mat can be used for key distribution is the “RSA” algorithm; the RSA algorithm Cm encrypt. ne llSA SWem was proposed in 1978 by Ronald Rivest, Adi Shamir, and Leonard Adleman. The Diffle-Hellman technique is another method for key genera- tion and exchange; it does not encrypt (see figure 2-5). Chapter 1 Introduction and Policy Summary I 11 issued, but there was no FIPS for public-key key U.S. Export Controls on Cryptography exchange. 16 The United States has two regulatory regimes for The lengthy evolution of the DSS meant that exports, depending on whether the item to be ex- federal agencies had begun to look to commercial ported is military in nature, or is “dual- use,” hav- products (e.g., based on the Rivest-Shamir-Adle- ing both civilian and military uses. These regimes man, or RSA, system) to meet immediate needs for are administered by the State Department and the digital signature technology. The introduction of Commerce Department, respectively. Both re- the EES additionally complicates agencies’ tech- gimes provide export controls on selected goods nological choices, in that the EES and related gov- or technologies for reasons of national security or ernment key-escrowing techniques (e.g., for data foreign policy. Licenses are required to export communication or file encryption) for may not be- products, services, or scientific and technical data come popular in the private sector for some time, originating in the United States, or to re-export if at all. As this report was finalized, the EES has these from another country. Licensing require- not yet been embraced within government and is ments vary according to the nature of the item to largely unpopular outside of government. There- be exported, the end use, the end user, and, in some fore, agencies may need to support multiple en- cases, the intended destination. For many items, cryption technologies both for transactions (i.e., no specific approval is required and a ‘*general li- signatures) and for communications (i.e., encryp- cense” applies (e.g., when the item in question is tion, key exchange) with each other, with the pub- not military or dual-use and/or is wide] y available lic, and with the private sector. from foreign sources). In other cases, an export In July 1994, Vice President Al Gore indicated license must be applied for from either the State the Clinton Administration’s willingness to ex- Department or the Commerce Department, de- plore industry alternatives for key-escrow encryp- pending on the nature of the item. In general, the tion, including techniques based on unclassified State Department’s licensing requirements are algorithms or implemented in software.17 These more stringent and broader in scope. 18 alternatives would be used to safeguard informa- Software and hardware for robust, user-con- tion in computer networks and video networks; trolled encryption are under State Department the EES and Clipper chip would be retained for control. unless State grants jurisdiction to Com- telephony. Whether the fruits of this exploration merce. This has become increasingly controver- result in increased acceptance of key-escrow en- sial, especial] y for the information technology and cryption within the United States and abroad will software industries. The impact of export controls not be evident for some time. 10 Tw,() inlplen)en[at[{)ns ~)( [he E~s ~ncgptl(}~ ~lgor[[hr,] [hat a~~ us~(j In ~~t~ ~or]lrllunl~~[lons-t}lc” (“(//) fl{)nc 01//) ;llld the T~-.\.\fi-//z\ carddo contain a publ]c-lwy Key Exchange Alg(mthrn ( KEA ). Hmve\ cr, at this ritlng, the Kc) Exch:inge Algtmthm 1~ m~t part (~fany FIPS. Therefore, (Jrganizatltms that do not use Capstone f~r TESSERA still need to select a secure and hmmqwrablc f(mm t~f l+ di\trlbuti(m. Ilc Capsttme chip is used for data comrnimications and c(mtalns the EES algorithm (callc(’ SKIPJACK), as well as dtgltid-signature and he) -c\- change functi(ms. However, at th]s writing, the Key E\change Algorithm is not part of any FIPS. Therefore, (~rgimizall[ms that do m)t usc Cap- sume (w TESSERA slill need to select a secure and intm(~perable foml of Key dlstrlbutl(m. TESS ERA IS a PCMC’I A ~id [hiit ct~n(il[ns ii Cilp\ton~ chip. ~ 7 Vice ~e51~en[ Al @re, letter (() Reprcstm[atiw Maria Cantwcll, July 20, 1994. SW also Nell Munro, ‘“The Key tt~ Clipper Available t{) the W(mld,” Washington Tcchrrolog], July 28.1994, pp. 1, 18. 18 F{)r a C(,mparlson ,Jf the tw,() ~KV)~.controj” ~cglnlc~, sec U,S, ~,cn~ral A~c(Iuntlng of fiC.C, fi”~p[lr] [’~jr?]r<>/,$: /.$ $uc.$ ~n Rcm{)) ;/,,: ,\f///larYtYt .%n.f~flte IIem.fjiwn the MImIII~m.$ I.1$1, GAO NSIAD-93-67 (Washlngt(m, DC tJ.S. Gt)\cmnwnt Printing Oflke. March 1993), ~sp>~iiill]r pp. 10- I 3. 12 I Information Security and Privacy in Network Environments on the overall cost and availability of safeguards is impact of these reforms over the next year and pro- especially troublesome to business and industry at vide feedback on how well they have worked, as a time when U.S. high-technology firms find well as recommendations for additional procedur- themselves as targets for sophisticated foreign-in- al reforms. telligence attacks and thus have urgent need for In the 103d Congress, legislation intended to sophisticated safeguards that can be used in opera- streamline export controls and ease restrictions on tions worldwide. 19 Moreover, software producers mass-market computer software, hardware, and assert that several other countries do have more re- technology, including certain encryption soft- laxed export controls on cryptography. ware, was introduced by Representative Maria On the other hand, U.S. export controls may Cantwell (H.R. 3627) and Senator Patty Murray have substantially slowed the proliferation of (S. 1846). In considering the Omnibus Export Ad- cryptography to foreign adversaries over the ministration Act (H.R. 3937), the House Commit- years. Unfortunately, there is little public explana- tee on Foreign Affairs reported a version of the bill tion regarding the degree of success of these ex- in which most computer software (including soft- port controls and the necessity for maintaining ware with encryption capabilities) was under strict controls on strong cryptography in the face Commerce Department controls and in which ex- of foreign supply and networks like the Internet port restrictions for mass-market software with that seamlessly cross national boundaries. (See encryption were eased.21 In its report, the House the OTA report Export Controls and Nonprolifer- Permanent Select Committee on Intelligence ation Policy, OTA-ISS-596, May 1994, for a gen- struck out this portion of the bill and replaced it eral discussion of the costs and benefits of export with a new section calling for the President to re- controls on dual-use goods.) port to Congress within 150days of enactment, re- New licensing