Page 19

1 Growing Vulnerability in the Information Age

Chapter 1 frames a fundamental problem facing the United States today—the need to protect against the growing vulnerability of information to unauthorized access and/or change as the nation makes the transition from an industrial age to an information age. Society's reliance on a changing panoply of information technologies and technology-enabled services, the increasingly global nature of commerce and business, and the ongoing desire to protect traditional freedoms as well as to ensure that government remains capable of fulfilling its responsibilities to the nation all suggest that future needs for information security will be large. These factors make clear the need for a broadly acceptable national cryptography policy that will help to secure vital national interests.

1.1 THE TECHNOLOGY CONTEXT OF THE INFORMATION AGE

The information age is enabled by computing and communications technologies (collectively known as information technologies) whose rapid evolution is almost taken for granted today. Computing and communications systems appear in virtually every sector of the economy and increasingly in homes and other locations. These systems focus economic and social activity on information—gathering, analyzing, storing, presenting, and disseminating information in text, numerical, audio, image, and video formats—as a product itself or as a complement to physical or tangible products.¹ Today's increasingly sophisticated information technologies cover a wide range of technical progress:

• Microprocessors and workstations are increasingly important to the computing infrastructure of companies and the nation. Further increases in speed and computational power today come from parallel or distributed processing with many microcomputers and processors rather than faster supercomputers.

• Special-purpose electronic hardware is becoming easier to develop. Thus, it may make good sense to build specialized hardware optimized for performance, speed, or security with respect to particular tasks; such specialized hardware will in general be better adapted to these purposes than general-purpose machines applied to the same tasks.

• Media for transporting digital information are rapidly becoming faster (e.g., fiber optics instead of coaxial cables), more flexible (e.g., the spread of wireless communications media), and less expensive (e.g., the spread of CD-ROMs as a vehicle for distributing digital information). Thus, it becomes feasible to rely on the electronic transmission of larger and larger volumes of information and on the storage of such volumes on ever-smaller physical objects.

• Convergence of technologies for communications and for computing. Today, the primary difference between communications and computing is the distance traversed by data flows: in communications, the traversed distance is measured in miles (e.g., two people talking to each other), while in computing the traversed distance is measured in microns (e.g., between two subcomponents on a single integrated circuit). A similar convergence affects companies in communications and in computing—their boundaries are blurring, their scopes are changing, and their production processes overlap increasingly.

• Software is increasingly carrying the burden of providing functionality in information technology. In general, software is what gives hardware its functional capabilities, and different software running on the same hardware can change the functionality of that hardware entirely. Since software is intangible, it can be deployed widely on a very short time scale compared to that of hardware. Box 1.1 contains more discussion of this point.

As these examples suggest, information technologies are ever more affordable and ubiquitous. In all sectors of the economy, they drive demand for information systems; such demand will continue to be strong and experience significant growth rates. High-bandwidth and/or wireless media are becoming more and more common. Interest in and use of the Internet and similar public networks will continue to grow rapidly.

¹ Citations to a variety of press accounts can be found in Computer Science and Telecommunications Board (CSTB), National Research Council, Information Technology and Manufacturing: A Research Agenda, National Academy Press, Washington, D.C., 1993; CSTB, Information Technology in the Service Society: A Twenty-First Century Lever, 1993; CSTB, Realizing the Information Future: The Internet and Beyond, 1994; CSTB, Keeping the Computer and Communications Industry Competitive: Convergence of Computing, Communications, and Entertainment, 1995; and CSTB, The Unpredictable Certainty: Information Infrastructure Through 2000, 1996.

BOX 1.1 Communications and Computing Devices and the Role of Software

Communications and computing devices can be dedicated to a single purpose or may serve multiple purposes. Dedicated single-purpose devices are usually (though not always) hardware devices whose functionality cannot be easily altered. Examples include unprogrammable pocket calculators, traditional telephones, walkie-talkies, pagers, fax machines, and ordinary telephone answering machines.

A multipurpose device is one whose functionality can be altered by the end user. In some instances, a hardware device may be "reprogrammed" to perform different functions simply by the physical replacement of a single chip by another chip or by the addition of a new circuit board. Open bus architectures and standard hardware interfaces such as the PC card are intended to facilitate multipurpose functionality.

Despite such interfaces and architectures for hardware, software is the primary means for implementing multipurpose functionality in a hardware device. With software, physical replacement of a hardware component is unnecessary—a new software program is simply loaded and executed. Examples include personal computers (which do word processing or mathematical calculations, depending on what software the user chooses to run), programmable calculators (which solve different problems, depending on the programming given to them), and even many modern telephones (which can be programmed to execute functions such as speed dialing). In these instances, the software is the medium in which the expectations of the user are embedded.

Today, the lines between hardware and software are blurring. For example, some "hardware" devices are controlled by programs stored in semi-permanent read-only memory. "Read-only memory" (ROM) originally referred to memory for storing instructions and data that could never be changed, but this characteristic made ROM-controlled devices less flexible. Thus, the electronics industry responded with "read-only" memory whose contents take special effort to change (such as exposing the memory chip to a burst of ultraviolet light or sending only a particular signal to a particular pin on the chip).

