MIT 6 805 - INFORMATION SECURITY AND PRIVACY IN NETWORK ENVIRONMENTS

This preview shows page 1-2-3 out of 9 pages.


September 1994

************************************************************
*                    OTA REPORT SUMMARY                    *
*                                                          *
* INFORMATION SECURITY AND PRIVACY IN NETWORK ENVIRONMENTS *
************************************************************

The technology used in daily life is changing. Information technologies are transforming the ways we create, gather, process, and share information; electronic transactions and records are becoming central to everything from commerce to health care. Computer networking is driving many of these changes. The explosive growth of the Internet (the number of users more than doubles each year) exemplifies this transition to a networked society. According to the Internet Society, as of July 1994 the Internet linked over 3 million host computers in more than 75 countries; some 20 to 30 million people worldwide can exchange messages over the Internet.

The use of information networks for business, in particular, is expanding enormously; government use of networks features prominently in plans to make government more efficient, effective, and responsive. But the transformation brought about by networking also raises new concerns for the security and privacy of networked information. If these concerns are not properly resolved, they threaten to limit networking's full potential, in terms of both participation and usefulness.

The OTA report Information Security and Privacy in Network Environments was requested by the Senate Committee on Governmental Affairs and the House Subcommittee on Telecommunications and Finance. The report focuses on safeguarding unclassified information in networks, not on the security or survivability of networks themselves, or on the reliability of network services to ensure information access. OTA's analysis examines policy issues in three areas: 1) cryptography policy, including federal information processing standards and export controls; 2) guidance on safeguarding unclassified information in federal agencies; and 3) legal issues and information security, including electronic commerce, privacy, and intellectual property.

Information safeguards, especially those based on cryptography, are becoming increasingly important. Appropriate safeguards (countermeasures) must account for and anticipate technical, institutional, and social changes that increasingly shift responsibility for safeguarding information to the end users. Broader efforts to safeguard networked information will be frustrated unless cryptography-policy issues are resolved.

The single most important step toward implementing proper safeguards for networked information in a federal agency or other organization is for top management to define the organization's overall objectives, formulate an organizational security policy to reflect those objectives, and implement that policy. Only top management can consolidate the consensus and apply the resources necessary to effectively protect networked information. For the federal government, this requires guidance from the Office of Management and Budget (e.g., in OMB Circular A-130), commitment from top agency management, and oversight by Congress.

*******************
*  POLICY ISSUES  *
*******************

*************************
*  Cryptography Policy  *
*************************

Congress has a vital role in formulating national cryptography policy and in determining how we safeguard information and protect personal privacy in our networked society. Cryptography has become a fundamental technology with broad applications. Decisions about cryptography policy will affect the everyday lives of most Americans because cryptography will help ensure the confidentiality and integrity of health records and tax returns. It will help speed the way to electronic commerce, and it will help us manage copyrighted material in electronic form.

Despite two decades of growth in nongovernmental research and development, the federal government still has the most expertise in cryptography. The nongovernmental market for cryptography products has grown in the last 20 years or so, but is still developing. Thus, export controls and the federal information processing standards (FIPS) developed by the Commerce Department's National Institute of Standards and Technology (NIST) have substantial impact on the development and use of information safeguards based on cryptography.

In its activities as a developer, user, and regulator of safeguard technologies, the federal government faces a fundamental tension between two important policy objectives: 1) fostering the development and widespread use of cost-effective information safeguards, and 2) controlling the proliferation of safeguard technologies that can impair U.S. signals-intelligence and law-enforcement capabilities. This tension is evident in concerns about the proliferation of cryptography that could impair U.S. signals intelligence and law enforcement, and in the resulting struggle to control cryptography through use of federal standards and export controls.

Previously, control of the availability and use of cryptography was presented as a national-security issue focused outward, with the intention of maintaining a U.S. technological lead over other countries. Now, with an increasing policy focus on domestic crime and terrorism, the availability and use of cryptography has also come into prominence as a domestic-security, law-enforcement issue. Thus, export controls, intended to restrict the international availability of U.S. cryptography technology and products, are now being joined with domestic cryptography initiatives intended to preserve U.S. law-enforcement and signals-intelligence capabilities.

Policy debate over cryptography used to be as arcane as the technology itself. However, as the communications technologies used in daily life have changed, concern over the implications of privacy and security policies dominated by national security objectives has grown dramatically, particularly in business and academic communities that produce or use information safeguards, but among the general public as well. This concern is reflected in the ongoing debates over key-escrow encryption and the government's Escrowed Encryption Standard (EES).

The Clinton Administration announced the "escrowed-encryption" initiative (often referred to as "Clipper" or the "Clipper chip") in April 1993. The EES uses a classified algorithm developed by the National Security Agency (NSA). The Department of Commerce issued the EES as a federal information processing standard for encrypting unclassified information in