procedures were expected to ap- garding the current and future international pear in the Federal Register in summer 1994; they market for software with encryption and the eco- had not appeared by the time this report was com- nomic impact of U.S. export controls on the U.S. pleted. Changes were expected to include license computer software industry.22 reform measures to reduce the need to obtain indi- At this writing, the omnibus export administra- vidual licenses for each end user, rapid review of tion legislation was still pending. Both the House export license applications, personal-use exemp- and Senate bills contained language calling for the tions for U.S. citizens temporarily taking encryp- Clinton Administration to conduct comprehen- tion products abroad for their own use, and special sive studies on the international market and avail- licensing arrangements allowing export of key-es- ability of encryption technologies and the crow encryption products (e.g., EES products) to economic effects of U.S. export controls. In his most end users.20 The Secretary of State has asked July 20, 1994 letter to Representative Cantwell, encryption-product manufacturers to evaluate the 19 The Threa/ @Foreign EcWWT)Ic Esplo~ge to U.S. Corporations, Hearings Before the Subwmmittee on Economic and cOTTUWCld Law, House Committee on the Judiciary, Serial No. 65, 102d Cong., 2d sess., Apr. 29 and May 7, 1992. 20 Rose Biancaniello, Office of Defense Trade Controls, Bureau of Political-Military Affairs, U.S. Department of State, personal comnw- nicati(m, May 24, 1994. 21 U.S. Congress, House of Representatives, Omnibus E.vporf Administration Act of f994, H. Rept. 103-531, 103d Cong., 2d sess., Parts I (Committee on Foreign Affairs, May 25, 1994),2 (Permanent Select Committee on Intelligence, June 16, 1994), 3 (Committee on Ways and Means, June 7, 1994), and 4 (Committee on Armed Services, June 17, 1994) (Washington, DC, U.S. Government Printing Office, 1994); and H.R. 4663 (Omnibus Export Administration Act of 1994, June 28. 1994). Forthe cryptography provisions, see Omnibus E.xporr Adminisfrafion Acf of )994, Part 1, pp. 57-58 (H.R. 3937, sec. 1 I 7(c)(l )-(4)). 22 Omn;bils E.~p~rf Adminis[rafion Act of)994, PaII 2, pp. 1-5 (H.R. 393_I’, sec. 11 7(c) ( I )-(~)). Chapter 1 Introduction and Policy Summary 113 Vice President Gore assured her that the “best tablished a Computer System Security and available resources of the federal government” Privacy Advisory Board within the Department of would be used in conducting these studies and that Commerce, and required Commerce to promul- the Clinton Administration will “reassess our ex- gate regulations based on NIST guidelines. Addi- isting export controls based on the results of these tionally, the act required federal agencies to studies.”23 identify computer systems containing sensitive information, to develop security plans for identi- Implementation of the Computer fied systems, and to provide periodic training in Security Act of 1987 computer security for all federal employees and The Computer Security Act of 1987 is fundamen- contractors who manage, use, or operate federal tal to development of federal standards for safe- computer systems. guarding unclassified information, balancing In its workshops and discussions with federal national-security and other objectives in imple- employees and knowledgeable outside observers, menting security and privacy policies within the OTA found that these provisions of the Computer federal government, and issues concerning gov- Security Act are viewed as generally adequate as ernment control of cryptography. Moreover, re- written, but that their implementation can be prob- view of the controversies and debate surrounding lematic. OTA found strong sentiment that agen- the act—and subsequent controversies over its cies follow the rules set forth by the Computer implementation—provides background for un- Security Act, but not necessarily the full intent of derstanding current issues concerning the EES the act (also see discussion of OMB Circular and the DSS. A-130 below). The Computer Security Act of 1987 (see text in The Computer Security Act gave final author- appendix B) was a legislative response to overlap- ity for developing government-wide standards ping responsibilities for computer security among and guidelines for unclassified, but sensitive, in- several federal agencies, heightened awareness of formation and for developing government-wide computer security issues, and concern over how training programs to NIST (then the National Bu- best to control information in computerized or reau of Standards). In carrying out these responsi- networked form. The act established a federal bilities, NIST can draw on the substantial government computer-security program that expertise of NSA and other relevant agencies. would protect all sensitive, but unclassified, in- Implementation of the Computer Security Act formation in federal government computer sys- has been especially controversial regarding the tems and would develop standards and guidelines roles of NIST and NSA in standards development. to facilitate such protection. Specifically, the A 1989 memorandum of understanding (MOU) Computer Security Act assigned responsibility between the Director of NIST and the Director of for developing government-wide, computer-sys- NSA established the mechanisms of the working tem security standards and guidelines and securi- relationship between the two agencies in imple- ty-training programs to the National Bureau of menting the act.24 This memorandum of under- Standards (now the National Institute of Stan- standing has been controversial. Observers— dards and Technology, or NIST). The act also es- including OTA-consider that it appears to cede ~~ VICC President Al G(we, f)p, ctt., ft~(~tnote 17. ‘q Memorandum of L’nderstandlng Betw ccn the Director of the National Institute of Standards and Technology and the Director of [he Na- tt(mal Sccurtty Agency C(mccming the Implementati(m of Public Law 100-235, Mar. 23, 1989. (See text of MOU in appendix B.) 14 I Information Security and Privacy in Network Environments to NSA much more authority than the act itself Thus, the provisions of the memorandum of had granted or envisioned, especially considering understanding give NSA power to delay and/or the House report accompanying the legislation.25 appeal any NIST research programs involving The joint NIST/NSA Technical Working “technical system security techniques” (such as Group (TWG) established by the memorandum of encryption), or other technical activities that understanding merits particular attention. The would support (or could lead to) proposed stan- MOU authorizes NIST and NSA to establish the dards or guidelines that NSA would ultimately working group to “review and analyze issues of object to.27 mutual interest pertinent to protection of systems NIST and NSA disagree with these conclu- that process sensitive or other unclassified in- sions. According to NIST and NSA officials who formation.” Where the act had envisioned NIST reviewed a draft of this report, NIST has retained calling on NSA’s expertise at its discretion, the its full authority in issuing federal information MOU’s working-group mechanism involves NSA processing standards and NSA’s role is merely ad- in all NIST activities related to information-secu- visory. In discussions with OTA, officials from rity standards and technical guidelines, as well as both agencies maintained that no part of the MOU proposed research programs that would support is contrary to the Computer Security Act of 1987, them. and that the controversy and concerns are due to For example, the standards-appeal mechanism “misperceptions.” 