The flexibility and cheapness of today's electronic devices make them ubiquitous. Most homes now have dozens of microprocessors in coffee makers, TVs, refrigerators, and virtually anything that has a control panel.

1.2 TRANSITION TO AN INFORMATION SOCIETY—INCREASING INTERCONNECTIONS AND INTERDEPENDENCE

As the availability and use of computer-based systems grow, so, too, does their interconnection. The result is a shared infrastructure of information, computing, and communications resources that facilitates collaboration at a distance, geographic dispersal of operations, and sharing of data.

With the benefits of a shared infrastructure also come costs. Changes in the technology base have created more vulnerabilities, as well as the potential to contain them. For example, easier access for users in general implies easier access for unauthorized users. The design, mode of use, and nature of a shared infrastructure create vulnerabilities for all users. For national institutions such as banking, new risks arise as the result of greater public exposure through such interconnections. For example, a criminal who penetrates one bank interconnected to the world's banking system can steal much larger amounts of money than are stored at that one bank. (Box 1.2 describes a recent electronic bank robbery.) Reducing vulnerability to breaches of security will depend on the ability to identify and authenticate people, systems, and processes and to assure with high confidence that information is not improperly manipulated, corrupted, or destroyed.

Although society is entering an era abounding with new capabilities, many societal practices today remain similar to those of the 1960s and 1970s, when computing was dominated by large, centralized mainframe computers. In the 1980s and 1990s, they have not evolved to reflect the introduction of personal computers, portable computing, and increasingly ubiquitous communications networks. Thus, people continue to relinquish control over substantial amounts of personal information through credit card transactions, proliferating uses of Social Security numbers, and participation in frequent-buyer programs with airlines and stores. Organizations implement trivial or no protection for proprietary data and critical systems, trusting policies to protect portable storage media or relying on simple passwords to protect information. These practices have endured against a backdrop of relatively modest levels of commercial and individual risk; for example, the liability of a credit card owner for credit card fraud perpetrated by another party is limited by law to $50. Yet most computer and communications hardware and software systems are subject to a wide range of vulnerabilities, as described in Box 1.3. Moreover, information on how to exploit such vulnerabilities is often easy to obtain. As a result, a large amount of information that people say they would like to protect is in fact available through entirely legal channels (e.g., purchasing a credit report on an individual) or in places that can be accessed improperly through technical attacks requiring relatively modest effort.

BOX 1.2 An Attempted Electronic Theft from Citicorp

Electronic money transfers are among the most closely guarded activities in banking. In 1994, an international group of criminals penetrated Citicorp's computerized electronic transfer system and moved about $12 million from legitimate customer accounts to their own accounts in banks around the world. According to Citicorp, this is the first time its computerized cash-management system has been breached. Corporate customers access the system directly to transfer funds for making investments, paying bills, and extending loans, among other purposes. The Citicorp system moves about $500 billion worldwide each day. Authority to access the system is verified with a cryptographic code that only the customer knows.

The case began in June 1994, when Vladimir Levin of St. Petersburg, Russia, allegedly accessed Citicorp computers in New York through the international telephone network, posing as one of Citicorp's customers. He moved some customer funds to a bank account in Finland, where an accomplice withdrew the money in person. In the next few months, Levin moved various Citicorp customers' funds to accomplices' personal or business accounts in banks in St. Petersburg, San Francisco, Tel Aviv, Rotterdam, and Switzerland. Accomplices had withdrawn a total of about $400,000 by August 1994. By that time, bank officials and their customers were on alert. Citicorp detected subsequent transfers quickly enough to warn the banks into which funds were moved to freeze the destination accounts. (Bank officials noted that they could have blocked some of these transfers, but they permitted and covertly monitored them as part of the effort to identify the perpetrators.) Other perpetrators were arrested in Tel Aviv and Rotterdam; they revealed that they were working with someone in St. Petersburg.

An examination of telephone company records in St. Petersburg showed that Citicorp computers had been accessed through a telephone line at AO Saturn, a software company. A person arrested after attempting to make a withdrawal from a frozen account in San Francisco subsequently identified Levin, who was an AO Saturn employee. Russia has no extradition treaty with the United States; however, Levin traveled to Britain in March 1995 and was arrested there. As of September 1995, proceedings to extradite him for trial in the United States were in progress.

Levin allegedly penetrated Citicorp computers using customers' user identifications and passwords. In each case, Levin electronically impersonated a legitimate customer, such as a bank or an investment capital firm. Some investigators suspect that an accomplice inside Citicorp provided Levin with necessary information; otherwise, it is unclear how he could have succeeded in accessing customer accounts. He is believed to have penetrated Citicorp's computers 40 times in all. Citicorp says it has upgraded its system's security to prevent future break-ins.

SOURCES: William Carley and Timothy O'Brien, "Cyber Caper: How Citicorp System Was Raided and Funds Moved Around World," Wall Street Journal, September 12, 1995, p. A1; Saul Hansell, "A $10 Million Lesson in the Risks of Electronic Banking," New York Times, August 19, 1995, p. 31.

