Information Security and Privacy in Network Environments (fwd)
This was posted to another list today. It purports to be fresh
although the file at the Web site is dated 11 August.
Hope this is not redundant.
> *
> U.S. CONGRESS
> OFFICE OF TECHNOLOGY ASSESSMENT
> Washington, DC 20510
> *
>
> *
> ISSUE UPDATE ON INFORMATION SECURITY AND
> PRIVACY IN NETWORK ENVIRONMENTS
> *
>
> The OTA background paper "Issue Update on Information
> Security and Privacy in Network Environments" is now
> available. Ordering information and details about
> electronic access are at the end of this file.
>
> INFORMATION SECURITY AND PRIVACY ISSUES IN NETWORK
> ENVIRONMENTS REQUIRE CONGRESSIONAL ATTENTION
>
> Transition to a society that depends on electronic
> information and network connectivity brings new concerns for
> information security and effective protection of privacy.
> The new focus must be on safeguarding information as it is
> processed, stored, and transmitted, rather than on
> "document" security or "computer" security. In the
> networked society, responsibility for information security
> is shifting to the end users.
>
> In a background paper released today the congressional
> Office of Technology Assessment (OTA) finds an increasingly
> urgent need for timely congressional attention to these
> concerns.
>
> OTA has updated, at the request of the Senate Committee on
> Governmental Affairs, some key issues identified in its 1994
> report on information security and privacy. OTA found that
> recent and ongoing events are relevant to congressional
> consideration of national cryptography policy and
> government-wide guidance on safeguarding unclassified
> information in federal agencies.
>
> OTA stresses the need for openness, oversight, and public
> accountability--given the broad public and business impacts
> of these policies--throughout the discussion of possible
> congressional actions. In OTA's view, two key questions
> underlie consideration of policy options. The first is: How
> will the nation develop and maintain the balance among
> traditional "national security" and law-enforcement
> objectives and other aspects of the public interest, such as
> economic vitality, civil liberties, and open government?
> The second is: What are the costs of government efforts to
> control cryptography and who will bear them?
>
> None of the cost estimates will be easy to make, warns OTA.
> Ultimately, however, these costs are all borne by the
> public, whether in the form of taxes, product prices, or
> foregone economic opportunities and earnings.
>
> OTA emphasizes that congressional oversight of government
> information security and privacy protection is of utmost
> importance in the present time of government reform and
> organizational streamlining. The security of unclassified
> information has not been a top management priority;
> downsizing can incur additional information security and
> privacy risks. Similarly, says OTA, management must ensure
> integration of safeguards when streamlining agency
> operations and modernizing information systems.
>
> OTA finds momentum building for government-wide consolidation
> of information-security responsibilities. Congress must
> resolve the overarching issue of where federal authority for
> safeguarding unclassified information in the civilian
> agencies should reside and, therefore, what needs
> to be done concerning the substance and implementation of
> the Computer Security Act of 1987, says OTA. If Congress retains the
> general premise of the act--that responsibility for
> unclassified information security in the civilian agencies
> should not reside within the defense/intelligence
> community--then vigilant oversight and clear direction will
> be needed, says OTA.
>
> Timely and continuing congressional oversight of
> cryptography policies is crucial, says OTA. Cryptography, a
> fundamental safeguard, can preserve the confidentiality of
> messages and files, or provide "digital signatures" that
> will help speed the way to electronic commerce.
> Non-governmental markets for cryptography-based safeguards have
> grown over the past two decades, but are still developing.
> Research is international; markets would be, says OTA,
> except for governmental restrictions, such as export
> controls that effectively create "domestic" and "export"
> market segments for strong encryption products.
>
> Cryptography policies affect technological developments in
> the field, as well as the health and economic vitality of
> companies that produce or use products incorporating
> cryptography, and consequently, the vitality of the
> information technology industries and the everyday lives of
> most Americans. But, business has strong and serious
> concerns that government interests, especially with respect
> to standards and export controls, could stifle commercial
> development and use of networks in the international arena.
> Given the broad public and business impacts, timely and
> continuing congressional oversight of these policies is
> crucial.
>
> Strong encryption is increasingly portrayed as a threat to
> domestic security (public safety) and a barrier to law
> enforcement if it is readily available for use by terrorists
> or criminals. Thus, export controls, intended to restrict
> the international availability of U.S. cryptography
> technology and products, are now being joined with domestic
> cryptography initiatives, like key-escrow encryption, that
> are intended to preserve U.S. law-enforcement and
> signals-intelligence capabilities.
>
> Public and business concerns surrounding the Clinton
> Administration's escrowed-encryption initiative have not
> been resolved, notes OTA. Many concerns focus on whether
> government-approved, key-escrow encryption will become
> mandatory for government agencies or the private sector, if
> non-escrowed encryption will be banned, and/or if these
> actions could be taken without legislation. Although the
> Clinton Administration has stated that it has no plans to
> make escrowed encryption mandatory, or to ban other forms of
> encryption, OTA points out that, absent legislation, these
> intentions are not binding. OTA concludes that
> escrowed-encryption initiatives warrant congressional attention
> because of the public funds that will be spent in deploying
> them, and also because negative public perceptions of the
> processes for developing and deploying encryption standards,
> and of the standards themselves, may erode public confidence
> and trust in government and the effectiveness of federal
> leadership in promoting responsible use of information
> safeguards.
>
> OTA is a nonpartisan analytical agency that serves the U.S.
> Congress. Its purpose is to aid Congress with the complex
> and often highly technical issues that increasingly affect
> our society.
>
> ORDERING INFORMATION
>
> For copies of the 142-page background paper "Issue Update on
> Information Security and Privacy in Network Environments"
> for congressional use, please call (202) 224-9241. To order
> copies for noncongressional use, call (202) 512-0132 (GPO's
> main bookstore) or (202) 512-1800 and indicate stock number
> 052-003-01416-5. Or send your check for $11.00 a copy or
> provide your VISA or MasterCard number and expiration date
> to Superintendent of Documents, P.O. Box 371954, Pittsburgh,
> PA 15250-7974, [FAX (202) 512-2250]. Free 8-page summaries
> are available electronically, and by calling (202) 224-8996.
>
> ELECTRONIC ACCESS
>
> Readers can access this background paper electronically
> through OTA Online via the following standard Internet
> tools:
>
> WWW: http://www.ota.gov
>
> FTP: otabbs.ota.gov; login as anonymous, password is your
> e-mail address; publications are in the /pub directory
>
> Telnet: otabbs.ota.gov; login as public, password is public
>
> Additional features of OTA Online are available through
> client software with a graphical user interface for
> Microsoft Windows. This software is available free through
> the WWW home page or by contacting the OTA
> Telecommunications and Information Systems Office, (202)
> 228-6000, or email [email protected]. Direct questions or
> comments on Internet services by email to [email protected].
>
>