28 set forth in the Computer Security Act allowed the When OTA inquired about the MOU/TWG ap- President to disapprove or modify standards or peals process in particular, officials in both agen- guidelines developed by NIST and promulgated cies maintained that the appeals process does not by the Secretary of Commerce, if he or she deter- conflict with the Computer Security Act of 1987 mined such an action to be in the public interest. because it concerns proposed research and devel- Should the President disapprove or modify a stan- opment projects that could lead to future NIST dard or guideline that he or she determines will not standards, not fully developed NIST standards serve the public interest, notice must be submitted submitted to the Secretary of Commerce or the to the House Committee on Government Opera- President. 29 In discussions with OTA, senior tions and the Senate Committee on Governmental NIST and NSA staff stated that the appeals mech- Affairs, and must be published promptly in the anism specified in the Computer Security Act has Federal Register.26 By contrast, interagency dis- never been used, and pointed to this as evidence of cussions and negotiations by agency staffs under how well the NIST/NSA relationship is working the MOU can result in delay, modification, or in implementing the act.30 In discussions with abandonment of proposed NIST standards activi- OTA staff regarding a draft of this OTA report, ties, without notice or the benefit of oversight that Clinton Brooks, Special Assistant to the Director is required by the appeals mechanism set forth in of NSA, stated that cryptography presents special the Computer Security Act. ‘f U.S. House of Representatives, Computer Securi/yAct of 1987-Report to AccompanyH.R. /45, H. Rept. No. 100-153, Part 1 (Committee on Science, Space, and Technology) and Pd. t 11 (Committee on Government Operations), 100th Cong., I st sess., June 11, 1987. 26 Public Law 100-235, sec. 4. The President cannot delegate authority to disapprove or modify proposed NIST standards 27 M(XJ, op. cit., footnote 24, sees. 111(5)-(7). ‘g OTA staff interviews with NIST and NSA officials in October 1993 and January 1994. 29 OTA staff interviews, ibid. 30 OTA staff intenlew wl~ M. Rubin (Wputy Chief t3mnsel, NIST) on Jan. 13, 1994 and with four NSA representatives on Jan. lg~ ~ 99’$, Chapter 1 Introduction and Policy Summary 115 problems with respect to the Computer Security communities. Sometimes federal safeguard stan- Act, and that if NSA waited until NIST announced dards are accepted as having broad applicability. a proposed standard to voice national security But it is not clear that the government can--or concerns, the technology would already be “out” should--develop all-purpose technical safeguard via NIST’s public standards process.31 standards, or that the safeguard technologies be- However, even if implementation of the Com- ing issued as FIPS can be made to meet the range puter Security Act of 1987, as specified in the of user needs. More open processes for determin- MOU, is satisfactory to both NIST and NSA, this ing how safeguard technologies are to be devel- is not proof that it meets Congress’s expectations oped and/or deployed throughout society can in enacting that legislation. Moreover, chronic better ensure that a variety of user needs are met public suspicions of and concerns with federal equitably. If it is in the public interest to provide a safeguard standards and processes are counterpro- wider range of technical choices than those pro- ductive to federal leadership in promoting respon- vided by government-specified technologies (i.e., sible use of safeguards and to public confidence in the FIPS), then vigorous academic and private- government. sector capabilities in safeguard technologies are It may be the case that using two executive required. branch agencies as the means to effect a satisfacto- More open policies and processes can be used ry balance between national security and other to increase equity and acceptance in implement- public interests in setting safeguard standards will ing cryptography and other technologies. The cur- inevitably be limited, due to intrabranch coordina- rent controversies over cryptography can be tion mechanisms in the National Security Council characterized in terms of tensions between the and other bodies. These natural coordination government and individuals. They center on the mechanisms will determine the balance between issue of trust in government. Trust is a particular national-security interests, law-enforcement in- issue in cases like cryptography, when national- terests, and other aspects of the public interest. security concerns restrict the equal sharing of in- The process by which the executive branch formation between the government and the chooses this balancing point may inevitably be public. Government initiatives of broad public ap- obscure outside the executive branch. (For exam- plication, formulated in secret and executed with- ple, the Clinton Administration’s recent cryptog- out legislation, naturally give rise to concerns raphy policy study is classified, with no public over their intent and application. The process by summary.) which the EES was selected and approved was Public visibility into the decision process is closed to those outside the executive branch. Fur- only through its manifestations in a FIPS, in ex- thermore, the institutional and procedural means port policies and procedures, and so forth. When by which key-escrow encryption is being the consequences of these decisions are viewed by deployed (such as the escrow-management proce- many of the public as not meeting important dures) continue to be developed in a closed forum. needs, or when the government preferred techni- The Clinton Administration made a start at cal “solution” is not considered acceptable, a lack working more closely and more openly with in- of visibility, credible explanation, and/or useful dustry through a “Key Escrow Encryption Work- alternatives fosters mistrust and frustration. shop” held at NIST on June 10, 1994. The Technological variety—having a number of al- workshop was attended by representatives of ternatives to choose from—is important in meet- many of the leading computer hardware and soft- ing the needs of a diversity of individuals and ware companies, as well as attendees from gov- ~ I C]ln[on Br(x)ks, s~cia] Assistant to the Director, NSA, personal communication, May’ 2$ 1994. 