BOX 1.3 Vulnerabilities in Information Systems and Networks

Information systems and networks can be subject to four generic vulnerabilities:

1. Eavesdropping or data browsing. By surreptitiously obtaining the confidential data of a company or by browsing a sensitive file stored on a computer to which one has obtained improper access, an adversary could be in a position to undercut a company bid, learn company trade secrets (e.g., knowledge developed through proprietary company research) that would eliminate a competitive advantage of the company, or obtain the company's client list in order to steal customers. Moreover, damage can occur independent of the use of stealth—many companies would be damaged if their sensitive data were disclosed, even if they knew that such a disclosure had occurred.

2. Clandestine alteration of data. By altering a company's data clandestinely, an adversary could destroy the confidence of the company's customers in the company, disrupt internal operations of the company, or subject the company to shareholder litigation.

3. Spoofing. By illicitly posing as a company, an adversary could place false orders for services, make unauthorized commitments to customers, defraud clients, and cause no end of public relations difficulties for the company. Similarly, an adversary might pose as a legitimate customer, and a company—with an interest in being responsive to user preferences to remain anonymous under a variety of circumstances—could then find itself handicapped in seeking proper confirmation of the customer's identity.

4. Denial of service. By denying access to electronic services, an adversary could shut down company operations, especially time-critical ones. On a national scale, critical infrastructures controlled by electronic networks (e.g., the air traffic control system, the electrical power grid) involving many systems linked to each other are particularly sensitive.

Today, the rising level of familiarity with computer-based systems is combining with an explosion of experimentation with information and communications infrastructure in industry, education, health care, government, and personal settings to motivate new uses of and societal expectations about the evolving infrastructure. A key feature of the new environment is connection or exchange: organizations are connecting internal private facilities to external public ones; they are using public networks to create virtual private networks, and they are allowing outsiders such as potential and actual customers, suppliers, and business allies to access their systems directly. One vision of a world of electronic commerce and what it means for interconnection is described in Box 1.4. Whereas a traditional national security perspective might call for keeping people out of sensitive stores of information or communications networks, national economic and social activity increasingly involves the exact opposite: inviting people from around the world to come in—with varying degrees of recognition that all who come in may not be benevolent. Box 1.5 describes some of the tensions between security and openness.

BOX 1.4 Electronic Commerce and the Implications for Interconnectivity

A number of reports have addressed the potential nature and impact of electronic commerce.¹ Out of such reports, several common elements can be distilled:

• The interconnection of geographically dispersed units into a "virtual" company.

• The linking of customers, vendors, and suppliers through videoconferencing, electronic data interchange, and electronic networks.

• The creation of temporary or more permanent strategic alliances for business purposes.

• A vast increase in the on-line availability of information and information products, both free and for a fee, that are useful to individuals and organizations.

• The electronic transaction of retail business, beginning with today's toll-free catalog shopping and extending to electronic network applications that enable customers to:
  —apply for bank loans;
  —order tangible merchandise (e.g., groceries) for later physical delivery;
  —order intangible merchandise (e.g., music, movies) for electronic delivery;
  —obtain information and electronic documents (e.g., official documents such as driver's licenses and birth certificates).

• The creation of a genuinely worldwide marketplace that matches buyers to sellers largely without intermediaries.

• New business opportunities for small entrepreneurs that could sell low-value products to the large numbers of potential customers that an electronic marketplace might reach.

In general, visions of electronic commerce writ large attempt to leverage the competitive edge that information technologies can provide for commercial enterprises. Originally used exclusively to facilitate internal communications, information technology is now used by corporations to connect directly with their suppliers and business partners.² In the future, corporate networks will extend all the way to customers, enabling improvements in customer service and more direct channels for customer feedback. Furthermore, information technologies will facilitate the formation of ad hoc strategic alliances among diverse enterprises and even among competitors on a short time scale, driven by changes in business conditions that demand prompt action. This entire set of activities is already well under way.

¹ See, for example, Cross-Industry Working Team, Electronic Cash, Tokens, and Payments in the National Information Infrastructure, Corporation for National Research Initiatives, 1895 Preston White Drive, Suite 100, Reston, Virginia 22091-5434 (Internet: info-xiwt@cnri.reston.va.us; Tel: 703/620-8990), 1994; Office of Technology Assessment, Electronic Enterprises: Looking to the Future, U.S. Government Printing Office, Washington, D.C., July 1994.

² For example, in manufacturing, collaborative information technologies can help to improve the quality of designs and reduce the cost and time needed to revise designs; product designers will be able to create a "virtual" product, make extensive computer simulations of its behavior without supplying all of its details, and "show" it to the customer for rapid feedback. Networks will enable the entire manufacturing enterprise to be integrated all along the supply chain, from design shops to truck fleets that deliver the finished products. (See Computer Science and Telecommunications Board, National Research Council, Information Technology and Manufacturing: A Research Agenda, National Academy Press, Washington, D.C., 1995.) In the delivery of services, the more effective use and transmission of information have had dramatic effects. Today's air transportation system would not exist without rapid and reliable information flows regarding air traffic control, sales, marketing, maintenance, safety, and logistics planning. Retailers and wholesalers depend on the rapid collection and analysis of sales data to plan purchasing and marketing activities, to offer more differentiated services to customers, and to reduce operational costs. The insurance industry depends on rapid and reliable information flows to its sales force and to customize policies and manage risks. (See Computer Science and Telecommunications Board, National Research Council, Information Technology in the Service Society: A Twenty-First Century Lever, National Academy Press, Washington, D.C., 1994.)

