Information Security and Privacy in Network Environments September 1994 OTA-TCT-606 NTIS order #PB95-109203 GPO stock #052-003-01387-8 Recommended Citation: U.S. Congress, Office of Technology Assessment, Information Security and Privacy in Network Environments, OTA-TCT-606 (Washington, DC: U.S. Government Printing Office, September 1994). For Wk by the U.S. Government Prlnflng Office Superintendent of Document\, MiIIl Stop: SSOP, Wti\hlngton, DC 204)2-932/! ISBN O- 16-04!; 188-4 Foreword nformation networks are changing the way we do business, educate our children, deliver government services, and dispense health care. Information technologies are intruding in our lives in both I positive and negative ways. On the positive side, they provide win- dows to rich information resources throughout the world. They provide instantaneous communication of information that can be shared with all who are connected to the network. As businesses and government be- come more dependent on networked computer information, the more vulnerable we are to having private and confidential information fall into the hands of the unintended or unauthorized person. Thus appropriate institutional and technological safeguards are required for a broad range of personal, copyrighted, sensitive, or proprietary information. Other- wise, concerns for the security and privacy of networked information may limit the usefulness and acceptance of the global information infra- structure. This report was prepared in response to a request by the Senate Com- mittee on Governmental Affairs and the House Subcommittee on Tele- communications and Finance. The report focuses on policy issues in three areas: 1 ) national cryptography policy, including federal informa- tion processing standards and export controls; 2) guidance on safeguard- ing unclassified information in federal agencies; and 3) legal issues and information security, including electronic commerce, privacy, and intel- lectual property. OTA appreciates the participation of the many individuals without whose help this report would not have been possible. OTA received valu- able assistance from members of the study’s advisory panel and partici- pants at four workshops, as well as a broad range of individuals from government, academia, and industry. OTA also appreciates the coopera- tion of the General Accounting Office and the Congressional Research Service during the course of this assessment. The report itself, however, is the sole responsibility of OTA. ROGER C. HERDMAN Director . Ill Advisory Panel Nancy M. Cline Burton S. Kaliski, Jr. David Alan Pensak Chairperson Chief Scientist Principal Consultant Dean of University Libraries RSA Laboratories Computing Technology The Pennsylvania State University E.I. DuPont de Nemours, Inc. Stephen T. Kent James M. Anderson Chief Scientist Richard M. Peters, Jr. Director of Security Security Technology Senior VP for Corporate Mead Data Central, Inc. Bolt Beranek and Newman, Inc. Development Oceana Health Care Systems Alexander Cavalli Clifford A. Lynch Director, Research and Director Joel R. Reidenberg Development Division of Library Automation Professor Enterprise Integration Division Office of the President University School of Law Microelectronics and Computer of California Fordham University Technology Corp. Simona Nass Thomas B. Seipert Dorothy E. Denning President Detective Sergeant Chair, Computer Science The Society for Electronic Access Portland Police Bureau Department Georgetown University Jeffrey D. Neuburger Willis H. Ware Attorney Consultant L. Dain Gary Brown Raysman & Millstein The RAND Corp. Manager, Coordination Center CERT Susan Nycum Attorney Richard F. Graveman Baker & McKenzie Member of Technical Staff, Information Systems Security Raymond L. Ocampo, Jr. Bellcore Sr. Vice President, General Counsel and Secretary Lee A. Hollaar Oracle Corp. Professor of Computer Science The University of Utah Note: OTA appreciates and is grateful for the valuable assistance and thoughtful critiques provided by the advisory panel members. The panel does not, however, necessarily approve, disapprove. or endorse this report. OTA assumes full responsibility for the report and the accuracy of its contents. iv Project Staff Peter Blair JOAN WINSTON Assistant Director Project Director OTA Industry, Commerce, and International Security Division Paula Bruening Senior Analyst James W. Curlin Program Director Tom Hausken OTA Telecommunication and Analyst Computing Technologies Program Beth Valinoti Research Assistant ADMINISTRATIVE STAFF Liz Emanuel Office Administrator Karolyn St. Clair PC Specialist c ontents 1 Introduction and Policy Summary 1 Overview 1 Safeguarding Networked Information 6 Policy Issues and Options 8 2 Safeguarding Networked Information 25 Safeguards for Networked Information 26 