This was posted to another list today. It purports to be fresh although the file at the Web site is dated 11 August. Hope this is not redundant.
* U.S. CONGRESS OFFICE OF TECHNOLOGY ASSESSMENT Washington, DC 20510 *
* ISSUE UPDATE ON INFORMATION SECURITY AND PRIVACY IN NETWORK ENVIRONMENTS *
The OTA background paper "Issue Update on Information Security and Privacy in Network Environments" is now available. Ordering information and details about electronic access are at the end of this file.
INFORMATION SECURITY AND PRIVACY ISSUES IN NETWORK ENVIRONMENTS REQUIRE CONGRESSIONAL ATTENTION
Transition to a society that depends on electronic information and network connectivity brings new concerns for information security and effective protection of privacy. The new focus must be on safeguarding information as it is processed, stored, and transmitted, rather than on "document" security or "computer" security. In the networked society, responsibility for information security is shifting to the end users.
In a background paper released today the congressional Office of Technology Assessment (OTA) finds an increasingly urgent need for timely congressional attention to these concerns.
OTA has updated, at the request of the Senate Committee on Governmental Affairs, some key issues identified in its 1994 report on information security and privacy. OTA found that recent and ongoing events are relevant to congressional consideration of national cryptography policy and government-wide guidance on safeguarding unclassified information in federal agencies.
OTA stresses the need for openness, oversight, and public accountability--given the broad public and business impacts of these policies--throughout the discussion of possible congressional actions. In OTA's view, two key questions underlie consideration of policy options. The first is: How will the nation develop and maintain the balance among traditional "national security" and law-enforcement objectives and other aspects of the public interest, such as economic vitality, civil liberties, and open government? The second is: What are the costs of government efforts to control cryptography and who will bear them?
None of the cost estimates will be easy to make, warns OTA. Ultimately, however, these costs are all borne by the public, whether in the form of taxes, product prices, or foregone economic opportunities and earnings.
OTA emphasizes that congressional oversight of government information security and privacy protection is of utmost importance in the present time of government reform and organizational streamlining. The security of unclassified information has not been a top management priority; downsizing can incur additional information security and privacy risks. Similarly, says OTA, management must ensure integration of safeguards when streamlining agency operations and modernizing information systems.
OTA finds momentum building for government-wide consolidation of information-security responsibilities. Congress must resolve the overarching issue of where federal authority for safeguarding unclassified information in the civilian agencies should reside and, therefore, what needs to be done concerning the substance and implementation of the Computer Security Act of 1987, says OTA. If Congress retains the general premise of the act--that responsibility for unclassified information security in the civilian agencies should not reside within the defense/intelligence community--then vigilant oversight and clear direction will be needed, says OTA.
Timely and continuing congressional oversight of cryptography policies is crucial, says OTA. Cryptography, a fundamental safeguard, can preserve the confidentiality of messages and files, or provide "digital signatures" that will help speed the way to electronic commerce. Non-governmental markets for cryptography-based safeguards have grown over the past two decades, but are still developing. Research is international; markets would be, says OTA, except for governmental restrictions, such as export controls that effectively create "domestic" and "export" market segments for strong encryption products.
Cryptography policies affect technological developments in the field, as well as the health and economic vitality of companies that produce or use products incorporating cryptography, and consequently, the vitality of the information technology industries and the everyday lives of most Americans. But, business has strong and serious concerns that government interests, especially with respect to standards and export controls, could stifle commercial development and use of networks in the international arena. Given the broad public and business impacts, timely and continuing congressional oversight of these policies is crucial.
Strong encryption is increasingly portrayed as a threat to domestic security (public safety) and a barrier to law enforcement if it is readily available for use by terrorists or criminals. Thus, export controls, intended to restrict the international availability of U.S. cryptography technology and products, are now being joined with domestic cryptography initiatives, like key-escrow encryption, that are intended to preserve U.S. law-enforcement and signals-intelligence capabilities.
Public and business concerns surrounding the Clinton Administration's escrowed-encryption initiative have not been resolved, notes OTA. Many concerns focus on whether government-approved, key-escrow encryption will become mandatory for government agencies or the private sector, if non-escrowed encryption will be banned, and/or if these actions could be taken without legislation. Although the Clinton Administration has stated that it has no plans to make escrowed encryption mandatory, or to ban other forms of encryption, OTA points out that, absent legislation, these intentions are not binding. OTA concludes that escrowed-encryption initiatives warrant congressional attention because of the public funds that will be spent in deploying them, and also because negative public perceptions of the processes for developing and deploying encryption standards, and of the standards themselves, may erode public confidence and trust in government and the effectiveness of federal leadership in promoting responsible use of information safeguards.
OTA is a nonpartisan analytical agency that serves the U.S. Congress. Its purpose is to aid Congress with the complex and often highly technical issues that increasingly affect our society.
ORDERING INFORMATION
For copies of the 142-page background paper "Issue Update on Information Security and Privacy in Network Environments" for congressional use, please call (202) 224-9241. To order copies for noncongressional use, call (202) 512-0132 (GPO's main bookstore) or (202) 512-1800 and indicate stock number 052-003-01416-5. Or send your check for $11.00 a copy or provide your VISA or MasterCard number and expiration date to Superintendent of Documents, P.O. Box 371954, Pittsburgh, PA 15250-7974, [FAX (202) 512-2250]. Free 8-page summaries are available electronically, and by calling (202) 224-8996.
ELECTRONIC ACCESS
Readers can access this background paper electronically through OTA Online via the following standard Internet tools:
WWW: http://www.ota.gov
FTP: otabbs.ota.gov; login as anonymous, password is your e-mail address; publications are in the /pub directory
Telnet: otabbs.ota.gov; login as public, password is public
Additional features of OTA Online are available through client software with a graphical user interface for Microsoft Windows. This software is available free through the WWW home page or by contacting the OTA Telecommunications and Information Systems Office, (202) 228-6000, or email sysop@ota.gov. Direct questions or comments on Internet services by email to netsupport@ota.gov.