BOX 1.5 Tensions Between Security and Openness

Businesses have long been concerned about the tension between openness and security. An environment that is open to everyone is not secure, while an environment that is closed to everyone is highly secure but not useful. A number of trends in business today tend to exacerbate this conflict. For example:

• Modern competitive strategies emphasize openness to interactions with potential customers and suppliers. For example, such strategies would demand that a bank present itself as willing to do business with anyone, everywhere, and at any time. However, such strategies also offer potential adversaries a greater chance of success, because increasing ease of access often facilitates the penetration of security protections.

• Many businesses today emphasize decentralized management that pushes decision-making authority toward the customer and away from the corporate hierarchy. Yet security often has been (and is) approached from a centralized perspective. (For example, access controls are necessarily hierarchical (and thus centralized) if they are to be maintained uniformly.)

• Many businesses rely increasingly on highly mobile individuals. When key employees were tied to one physical location, it made sense to base security on physical presence, e.g., to have a user present a photo ID card to an operator at the central corporate computer center. Today, mobile computing and communications are common, with not even a physical wire to ensure that the person claiming to be an authorized user is accessing a computer from an authorized location or to prevent passive eavesdropping on unencrypted transmissions with a radio scanner.

Such a change in expectations and perspective is unfolding in a context in which controls on system access have typically been deficient, beginning with weak operating system security. The distributed and internetworked communications systems that are emerging raise questions about protecting information regardless of the path traveled (end-to-end security), as close to the source and destination as possible.

The international dimensions of business and the growing importance of competitiveness in the global marketplace complicate the picture further. Although "multinationals" have long been a feature of the U.S. economy, the inherently international nature of communications networks and the growing capabilities for distributing and accessing information worldwide are helping many activities and institutions to transcend national boundaries. (See Box 1.6.) At the same time, export markets are at least as important as domestic U.S. markets for a growing number of goods and service producers, including producers of information technology products as well as a growing variety of high- and low-technology products. The various aspects of globalization—identifying product and merchandising needs that vary by country; establishing and maintaining employment, customer, supplier, and distribution relationships by country; coordinating activities that may be dispersed among countries but result in products delivered to several countries; and so on—place new demands on U.S.-based and U.S.-owned information, communication, organizational, and personal resources and systems.

BOX 1.6 International Dimensions of Business and Commerce Today

U.S. firms increasingly operate in a global environment obtaining goods and services from companies worldwide, participating in global virtual corporations, and working as part of international strategic alliances.

One key dimension of increasing globalization has been the dismantling of barriers to trade and investment. In the past 40 years, tariffs among developed countries have been reduced by more than two-thirds. After the Uruguay Round reductions are phased in, tariffs in these countries will be under 4%, with 43% of current trade free of any customs duties. While tariffs of developing countries are at higher levels, they have recently begun to decline substantially. After the Uruguay Round, tariffs in these countries will average 12.3% by agreement and will be even lower as a result of unilateral reductions.

In response to the reductions in trade barriers, trade has grown rapidly. From 1950 to 1993, U.S. and world trade grew at an average compound rate of 10% annually. Investment has also grown rapidly in recent years, stimulated by the removal of restrictions and by international rules that provide assurances to investors against discriminatory or arbitrary treatment. U.S. foreign direct investment also has grown at almost 10% annually during the past 20 years and now totals about half a trillion dollars. Foreign direct investment in the United States has risen even faster over the same period—at almost 19% annually—and now also totals almost $500 billion.

The expansion of international trade and investment has resulted in a much more integrated and interdependent world economy. For the United States, this has meant a much greater dependence on the outside world. More than a quarter of the U.S. gross domestic product is now accounted for by trade in goods and services and returns on foreign investment. Over 11 million jobs are now directly or indirectly related to our merchandise trade.

Because the U.S. economy is mature, the maintenance of a satisfactory rate of economic growth requires that the United States compete vigorously for international markets, especially in the faster growing regions of the world. Many sectors of our economy are now highly dependent on export markets. This is particularly the case for, but is not limited to, high-technology goods, as indicated in Table 1.1.

TABLE 1.1 Dependence of U.S. Business Sectors on Export Markets

Area of Export                                                        Exports as a Percentage of U.S. Output
Electronic computing and parts                                        52
Semiconductors and related devices                                    47
Magnetic and optical recording media (includes software products)     40

SOURCE: U.S. Department of Commerce, Commerce News, August 9, 1995.

A second international dimension is the enormous growth in recent years of multinational enterprises. Such firms operate across national boundaries, frequently in multiple countries. According to the 1993 World Investment Report of the United Nations, transnational corporations (TNCs) with varying degrees of integration account for about a third of the world's private sector productive assets. The number of TNCs has more than tripled in the last 20 years. At the outset of this decade, about 37,000 U.S. firms had a controlling equity interest in some 170,000 foreign affiliates. This does not include nonequity relationships, such as management contracts, subcontracting, franchising, or strategic alliances.