16 I Information Security and Privacy in Network Environments ernment and academia. The proposed action plan to support a congressional policy review of cryp- subsequent to the NIST workshop called for the tography is out of phase with the government’s establishment of joint industry-government implementation of key-escrow encryption. There- working groups (with NIST leadership) to: eval- fore: uate all known key-escrowing proposals accord- ing to criteria jointly developed by government OPTION: Congress could consider placing a hold on and industry, hold a public seminar/workshop to further deployment of key-escrow encryption, pending discuss and document the results of this analysis, a congressional policy review. and prepare a report to be used as the basis for sub- sequent discussions between government offi- cials and the private sector. Based on the discussion and industry presentations at the meet- An important outcome of a broad review of na- ing, there was increasing interest in exploring tional cryptography policy would be the develop- “other” approaches to key-escrow encryption that ment of more open processes to determine how can be implemented in software, rather than just in cryptography will be deployed throughout soci- hardware. ety. This deployment includes development of the On July 20, 1994, acknowledging industry’s public-key infrastructures and certification au- concerns regarding encryption and export policy, thorities that will support electronic delivery of Vice President Gore sent a letter to Representative government services, copyright management, and Cantwell that announced a "new phase” of coop- digital commerce. eration among government, industry, and privacy More open processes would build trust and advocates. This will include working with indus- confidence in government operations and leader- try to explore alternative types of key-escrow en- ship. More openness would allow diverse stake- cryption, such as those based on unclassified holders to understand how their views and algorithms or implemented in software; escrow- concerns were being balanced with those of oth- system safeguards, use of nongovernmental key- ers, in establishing an equitable deployment of escrow agents, and liability issues will also be these technologies, even when some of the specif- explored. This is in the context of computer and ics of the technology remain classified. (See also video networks, not telephony; the present EES the policy section below on safeguarding informa- (e.g., in the Clipper chip) would still be used for tion in federal agencies.) More open processes telephone systems. would also allow for public consensus-building, providing better information for use in congres- sional oversight of agency activities. Toward Congressional Review of these ends: Cryptography Policy Congress has vital, strategic roles in cryptography OPTION: Congress could address the extent to which policy and, more generally, in safeguarding in- the current working relationship between NIST and NSA formation and protecting personal privacy in a will be a satisfactory part of this open process, or the ex- networked society. Recognizing the importance tent to which the current arrangements should be re- of the technology and the policies that govern its evaluated and revised. development, dissemination, and use, Congress has asked the National Research Council (NRC) to conduct a major study that would support a broad review of cryptography. Another important outcome of a broad policy The results of the NRC study are expected to be review would be a clarification of national in- available in 1996. But, given the speed with which formation-policy principles in the face of techno- the Clinton Administration is acting, information logical change: Chapter 1 Introduction and Policy Summary I 17 OPTION: Congress could state its policy as to when the licensing reforms and the executive branch study impacts of a technology (like cryptography) are so of the encryption market and export controls that powerful and pervasive that legislation is needed to was included in the 1994 export-administration provide sufficient pubic visibility and accountability for legislation should provide some near-term in- government actions. formation. However, the scope and methodology of the ex- port-control studies that Congress might wish to use in the future may differ from these. Therefore: For example, many of the concerns surround- ing the Escrowed Encryption Standard and the OPTION: Congress might wish to assess the validity Clinton Administration’s escrowed-encryption and effectiveness of the Clinton Administration's stud- initiative, in general, focus on whether key-es- ies of export controls on cryptography by conducting crow encryption will become mandatory for gov- oversight hearings, by undertaking a staff analysis, or ernment agencies or the private sector, if by requesting a study from the Congressional/ Budget nonescrowed encryption will be banned, and/or if Office. these actions could be taken without legislation. Other concerns focus on whether or not alternative Congressional Responses to forms of encryption would be available that would Escrowed-Encryption Initiatives allow private individuals and organizations the Congress also has a more near-term role to play in option of depositing keys (or not) with one or determining the extent to which—and how—the more third-party trustees—at their discretion.32 EES and other escrowed-encryption systems will The National Research Council study should be deployed in the United States. These actions be valuable in helping Congress to understand the can be taken within a long-term, strategic frame- broad range of technical and institutional alterna- work. Congressional oversight of the effective- tives available for various types of trusteeships for ness of policy measures and controls can allow cryptographic keys, “digital powers of attorney,” Congress to revisit these issues as needed, or as and the like. However, if implementation of the the consequences of previous decisions become EES and related technologies continues at the cur- more apparent. rent pace, key-escrow encryption may already be The Escrowed Encryption Standard (Clipper) embedded in information systems before Con- was issued as a voluntary FIPS; use of the EES by gress