Information Security and Privacy in Network Environments (fwd)

Harry Bartholomew bart at netcom.com
Mon Sep 11 05:50:46 PDT 1995



    This was posted to another list today.  It purports to be fresh
    although the file at the Web site is dated 11 August.
    Hope this is not redundant.
> *
> U.S. CONGRESS
> OFFICE OF TECHNOLOGY ASSESSMENT
> Washington, DC  20510
> *
> 
> *
> ISSUE UPDATE ON INFORMATION SECURITY AND
> PRIVACY IN NETWORK ENVIRONMENTS
> *
> 
> The OTA background paper "Issue Update on Information
> Security and Privacy in Network Environments" is now
> available.  Ordering information and details about
> electronic access are at the end of this file.
> 
> INFORMATION SECURITY AND PRIVACY ISSUES IN NETWORK
> ENVIRONMENTS REQUIRE CONGRESSIONAL ATTENTION
> 
> Transition to a society that depends on electronic
> information and network connectivity brings new concerns for
> information security and effective protection of privacy.
> The new focus must be on safeguarding information as it is
> processed, stored, and transmitted, rather than on
> "document" security or "computer" security.  In the
> networked society, responsibility for information security
> is shifting to the end users.
> 
> In a background paper released today the congressional
> Office of Technology Assessment (OTA) finds an increasingly
> urgent need for timely congressional attention to these
> concerns.
> 
> OTA has updated, at the request of the Senate Committee on
> Governmental Affairs, some key issues identified in its 1994
> report on information security and privacy.  OTA found that
> recent and ongoing events are relevant to congressional
> consideration of national cryptography policy and
> government-wide guidance on safeguarding unclassified
> information in federal agencies.
> 
> OTA stresses the need for openness, oversight, and public
> accountability--given the broad public and business impacts
> of these policies--throughout the discussion of possible
> congressional actions.  In OTA's view, two key questions
> underlie consideration of policy options.  The first is: How
> will the nation develop and maintain the balance among
> traditional "national security" and law-enforcement
> objectives and other aspects of the public interest, such as
> economic vitality, civil liberties, and open government?
> The second is: What are the costs of government efforts to
> control cryptography and who will bear them?
> 
> None of the cost estimates will be easy to make, warns OTA.
> Ultimately, however, these costs are all borne by the
> public, whether in the form of taxes, product prices, or
> foregone economic opportunities and earnings.
> 
> OTA emphasizes that congressional oversight of government
> information security and privacy protection is of utmost
> importance in the present time of government reform and
> organizational streamlining.  The security of unclassified
> information has not been a top management priority;
> downsizing can incur additional information security and
> privacy risks.  Similarly, says OTA, management must ensure
> integration of safeguards when streamlining agency
> operations and modernizing information systems.
> 
> OTA finds momentum building for government-wide consolidation
> of information-security responsibilities.  Congress must
> resolve the overarching issue of where federal authority for
> safeguarding unclassified information in the civilian
> agencies should reside and, therefore, what needs
> to be done concerning the substance and implementation of
> the Computer Security Act of 1987, says OTA.  If Congress retains the
> general premise of the act--that responsibility for
> unclassified information security in the civilian agencies
> should not reside within the defense/intelligence
> community--then vigilant oversight and clear direction will
> be needed, says OTA.
> 
> Timely and continuing congressional oversight of
> cryptography policies is crucial, says OTA.  Cryptography, a
> fundamental safeguard, can preserve the confidentiality of
> messages and files, or provide "digital signatures" that
> will help speed the way to electronic commerce.  Non-
> governmental markets for cryptography-based safeguards have
> grown over the past two decades, but are still developing.
> Research is international; markets would be, says OTA,
> except for governmental restrictions, such as export
> controls that effectively create "domestic" and "export"
> market segments for strong encryption products.
> 
> Cryptography policies affect technological developments in
> the field, as well as the health and economic vitality of
> companies that produce or use products incorporating
> cryptography, and consequently, the vitality of the
> information technology industries and the everyday lives of
> most Americans.  But, business has strong and serious
> concerns that government interests, especially with respect
> to standards and export controls, could stifle commercial
> development and use of networks in the international arena.
> Given the broad public and business impacts, timely and
> continuing congressional oversight of these policies is
> crucial.
> 
> Strong encryption is increasingly portrayed as a threat to
> domestic security (public safety) and a barrier to law
> enforcement if it is readily available for use by terrorists
> or criminals.  Thus, export controls, intended to restrict
> the international availability of U.S. cryptography
> technology and products, are now being joined with domestic
> cryptography initiatives, like key-escrow encryption, that
> are intended to preserve U.S. law-enforcement and signals-
> intelligence capabilities.
> 
> Public and business concerns surrounding the Clinton
> Administration's escrowed-encryption initiative have not
> been resolved, notes OTA.  Many concerns focus on whether
> government-approved, key-escrow encryption will become
> mandatory for government agencies or the private sector, if
> non-escrowed encryption will be banned, and/or if these
> actions could be taken without legislation. Although the
> Clinton Administration has stated that it has no plans to
> make escrowed encryption mandatory, or to ban other forms of
> encryption, OTA points out that, absent legislation, these
> intentions are not binding.  OTA concludes that escrowed-
> encryption initiatives warrant congressional attention
> because of the public funds that will be spent in deploying
> them, and also because negative public perceptions of the
> processes for developing and deploying encryption standards,
> and of the standards themselves, may erode public confidence
> and trust in government and the effectiveness of federal
> leadership in promoting responsible use of information
> safeguards.
> 
> OTA is a nonpartisan analytical agency that serves the U.S.
> Congress.  Its purpose is to aid Congress with the complex
> and often highly technical issues that increasingly affect
> our society.
> 
> ORDERING INFORMATION
> 
> For copies of the 142-page background paper "Issue Update on
> Information Security and Privacy in Network Environments"
> for congressional use, please call (202) 224-9241.  To order
> copies for noncongressional use, call (202) 512-0132 (GPO's
> main bookstore) or (202) 512-1800 and indicate stock number
> 052-003-01416-5.  Or send your check for $11.00 a copy or
> provide your VISA or MasterCard number and expiration date
> to Superintendent of Documents, P.O. Box 371954, Pittsburgh,
> PA 15250-7974, [FAX (202) 512-2250].  Free 8-page summaries
> are available electronically, and by calling (202) 224-8996.
> 
> ELECTRONIC ACCESS
> 
> Readers can access this background paper electronically
> through OTA Online via the following standard Internet
> tools:
> 
> WWW: http://www.ota.gov
> 
> FTP: otabbs.ota.gov; login as anonymous, password is your e-
> mail address; publications are in the /pub directory
> 
> Telnet: otabbs.ota.gov; login as public, password is public
> 
> Additional features of OTA Online are available through
> client software with a graphical user interface for
> Microsoft Windows.  This software is available free through
> the WWW home page or by contacting the OTA
> Telecommunications and Information Systems Office, (202)
> 228-6000, or email sysop at ota.gov.  Direct questions or
> comments on Internet services by email to netsupport at ota.gov.
> 
> 