There are some 300 TNCs based in the United States and almost 15,000 foreign affiliates, of which some 10,000 are nonbank enterprises. The strategies employed by TNCs vary among firms. They may be based on trade in goods and services alone or, more often, involve more complex patterns of integrated production, outsourcing, and marketing. One measure of the extent of integration by U.S. firms is illustrated by the U.S. Census Bureau, which reported that in 1994, 46% of U.S. imports and 32% of U.S. exports were between related firms. Of U.S. exports to Canada and Mexico, 44% were between related parties; for the European Union and Japan, the share was 37%. With respect to imports, the shares of related-party transactions were 75.5% for Japan, 47.2% for the European Union, 44.6% for Canada, and 69.2% for Mexico. Among those sectors with the highest levels of interparty trade are data processing equipment, including computers, and parts and telecommunications equipment, ranging from 50% to 90%.

1.3 COPING WITH INFORMATION VULNERABILITY

Solutions to cope with the vulnerabilities described above require both appropriate technology and user behavior and are as varied as the needs of individual users and organizations. Cryptography—a technology described more fully in Chapter 2 and Appendix C—is an important element of many solutions to information vulnerability that can be used in a number of different ways. National cryptography policy—the focus of this report—concerns how and to what extent government affects the development, deployment, and use of this important technology. To date, public discussion of national cryptography policy has focused on one particular application of cryptography, namely its use in protecting the confidentiality of information and communications. Accordingly, consideration of national cryptography policy must take into account two fundamental issues:

• If the public information and communications infrastructure continues to evolve with very weak security throughout, reflecting both deployed technology and user behavior, the benefits from cryptography for confidentiality will be significantly less than they might otherwise be.

• The vulnerabilities implied by weak security overall affect the ability of specific mechanisms such as cryptography to protect not only confidentiality but also the integrity of information and systems and the availability of systems for use when sought by their users. Simply protecting (e.g., encrypting) sensitive information from disclosure can still leave the rest of a system open to attacks that can undermine the encryption (e.g., the lack of access controls that could prevent the insertion of malicious software) or destroy the sensitive information.

Cryptography thus must be considered in a wider context. It is not a panacea, but it is extremely important to ensuring security and can be used to counter several vulnerabilities. Recognition of the need for system and infrastructure security and demand for solutions are growing. Although demand for solutions has yet to become widespread, the trend is away from a marketplace in which the federal government² was the only meaningful customer. Growing reliance

² The more general statement is that the market historically involved national governments in several countries as the principal customers.

OCR for page 19
Page 40 entrepreneurial strengths, U.S. leadership is not automatic. Already, evidence of such development is available, as these nations build on the falling costs of underlying technologies (e.g., microprocessors, aggregate communications bandwidth) and worldwide growth in relevant skills. The past three decades of information technology history provide enough examples of both successful first movers and strategic missteps to suggest that U.S. leadership can be either reinforced or undercut: leadership is an asset, and it is sensitive to both public policy and private action. Public and private factors affecting the competitive health of U.S. information technology producers are most tightly coupled in the arena of foreign trade.9 U.S. producers place high priority on ease of access to foreign markets. That access reflects policies imposed by U.S. and foreign governments, including governmental controls on what can be exported to whom. Export controls affect foreign trade in a variety of hardware, software, and communications systems.10They are the subject of chronic complaints from industry, to which government officials often respond by pointing to other, industry-centered explanations (e.g., deficiencies in product design or merchandising) for observed levels of foreign sales and market shares. Chapter 4 addresses export controls in the context of cryptography and national cryptography policy. 1.5 INDIVIDUAL AND PERSONAL INTERESTS IN PRIVACY The emergence of the information age affects individuals as well as businesses and other organizations. 
As numerous reports argue, the nation's information infrastructure promises many opportunities for selfeducation, social exchange, recreation, personal business, cost-effective delivery of social programs, and entrepreneurship.11 Yet the same tech- 90f course, many intrafirm and intraindustry factors shape competitive strength, such as good management, adequate financing, good fit between products and consumer preferences, and so on. 10 See, for example, John Harvey et al., A Common-Sense Approach to High-Technology Export Controls, Center for International Security and Arms Control, Stanford University, Stanford, Calif., March 1995; National Research Council, Finding Common Ground: U.S. Export Controls in a Changed Global Environment, National Academy Press, Washington, D.C., 1991; Computer Science and Technology Board, National Research Council, Global Trends in Computer Technology and Their Impact on Export Control, National Academy Press, Washington, D.C., 1988. 11 See, for example, Computer Science and Telecommunications Board (CSTB), National Research Council, The Unpredictable Certainty: Information Infrastructure Through 2000, National Academy Press, Washington, D.C., 1996; CSTB, White Papers: The Unpredictable Certainty, 1996; and CSTB, The Changing Nature of Telecommunications/Information Infrastructure, 1995.

