MIT 6 805 - Lecture notes


July 1995
Office of Technology Assessment
U.S. Congress

OTA REPORT SUMMARY

* ISSUE UPDATE ON INFORMATION SECURITY AND PRIVACY IN NETWORK ENVIRONMENTS *

As a follow-on to the September 1994 report on information security and privacy, at the request of the Senate Committee on Governmental Affairs, the Office of Technology Assessment has updated some key issues in a new background paper. In "Issue Update on Information Security and Privacy in Network Environments," OTA develops further some of its earlier options related to the effects of government policies on the private sector and to federal-agency operations to safeguard unclassified information.

OTA's Findings

As OTA's 1994 report noted, we are in transition to a society that is critically dependent on electronic information and network connectivity. The Internet now has host computers in over 85 countries; the variety of online sources of information, services, and entertainment continues to expand. Businesses' use of networks has continued to expand, and ventures to bring electronic commerce and electronic money, or "digital cash," into homes and offices are materializing rapidly. Government agencies have continued to expand both the scale and scope of their network connectivities; information technologies and networks are featured prominently in plans to make government more efficient, effective, and responsive.

The transformation being brought about by networking brings with it new concerns for the security of networked information and for our ability to maintain effective privacy protections in networked environments. In contrast to the older concepts of "document" security or "computer" security, the new focus is on safeguarding the information itself as it is processed, stored, and transmitted. Responsibility for security is being shifted to the end users. Increased interactivity means that we must protect transactional privacy, while preventing fraud in electronic commerce.

OTA finds that the need for timely congressional attention to safeguarding unclassified information and protecting personal privacy is increasingly urgent. The background paper discusses a number of reasons for this conclusion, including the following:

o Congressional oversight of government information security and privacy is of utmost importance in the present time of government reform and organizational streamlining.

When the role, size, and structure of the federal agencies are being reexamined, it is important to take into account the additional information security and privacy risks incurred in downsizing and the historical lack of commitment on the part of top agency managements to safeguarding unclassified information. Similarly, management must ensure that safeguards are integrated when organizations streamline their operations and modernize their information systems.

o Momentum is building toward government-wide consolidation of information-security responsibilities.

Cryptography standards-development and export-control issues underlie a long history of concern over leadership and responsibility for the security of unclassified information governmentwide. Controversy over who should be in charge and who is in charge was not laid to rest after enactment of the Computer Security Act of 1987 (Public Law 100-235). Now, these concerns have been revitalized by the creation of the Security Policy Board and the Board staff proposals to centralize unclassified information-security authorities government-wide and by the prospect of new information-technology and information-security legislation in the 104th Congress.

o An overarching issue that must be resolved by Congress is where federal authority for safeguarding unclassified information in the civilian agencies should reside and, therefore, what needs to be done concerning the substance and implementation of the Computer Security Act of 1987.

If Congress retains the general premise of the act--that responsibility for unclassified information security in the civilian agencies should not reside within the defense/intelligence community, then vigilant oversight and clear direction will be needed. This would include assigning and funding a credible focal point (or points) for cost-effective security guidance for unclassified information. If the Computer Security Act is revisited, Congress might wish to redirect the National Institute of Standards and Technology's (NIST's) activities away from "picking technologies" for standards and toward providing federal agencies with guidance on: the availability of suitable commercial technologies, interoperability and application portability, and how to make best use of their existing hardware and software technology investments.

o Cryptography is not arcane anymore. Cryptography also is not just a "government technology" anymore.

In its modern setting, cryptography is a fundamental safeguard with broad applications. It can be used to preserve the confidentiality of messages and files, or to provide "digital signatures" that will help speed the way to electronic commerce. The nongovernmental markets for cryptography-based safeguards have grown over the past two decades, but are still developing. Good commercial encryption technology is available in the United States and abroad. Research in cryptography is international. Markets for cryptography would also be international, except that governmental restrictions like export controls effectively segment "domestic" and "export" markets for strong encryption products. User-friendly cryptographic safeguards that are integrated into products (as opposed to those that the user has to acquire separately and add on) are still hard to come by--in part, because of export controls and other federal policies that seek to control cryptography.

o Cryptography is a technology whose time has come, but the clock is still ticking.

Because cryptography is a technology of such broad application, cryptography policies affect technological developments in the field, as well as the health and economic vitality of companies that produce or use products incorporating cryptography. Consequently, policies about cryptography exports and standards will increasingly affect both the vitality of the information technology industries and the everyday lives of most Americans. Representatives of major U.S. computer and software companies have recently reaffirmed the importance of security and privacy protections in the developing global information infrastructure.

