for services such as evaluation. It must not depend on government funding for its viability.
Note that the mission outlined above is much more challenging than defining standards or providing evaluation of consumer durables (e.g., as done by Underwriters Laboratories, Inc.). The committee does not know of any existing private organization that could take on these tasks.
Although it recognizes that any proposal for establishing a new institution faces an uphill battle, the committee sees this proposal as a test of commitment for industry, which has complained loudly about the existing institutional infrastructure. Commitment to an organization like that proposed can facilitate self-regulation and greatly diminish the likelihood of explicit government regulation.
If a new organization is not established, or if the functions proposed for it are not pursued in an aggressive and well-funded manner, the most immediate consequences will be the further discouraging of efforts by vendors to develop evaluated products, even though evaluation is vital to assuring that products are indeed trustworthy; the continuation of a slow rate of progress in the market, leaving many system users unprotected and unaware of the risks they face; and the prospect that U.S. vendors will become less competitive in the international systems market. Without aggressive action to increase system trustworthiness, the national exposure to safety and security catastrophes will increase rapidly.
Getting widely deployed and more effective computer and communications security is essential if the United States is to fully achieve the promise of the Information Age. The technology base is changing, and the proliferation of networks and distributed systems has increased the risks of threats to security and safety. The computer and communications security problem is growing. Progress is needed on many fronts—including management, development, research, legal enforcement, and institutional support—to integrate security into the development and use of computer and communications technology and to make it a constructive and routine component of information systems.
Losses from credit card and communications fraud alone investigated by the Secret Service range into the millions. See Box 1.1 for other examples.