OCR for page 19
Page 41 nologies that enable such benefits may also convey unwanted side effects. Some of those can be considered automated versions of problems seen in the paper world; others are either larger in scale or different in kind. For individuals, the area relevant to this report is privacy and the protection of personal information. Increasing reliance on electronic commerce and the use of networked communication for all manner of activities suggest that more information about more people will be stored in network-accessible systems and will be communicated more broadly and more often, thus raising questions about the security of that information. Privacy is generally regarded as an important American value, a right whose assertion has not been limited to those "with something to hide." Indeed, assertion of the right to privacy as a matter of principle (rather than as an instrumental action) has figured prominently in U.S. political and social history; it is not merely abstract or theoretical. In the context of an information age, an individual's privacy can be affected on two levels: privacy in the context of personal transactions (with businesses or other institutions and with other individuals), and privacy vis-à-vis governmental units. Both levels are affected by the availability of tools, such as cryptography in the context of information and communications systems, that can help to preserve privacy. Today's information security technology, for example, makes it possible to maintain or even raise the cost of collecting information about individuals. It also provides more mechanisms for government to help protect that information. The Clinton Administration has recognized concerns about the need to guard individual privacy, incorporating them into the security and privacy guidelines of its Information Infrastructure Task Force.12These guidelines represent an important step in the process of protecting individual privacy. 
1.5.1 Privacy in an Information Economy Today, the prospect of easier and more widespread collection and use of personal data as a byproduct of ordinary activities raises questions about inappropriate activities by industry, nosy individuals, and/or criminal elements in society. Criminals may obtain sensitive financial information to defraud individuals (credit card fraud, for example, amounts to approximately $20 per card per year). Insurance companies may use health data collected on individuals to decide whether to provide or deny health insurance—putting concerns about business profit- 12Information Infrastructure Task Force, National Information Infrastructure Security Issues Forum, Nll Security: The Federal Role, Washington, D.C., June 5, 1995.

OCR for page 19
Page 42 ability in possible conflict with individual and public health needs. On the other hand, much of the personal data in circulation is willingly divulged by individuals for specific purposes; the difficulty is that once shared, such information is available for additional uses. Controlling the further dissemination of personal data is a function both of procedures for how information should be used and of technology (including but not limited to cryptography) and procedures for restricting access to those authorized. Given such considerations, individuals in an information age may wish to be able to: • Keep specific information private. Disclosure of information of a personal nature that could be embarrassing if known, whether or not such disclosure is legal, is regarded as an invasion of privacy by many people. A letter to Ann Landers from a reader described his inadvertent eavesdropping on some very sensitive financial transactions being conducted on a cordless telephone.13 A staff member of this study committee has heard broadcasts of conversations that apparently emanate from a nextdoor baby monitor whose existence has been forgotten. Home banking services using telephone lines or network connections and personal computers will result in the flow on public networks of large amounts of personal information regarding finances. Even the ad copy in some of today's consumer catalogues contains references to information security threats.14 • Ensure that a party with whom they are transacting business is indeed the party he or she claims to be. Likewise, they may seek to authenticate their own identity with confidence that such authentication will be accepted by other parties, and that anyone lacking such authentication will be denied the ability to impersonate them.15Such a capability is needed 13Ann Landers, "Ann Landers," Washington Post, Creators Syndicate, October 20, 1995, p. D5. 
14For example, a catalogue from Comtrad Industries notes that "burglars use 'Code Grabbers' to open electric garage doors and break into homes," defining "code grabbers" as "devices that can record and play back the signal produced from your garage door remote control" (Comtrad Industries catalogue, 1995, p. 20). The Herrington catalogue advertises the ''Enigma" phone scrambler by noting that "[a] recent Wall Street Journal article documents the increasing acceptance and prevalence of industrial espionage" and mentions as an "example of the alarming intrusion of the federal government into citizens' private lives" the fact that "the FBI petitioned Congress to further expand its wiretapping authority" (Herrington catalogue, Winter 1996, p. 13). Note that both of these mail-order firms cater to mainstream consumer sentiment. 15 For example, a journalist who had reported on the trafficking of illegally copied software on America Online was the victim of hackers who assumed his on-line identity, thereby intercepting his e-mail messages and otherwise impersonating him. See Peter

OCR for page 19
Page 43 to transfer money among mutual funds with a telephone call or to minimize unauthorized use of credit card accounts.16In an electronic domain without face-to-face communications or recognizable indicators such as voices and speech patterns (as used today in telephone calls), forgery of identity becomes increasingly easy. • Prevent the false repudiation of agreed-to transactions. It is undesirable for a party to a transaction to be able to repudiate (deny) his agreement to the terms of the transaction. For example, an individual may agree to pay a certain price for a given product; he or she should not then be able to deny having made that agreement (as he or she might be tempted to do upon finding a lower price elsewhere). • Communicate anonymously (i.e., carry out the opposite of authenticated communication). Individuals may wish to communicate anonymously to criticize the government or a supervisor, report illegal or unethical activity without becoming further involved, or obtain assistance for a problem that carries a social stigma. In other instances, they may simply wish to speak freely without fear of social reprisal or for the entertainment value of assuming a new digital identity in cyberspace. • Ensure the accuracy of data relevant to them. Many institutions such as banks, financial institutions, and hospitals keep records on individuals. These individuals often have no personal control of the records, even though the integrity of the data in these records can be of crucial significance. Occasional publicity attests to instances of the inaccuracy of such data (e.g., credit records) and to the consequences for individuals. Practical safeguards for privacy such as those outlined above may be more compelling than abstract or principled protection of a right to privacy. Lewis, "Security Is Lost in Cyberspace," New York Times, February 22, 1995, p. D1. 
Other cases of "stolen identities" have been reported in the press, and while these cases remain relatively isolated, they are still a matter of public concern. Thieves forge signatures and impersonate the identities of law-abiding citizens to steal money from bank accounts and to obtain credit cards in the name of those citizens; see Charles Hall, "A Personal Approach to Stealing," Washington Post, April 1, 1996, p. Al. 16For example, a recent press article calls attention to security concerns raised by the ease of access to 401(k) retirement accounts (for which there is no cap on the liability incurred if a third party with unauthorized access transfers funds improperly). See Timothy Middleton, "Will Thieves Crack Your Automated Nest Egg?," New York Times, March 10, 1996, Business Section, p. 10. Another article describes a half-dozen easy-to-apply methods that can be used by criminals to undertake fraud. See Albert Crenshaw, "Creative Credit Card Crooks Draw High-Tech Response," Washington Post, August 6, 1995, Business Section, p. H1.