Institutions That Facilitate Safeguards for Networked Information 40 Government’s Role in Providing Direction 63 3 Legal Issues and Information Security 69 Electronic Commerce 70 Protection of Information Privacy and the Problem of Transborder Data Flow 78 Digital Libraries 96 4 Government Policies and Cryptographic Safeguards 111 Importance of Cryptography 115 Government Concerns and Information Safeguards 128 Guidance on Safeguarding Information in Federal Agencies 132 U. S. Export Controls on Cryptography 150 Safeguards, Standards, and the Roles of NIST and NSA 160 Strategic and Tactical Congressional Roles 174 vii A Congressional Letters of Request 185 B Computer Security Act and Related Documents 189 C Evolution of the Digital Signature Standard 215 D Workshop Participants 223 E Reviewers and Other Contributors 226 INDEX 229 . Vlll Introduction and Policy Summary 1 he technology used in daily life is changing. Information technologies are transforming the ways we create, gather, process, and share information. Computer networking is T driving many of these changes; electronic transactions and records are becoming central to everything from commerce to health care. The explosive growth of the Internet exemplifies this transition to a networked society. According to the Internet Soci- ety, the number of Internet users has doubled each year; this rapid rate of growth increased more during the first half of 1994. By July 1994, the Internet linked over 3 million host computers worldwide; 2 million of these Internet hosts are in the United States. ] Including users who connect to the Internet via public and private messaging services, some 20 to 30 million people world- wide can exchange messages over the Internet. OVERVIEW The use of information networks for business is expanding enor- mously. 2 The average number of electronic point-of-sale transac- tions in the United States went from 38 per day in 1985 to 1.2 ] Data (m Internet S]ZC and gr~~wth from the Internet Stwicty, press release, Aug. 4, 1994. The lntemct (mginated m the Department of Defense’s ARPANET in the early 1970s, By 1982, the TCPIP pr(}t(}ct)ls developed for ARPANET were a military standard and there were atx]ut 100 computers on [he ARPANET. Twelve years later, the Internet IInhs host c{~mputers in rm~re than 75 countries via a netw(~rk of separately administered netwtrks. 2 See U.S. C(mgress, office of Techn[)logy Assessment, Elcctron[( Enferpr(fes: LOdIn<q fo [he Fufw-e, OTA-TC”l%OO (Washington, DC U.S. Gtwemnwnt Printing Of- II fice, May I 99-$). 2 I Information Security and Privacy in Network Environments million per day in 1993.3 An average $800 billion on infected computers and lost staff time in is transferred among partners in international cur- putting the computers back on line. Related rency markets every day; about $1 trillion is trans- dollar losses are estimated to be between ferred daily among U.S. banks; and an average $100,000 and $10 million. The virus took ad- $2 trillion worth of securities are traded daily in vantage of UNIX’s trusted-host features to New York markets.4 Nearly all of these financial propagate among accounts on trusted ma- transactions pass over information networks. chines. (U.S. General Accounting Office, Government use of networks features promi- Computer Security: Virus Highlights Need for nently in plans to make government more effi- Improved Internet Management, GAO/l M- cient, effective, and responsive. 5 Securing the TEC-89-57 (Washington, DC: U.S. Govern- financial and other resources necessary to suc- ment Printing Office, June 1989).) cessfully deploy information safeguards can be ● Between April 1990 and May 1991, hackers difficult for agencies, however. Facing pressures penetrated computer systems at 34 Department to cut costs and protect information assets, some of Defense sites by weaving their way through federal-agency managers have been reluctant to university, government, and commercial sys- connect their computer systems and networks tems on the Internet. The hackers exploited a with other agencies, let alone with networks out- security hole in the Trivial File Transfer Proto- side government. 6 Worse, if agencies were to col, which allowed users on the Internet to ac- “rush headlong” onto networks such as the Inter- cess a file containing encrypted passwords net, without careful planning, understanding se- without logging onto the system. (U.S. General curity concerns, and adequate personnel training, Accounting Office, Computer Security: Hack- the prospect of plagiarism, fraud, corruption or ers Penetrate DOD Computer Systems, GAO/ loss of data, and improper use of networked in- IMTEC-92-5 (Washington, DC: U.S. Govern- formation could affect the privacy,
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages248 Page
-
File Size-