can act on the NRC report. the private sector is also voluntary. The Clinton As part of a broad national cryptography Administration has stated that it has no plans to policy, Congress may wish to periodically ex- make escrowed encryption mandatory, or to ban amine export controls on cryptography, to ensure other forms of encryption. But, absent legislation, that these continue to reflect an appropriate bal- these intentions are not binding for future admin- ance between the needs of signals intelligence and istrations and also leave open the question of what law enforcement and the needs of the public and will happen if the EES and related technologies do business communities. This examination would not prove acceptable to the private sector. More- take into account changes in foreign capabilities over, the executive branch may soon be using the and foreign availability of cryptographic technol- EES and/or related escrowed-encryption technol- ogies. Information from industry on the results of ogies to safeguard—among other things—large ~Z ~ere ~e ~ea~on~ ~hy ~)rganlzallons and indlviduals might want the op[ion {Jf placing c(~pks of cryptographic keYs “ith th’r~-PW’ trustees (m custodians offheu- oun choosing. For example, there is growing recogniti(m of the problems that could occur if cryptography is used m corp)rati(ms w ith(mt adequate key management and without override capabilities by responsible corporate officers. These problems could include data being rendered inaccessible after having been encrypted by employees who subsequently leave the c(m~pany ((w die). 18 I Information Security and Privacy in Network Environments volumes of private information about individuals OPTION: Congress could consider allowing damages (e.g., taxpayer data, health-care information, and to be awarded for individuals or organizations who were SO forth). harmed by misuse or unauthorized disclosure of es- For these reasons, the EES and other key-es- crowed key components. crowing initiatives are by no means only an execu- 1 Safeguarding Information tive branch concern. The EES and any subsequent in Federal Agencies escrowed-encryption standards also warrant con- Congress has an even more direct role in estab- gressional attention because of the public funds lishing the policy guidance within which federal that will be spent in deploying them. Moreover, agencies safeguard information, and in oversight negative public perceptions of the EES and the of agency and OMB measures to implement in- processes by which encryption standards are de- formation security and privacy requirements. The veloped and deployed may erode public confi- Office of Management and Budget is responsible dence and trust in government and, consequently, for developing and implementing government- the effectiveness of federal leadership in promot- wide policies for information resource manage- ing responsible safeguard use. ment; for overseeing the development and In responding to current escrowed-encryption promoting the use of government information- initiatives like the EES, and in determining the ex- management principles, standards, and guide- tent to which appropriated funds should be used in lines; and for evaluating the adequacy and implementing key-escrow encryption and related efficiency of agency information-management technologies: practices. Information-security managers in fed- OPTION: Congress could address the appropriate eral agencies must compete for resources and sup- locations of the key-escrow agents, particularly for fed- port to properly implement needed safeguards. In eral agencies, before additional investments are made order for their efforts to succeed, both OMB and in staff and facilities for them. Public acceptance of key- top agency management must fully support in- escrow encryption might be improved-but not as- vestments in cost-effective safeguards. Given the sured—by an escrowing system that used separation expected increase in interagency sharing of data, of powers to reduce perceptions of the potential for mis- interagency coordination of privacy and security use. policies is also necessary to ensure uniformly ade- quate protection. The forthcoming revision of Appendix 111 (“Agency Security Plans”) of OMB Circular With respect to current escrowed-encryption A-1 30 is central to improved federal information initiatives like the EES, as well as any subsequent security practices. The revision of Appendix 111 key-escrow encryption initiatives, and in deter- will take into account the provisions and intent of mining the extent to which appropriated funds the Computer Security Act, as well as observa- should be used in implementing key-escrow en- tions regarding agency security plans and prac- cryption and related technologies: tices that resulted from a series of agency visits OPTION: Congress could address the issue of criminal penalties for misuse and unauthorized disclosure of es- crowed key components. Chapter 1 Introduction and Policy Summary 119 made by OMB, NIST, and NSA in 1992.33 In After the revised Appendix III of OMB Circu- practice, there are both insufficient incentives for lar A-130 is issued: compliance and insufficient sanctions for non- compliance with the spirit of the Computer Secu- OPT/O/V: Congress could assess the effectiveness of rity Act. (For example, agencies do develop the the OMB's revised guide/ines, including improvements required security plans; however, the act does not in implementing the Computer Security Acts provisions require agencies to review them periodically or regarding agency security plans and training, in order update them as technologies or circumstances to determine whether additional statutory requirements change. One result of this is that, “[security of or oversight measures are needed. systems tends to atrophy over time unless there is a stimulus to remind agencies of its impor- tance.”34 Another result is that agencies may not This might be accomplished by conducting treat security as an integral component when new systems are being designed and developed.) oversight hearings, undertaking a staff analysis, The forthcoming revision of Appendix III of and/or requesting a study from the General Ac- counting Office. However, the effects of OMB’s OMB Circular A-130 should lead to improved revised guidance may not be apparent for some federal information-security practices. According time after the revised Appendix 111 is issued. to OMB, the revision of Appendix 111 will take Therefore, a few years may pass before GAO is into account the provisions and intent of the Com- able to report government-wide findings that puter Security Act of 1987, as well as observations would be the basis for determining the need for regarding agency security plans and practices further revision or legislation. In the interim: from agency visits. To the