OCR for page 19
Page 44 1.5.2 Privacy for Citizens Public protection of privacy has been less active in the United States than in other countries, but the topic is receiving increasing attention. In particular, it has become an issue in the political agenda of people and organizations that have a wide range of concerns about the role and performance of government at all levels; it is an issue that attracts advocates from across the spectrum of political opinion. The politicization of privacy may inhibit the orderly consideration of relevant policy, including cryptography policy, because it revolves around the highly emotional issue of trust in government. The trust issue surfaced in the initial criticisms of the Clipper chip initiative proposal in 1993 (Chapter 5) and continues to color discussion of privacy policy generally and cryptography policy specifically. To many people, freedom of expression and association, protection against undue governmental, commercial, or public intrusion into their personal affairs, and fair treatment by various authorities are concerns shaped by memories of highly publicized incidents in which such rights were flouted.17It can be argued that such incidents were detectable and correctable precisely because they involved government units that were obligated to be publicly accountable—and  indeed, these  incidents prompted new policies and procedures as well as greater public vigilance. It is also easy to dismiss them as isolated instances in a social system that for the most part works well. 
But where these episodes involve government, many of those skeptical about government believe that they demonstrate a capacity of government to violate civil liberties of 17 Some incidents that are often cited include the surveillance of political dissidents, such as Martin Luther King, Jr., Malcolm X, and the Student Non-Violent Coordinating Committee in the mid to late 1960s; the activities of the Nixon "plumbers" in the late 1960s, including the harassment and surveillance of sitting and former government officials and journalists and their associates in the name of preventing leaks of sensitive national security information; U.S. intelligence surveillance of the international cable and telephone communications of U.S. citizens from the early 1940s through the early 1970s in support of FBI and other domestic law enforcement agencies; and the creation of FBI dossiers on opponents of the Vietnam War in the mid-1960s. The description of these events is taken largely from Frank J. Donner, The Age of Surveillance, Alfred A. Knopf, New York, 1980 (surveillance of political dissidents, pp. 244-248; plumbers, pp. 248-252; FBI dossiers on antiwar protesters, pp. 252-256; NSA surveillance, pp. 276-277). Donner's book documents many of these events. See also Final Report of the Senate Select Committee to Study Governmental Operations with Respect to Intelligence Activities, Book II, April 26, 1974, U.S. Government Printing Office, Washington, D.C., p. 12.

OCR for page 19
Page 45 Americans who are exercising their constitutional rights.18This perception is compounded by attempts to justify past incidents as having been required for purposes of national security. Such an approach both limits public scrutiny and vitiates policy-based protection of personal privacy. It is hard to determine with any kind of certainty the prevalence of the sentiments described in this section. By some measures, over half of the public is skeptical about government in general,19but whether that skepticism translates into widespread public concern about government surveillance is unclear. The committee believes that most people acting as private individuals feel that their electronic communications are secure and do not generally consider it necessary to take special precautions against threats to the confidentiality of those communications. These attitudes reflect the fact that most people, including many who are highly knowledgeable about the risks, do not give much conscious thought to these issues in their day-to-day activities. At the same time, the committee acknowledges the concerns of many law-abiding individuals about government surveillance. It believes that such concerns and the questions they raise about individual rights and government responsibilities must be taken seriously. It would be inappropriate to dismiss such individuals as paranoid or overly suspicious. Moreover, even if only a minority is worried about government surveillance, it is an important consideration, given the nation's history as a 18For example, at the 4th Conference on Computers, Freedom, and Privacy in Chicago, Illinois, held in 1994, a government speaker asked the audience if they were more concerned about government abuse and harassment or about criminal activity that might be directed at them. An overwhelming majority of the audience indicated greater concern about the first possibility. 
For recent accounts that give the flavor of concerns about malfeasance by law enforcement officials, see Ronald Smothers, "Atlanta Holds Six Policemen in Crackdown," New York Times, September 7, 1995, p. 9; George James, "Police Officer Is Arrested on Burglary Charges in Sting Operation," New York Times, September 7, 1995, p. B5; Kenneth B. Noble, "Many Complain of Bias in Los Angeles Police," New York Times, September 4, 1995, p. 11; Kevin Sack, "Racism of a Rogue Officer Casts Suspicion on Police Nationwide," New York Times, September 4, 1995, p. 1; Gordon Witkin, "When the Bad Guys Are Cops,'' U.S. News & World Report, September 11, 1995, p. 20; Barry Tarlow, "Doing the Fuhrman Shuffle," Washington Post, August 27, 1995, p. C2; and David W. Dunlap, "F.B.I. Kept Watch on AIDS Group During Protest Years," New York Times, May 16, 1995, p. B3. 19For example, a national Harris poll in January 1994 asked "Which type of invasions of privacy worry you the most in America today—activities of government agencies or businesses?" Fifty-two percent said that government agencies were their greater worry, while 40% selected business. See Center for Social and Legal Research, Privacy & American Business, Volume 1(3), Hackensack, N.J., 1994, p. 7.