extent that the revised Appendix III facilitates more uniform treatment OPTION: Congress could gain additional insight across agencies, it can also make fulfillment of through hearings to gauge the reaction of agencies, as Computer Security Act and Privacy Act require- we// as privacy and security experts from outside gov- ments more effective with respect to data sharing ernment, to OMB's revised guidelines. and secondary uses. The revised Appendix 111 had not been issued by the time this report was completed. Although the Office of Technology Assessment discussed Oversight of this sort might be especially valu- information security and privacy issues with able for agencies, such as the Internal Revenue OMB staff during interviews and a December Service, that are developing major new informa- 1993 OTA workshop, OTA did not have access to tion systems. a draft of the revised security appendix. Therefore, In the course of its oversight and when consid- OTA was unable to assess the revision’s potential ering the direction of any new legislation: for improving information security in federal agencies, for holding agency managers account- OPT/ON: Congress could ensure that agencies include able for security, or for ensuring uniform protec- explicit provisions for safeguarding information assets tion in light of data sharing and secondary uses. in any information-technology planning documents. ~~ OffIce of Managemcn( ~d Budget (in ct~njuncti{~n with N]sT and NSA), observations of Agency Computer Security practices and 1~1- plcmcntatl(m of OMB Bulletin No. 90-08: “Guidance for Preparation of Security Plans for Federal Computer Sy stems That Contain Sensitive Inf{)m]ati{m,” February 1993. 34 Ibid., p. I I. 20 I Information Security and Privacy in Network Environments OPTION: Congress could ensure that agencies budget Escrowed Encryption Standard (Clipper) was de- sufficient resources to safeguard information assets, veloped and implemented. Increased funding whether as a percentage of information-technology could enable NIST to become a more equal part- modernization and/or operating budgets, or otherwise. ner to NSA, at least in deploying (if not develop- ing) cryptographic standards. But, if NIST/NSA OPTION: Congress could ensure that the Department processes and outcomes are to reflect a different of Commerce assigns sufficient resources to N/ST to balance of national security and other public inter- support its Computer Security Act responsibilities, as ests, or more openness, than has been evidenced we// as NIST's other activities related to safeguarding in- over the past five years, clear policy guidance and formation and protecting privacy in networks. oversight will be needed. 1 Legal Issues and Information Security Regarding NIST's computer-security budget, Laws evolve in the context of the mores of the OTA has not determined the extent to which addi- culture, business practices, and technologies of tional funding is needed, or the extent to which the time. The laws currently governing commer- additional funding would improve the overall ef- cial transactions, data privacy, and intellectual fectiveness of NIST’s information-security activi- property were largely developed for a time when ties. However, in staff discussions and workshops, telegraphs, typewriters, and mimeographs were individuals from outside and within government the commonly used office technologies and busi- repeatedly noted that NIST’s security activities ness was conducted with paper documents sent by were not proactive and that NIST often lagged in mail. Technologies and business practices have providing useful and needed standards (the FIPS) dramatically changed, but the law has been slower and guidelines. Many individuals from the private to adapt. Computers, electronic networks, and in- sector felt that NIST’s limited resources for secu- formation systems are now used to routinely proc- rity activities precluded NIST from doing work ess, store, and transmit digital data in most that would also be useful to industry. Additional commercial fields. Changes in communication resources, whether from overall increases in and information technologies are particularly sig- NIST’s budget and/or from formation of a new In- nificant in three areas: electronic commerce, pri- formation Technology Laboratory, could enhance vacy and transborder data flow, and digital NIST’s technical capabilities, enable it to be more libraries. proactive, and hence be more useful to federal agencies and to industry. Electronic Commerce NIST activities with respect to standards and As businesses replace conventional paper doc- guidelines related to cryptography are a special uments with standardized computer forms, the case, however. Increased funding alone will not be need arises to secure the transactions and establish sufficient to ensure NIST’s technological leader- means to authenticate and provide nonrepudiation ship or its fulfillment of the “balancing” role as en- services for electronic transactions, that is, a visioned by the Computer Security Act of 1987. means to establish authenticity y and certify that the With respect to cryptography, national-security transaction was made. Absent a signed paper doc- constraints set forth in executive branch policy di- ument on which any nonauthorized changes could rectives appear to be binding, implemented be detected, a digital signature to prevent, avoid, through executive branch coordinating mecha- or minimize the chance that the electronic docu- nisms including those set forth in the NIST/NSA ment has been altered must be developed. In con- memorandum of understanding. These trast to the courts’ treatment of conventional, constraints have resulted, for example, in the paper-based transactions and records, little guid- closed processes by which the FIPS known as the ance is offered as to whether a particular safeguard Chapter 1 Introduction and Policy Summary 121 technique, procedure, or practice will provide the OPTION: Congress could amend the existing law to in- requisite assurance of enforceability in electronic clude previsions addressing the sharing and matching form. This lack of guidance concerning security of data, or restructure the law overall to track the flow of and enforceability is reflected in the diversity of information between institutions. security and authentication practices used by OPT/ON: Congress could provide for public access for those involved in electronic commerce. individuals to information about themselves, and proto- Legal standards for electronic commercial cols for amendment and correction of personal in- transactions and digital signatures have not been formation. It could also consider providing for online fully developed, and these issues have undergone publication of the Federal Register to improve public little review in the courts. Therefore, action by notice about information collection and practices. Congress may not be warranted now. However: OPTION: Congress could monitor the issue of legal In deciding between courses of actions, Congress standards for electronic transactions and digital signa- could exercise its responsibility for oversight tures, so that these are considered in future policy deci- through hearings and/or investigations, gathering sions about information security information from agency officials involved in pri- vacy issues, as well as citizens, in order to gain a better understanding of what kinds of actions are Protection of Privacy in Data required to implement better custodianship, a Since the 1970s, the United States has concen- minimum standard of quality for privacy protec- trated its efforts to protect the privacy of personal tion, and notice to individuals about use and han- data collected and archived by the federal govern- dling of information. ment. Rapid development of networks and in- Although the United States does not compre- formation processing by computer now makes it hensively regulate the creation and use of such possible for large quantities of personal informa- data in the private sector, foreign governments tion to be acquired, exchanged, stored, and (particularly the European Union) do impose con- matched very quickly. As a result, a market for trols. The Organization for Economic Coopera- computer-matched personal data has expanded tion and Development (OECD) adopted rapidly, and a private-sector information industry guidelines in 1980 to protect the privacy and has grown around the demand for such data. transborder flows of personal data. The difference Increased computerization and linkage of in- between the level of personal privacy protection in formation maintained by the federal government the United States and that of its trading partners, is arguably not addressed by the Privacy Act, who in general more rigorously protect privacy, which approaches privacy issues on an agency- could inhibit the exchange of data with these by-agency basis. To address these developments: countries. U.S. business has some serious con- cerns about the EU proposal, as it relates to the OPT/ON: Congress could allow each agency to ad- data subject’s consent and the transfer of data to dress privacy concerns indivldually through its present non-EU countries. system of review boards. In addressing the sufficiency of existing U.S. legal standards for privacy and security in a net- OPTION: Congress could require agencies to improve worked environment for the private sector: the existing data integrity boards, with a charter to make clearer policy decisions about sharing information and OPTION: Congress could Iegislate to set standards maintaining its Integrity similar to the OECD guidelines; 22 I Information Security and Privacy in Network Environments or, 2. to carry out oversight to protect the privacy in- terests of individuals in information-handling OPTION: Congress could allow individual interests, activities; such as the business community to advise the interna- 3. to develop and monitor the implementation of tional community on its own of its interests in data appropriate security guidelines and practices protection policy However, because the EU's protec- tion scheme could affect U.S. trade in services and for the protection of health care information; could impact upon individuals, Congress may also 4. to advise and develop regulations appropriate wish to monitor and consider the requirements of for- for specific types of information systems: eign data protection rules as they shape U.S. security 5. to monitor and evaluate developments in in- and privacy policy to assure that all interests are re- formation technology with respect to their im- flected. plications for personal privacy in information; and 6. to perform a research and reporting function with respect to information privacy issues in A diversity of interests must be reflected in ad- the United States. dressing the problem of maintaining privacy in Debate continues as to whether such a body computerized information-whether in the public should serve in a regulatory or advisory capacity. or private sector: In the 103d Congress, legislation (S. 1735, the Privacy Protection Act) that would establish a Pri- OPTION: Congress could establish a Federal Privacy vacy Protection Commission has been Commission. introduced. Protection of Intellectual Property in the Digital Libraries Proposals for such a commission or board were Administration of The availability of protected intellectual prop- discussed by the Office of Technology Assess- erty in networked information collections, such as ment in its 1986 study of Electronic Record Sys- digital libraries and other digital information tems and Individual Privacy. OTA cited the lack banks, is placing a strain on the traditional meth- of a federal forum in which the conflicting values ods of protection and payment for use of intel- at stake in the development of federal electronic lectual property. Technologies developed for systems could be fully debated and resolved. As securing information might hold promise for privacy questions will arise in the domestic arena, monitoring the use of protected information, and as well as internationally, a commission could provide a means for collecting and compensating deal with these as well. Data protection boards the owners of intellectual property as well. The have been instituted in several foreign countries, application of intellectual-property law to protect including Sweden, Germany, Luxembourg, works maintained in digital libraries continues to France, Norway, Israel, Austria, Iceland, United be problematic; traditional copyright concepts Kingdom, Finland, Ireland, the Netherlands, Can- such as fair use are not clearly defined as they ap- ada, and Australia. ply to these works; and the means to monitor com- The responsibilities and functions suggested pliance with copyright law and to distribute for a privacy commission or data protection board royalties is not yet resolved. are: OTA addressed these issues in Finding a Bal- 1. to identify privacy concerns, that is to function ance: Computer Software, Intellectual Property, essentially as an alarm system for the protec- and the Challenge of Technological Change, tion of personal privacy; OTA-TCT-527 (Washington, DC: U.S. Govern- Chapter 1 Introduction and Policy Summary 123 ment Printing Office, May 1992). The 1992 report might try a third approach. This approach would included the following options to deal with the is- allow producer and user communities to establish sue of fair use of works in electronic form: common guidelines for use of copyrighted, multi- media works: ● Congress could clarify the Copyright Act fair-use guidelines with regard to lending, re- source sharing, interlibrary loan, archival OPT/ON: Congress could allow information providers and preservation copying, and copying for and purchasers to enter into agreements that would es- patron use. tablish community guidelines without having the force = Congress could establish legislative guidance of law. In so doing, Congress could decide at some regarding fair use of works in electronic form point in the future to review the success of such an ap- and what constitutes copying, reading, and proach. using; or, ■ Congress could direct the Copyright Office, with assistance from producers and users of With respect to rights and royalties for copy- electronic information, to develop and dis- seminate practical guidelines regarding these righted works: issues. -35 With respect to questions raised concerning multi- OPT/ON: Congress could encourage private efforts to media works, the 1992 OTA report suggested that: form rights-c/earing and royalty-collection agencies for groups of copyright owners = Congress could clarify the status of mixed- media works, with regard to their protection Alternatively, under copyright.36 During this assessment, OTA found that the OPTION: Congress might allow private-sector develop- widespread development of multimedia authoring ment of network tracking and monitoring capabilities to tools—integrating film clips, images, music, support a fee-for-use basis for copyrighted works in sound, and other content—raises additional issues electronic form. pertaining to copyright and royalties. With respect to copyright for multimedia works: OPTION: Congress could allow the courts to continue In the latter case, Congress might wish to review to define the law of copyright as it is applied in the world whether a fee-for-use basis for copyrighted works of electronic information; in electronic form is workable, from the stand- or, point of both copyright law and technological ca- pabilities (e.g., Does it serve the fair-use OPT/ON: Congress could take specific legislative ac- exception? Can network technologies effectively tion to clarify and further define the copyright law in the address this question?). This might be accom- world of electronic information. plished by conducting oversight hearings, under- Instead of waiting for legal precedents to be estab- taking a staff analysis, and/or requesting a study lished or developing new legislation, Congress from the Copyright Office. 35 U.S. Congress, office of Technology Assessment, Finding a Balance: Computer Software, lnlelie~’luai property, ati the challenge ?f Techno/ogica/ Change, OTA-TCT-527 (Washington, DC: U.S. Government Printing Office, May 1992), p. 35 (options 3.1, 3.2, and 3.3). M Ibid,, p, 36 (option 3.4). —— — Safeguarding Networked Information 2 etworked information is constantly exposed to threats— events or agents that have the potential to cause harm to a system or information assets. These threats have the po- tential to exploit a network’s many vulnerabilities-- weaknesses,N or points susceptible to attack. New vulnerabilities emerge as systems are built or changed. If these are exploited, substantial financial losses and an overall failure to achieve the original objectives of the network can result. The true incidence rates and losses arising from these threats are unknown, however, since the y are often not detected, not reported, or require placing a monetary value on a relatively intangible loss. Financial institu- tions, in particular, are reluctant to report losses to avoid negative publicity that might cause more losses or loss of business. Also, the probability that particular threats will exploit particular vul- nerabilities in a network—the amount of risk—varies from net- work to network. Although multiple threats often combine to expose a vulner- ability, threats to networked information can be loosely grouped into the following categories: B Human errors and design faults. The largest source of losses is due to unintentional human actions during operations. Some experts estimate that over one-half of the total financial and productivity losses in information systems is the result of 125 26 I Information Security and Privacy in Network Environments human errors, as opposed to intentional and both the main information facilities as well as malicious acts. ] These acts include improperly their backup systems. Broken water lines. un- installing and managing equipment or soft- even environmental conditions, and other ware, accidentally erasing files, updating the localized threats also produce significant but wrong file, transposing numbers, entering in- less sensational damage. correct information in files, neglecting to “Crackers” and other intruders. A small but change a password or back up a hard disk, and growing number of violations come from unau- other acts that cause loss of information, inter- thorized “crackers”3 who may intrude for mon- ruptions, and so forth. etary gain, for industrial secrets, or for the Many of these and other circumstances are challenge of breaking into or sabotaging the arguably due to faults in design that do not pre- system. This group receives the most sensa- vent many common human errors (or other tional treatment in the press and includes teen- threats) from resulting in losses. An unusual agers breaking into remote systems as well as but legitimate sequence of events also can re- professional criminals, industrial spies, or for- veal a vulnerability in system design. Such de- eign intelligence. sign errors may come with off-the-shelf Viruses and other malicious software. Vi- software or hardware, or may be built into the ruses, worms, and other malicious software can system by the network managers. enter a network through borrowed diskettes, ● Insiders. Many violations of information safe- prepackaged software, and connections to oth- guards are performed by trusted personnel who er networks.4 These hazards could also be a re- engage in unauthorized activities or activities sult of human error (negligence), insiders, or that exceed their authority. These insiders may intruders. copy, steal, or sabotage information, yet their actions may remain undetected.2 These indi- viduals can hold clearances or other authoriza- SAFEGUARDS FOR tions, or may be able to disable network NETWORKED INFORMATION operations or otherwise violate safeguards Federal agencies and other organizations use safe- through actions that require no special autho- guards-countermeasures-that eliminate spe- rization. cific vulnerabilities or otherwise render a threat ■ Natural disasters and environmental dam- impotent, thereby protecting the organizations’ age. Wide-area disasters such as floods, earth- information assets. In this report, security is used quakes, fires, and power failures can destroy generally to describe the protection against disclo-