OCR for page 19
Page 46 democracy,20for determining whether and how access to and use of cryptography may be considered a citizen's right (Chapter 7). 1.6 SPECIAL NEEDS OF GOVERNMENT Government encompasses many functions that generate or depend on information, and current efforts to reduce the scope and size of government depend heavily on information technology. In many areas of government, the information and information security needs resemble those of industry (see Appendix I). Government also has important responsibilities beyond those of industry, including those related to public safety. For two of the most important and least understood in detail, law enforcement and national security, the need for strong information security has long been recognized. Domestic law enforcement authorities in our society have two fundamental responsibilities: preventing crime and prosecuting individuals who have committed crimes. Crimes committed and prosecuted are more visible to the public than crimes prevented (see Chapter 3). The following areas relevant to law enforcement require high levels of information security: • Prevention of information theft from businesses and individuals, consistent with the transformation of economic and social activities outlined above. • Tactical law enforcement communications. Law enforcement officials working in the field need secure communications.  At present, police scanners available at retail electronics stores can monitor wireless com- 20Protecting communications from government surveillance is a time-honored technique for defending against tyranny. A most poignant example is the U.S. insistence in 1945 that the postwar Japanese constitution include protection against government surveillance of the communications of Japanese citizens. In the aftermath of the Japanese surrender in World War II, the United States drafted a constitution for Japan. The initial U.S. 
draft contained a provision saying that "[n]o censorship shall be maintained, nor shall the secrecy of any means of communication be violated." The Japanese response to this provision was a revised provision stating that "[t]he secrecy of letter and other means of communication is guaranteed to all of the people, provided that necessary measures to be taken for the maintenance of public peace and order, shall be provided by law." General Douglas MacArthur, who was supervising the drafting of the new Japanese constitution, insisted that the original provision regarding communications secrecy and most other provisions of the original U.S. draft be maintained. The Japanese agreed, this time requesting only minor changes in the U.S. draft and accepting fully the original U.S. provision on communications secrecy. See Osamu Nishi, Ten Days Inside General Headquarters (GHQ): How the Original Draft of the Japanese Constitution Was Written in 1946, Seibundo Publishing Co. Ltd., Tokyo, 1989.

OCR for page 19
Page 47 munications channels used by police; criminals eavesdropping on such communications can receive advance warning of police responding to crimes being committed. • Efficient use by law enforcement officials of the large amounts of information compiled on criminal activity. Getting the most use from such information implies that it be remotely accessible and not be improperly modified (assuming its accuracy and proper context, a requirement that in itself leads to much controversy21). • Reliable authentication of law enforcement officials. Criminals have been known to impersonate law enforcement officials for nefarious purposes, and the information age presents additional opportunities. In the domain of national security, traditional missions involve protection against military threats originating from other nation-states and directed against the interests of the United States or its friends and allies. These traditional missions require strong protection for vital information: • U.S. military forces require secure communications. Without cryptography and other information security technologies in the hands of friendly forces, hostile forces can monitor the operational plans of friendly forces to gain an advantage.22 • Force planners must organize and coordinate flows of supplies, personnel, and equipment. Such logistical coordination involves databases whose integrity and confidentiality as well as remote access must be maintained. • Sensitive diplomatic communications between the United States and its representatives or allies abroad, and/or between critical elements 21See, for example, U.S. General Accounting Office (GAO), National Crime Information Center: Legislation Needed to Deter Misuse of Criminal Justice Information, GAO/T-GGD-93-41, GAO, Washington, D.C., 1993. 
22For example, the compromise of the BLACK code used by Allied military forces in World War II enabled German forces in Africa in 1942, led by General Erwin Rommel, to determine the British order of battle (quantities, types, and locations of forces), estimate British supply and morale problems, and know the tactical plans of the British. The compromise of one particular message enabled Rommel to thwart a critical British counterattack. In July of that year, the British switched to a new code, thus denying Rommel an important source of strategic intelligence. Rommel was thus surprised at the Battle of Alamein, widely regarded as a turning point in the conflict in the African theater. See David Kahn, The Codebreakers: The Story of Secret Writing, MacMillan, New York, 1967, pp. 472-477.

OCR for page 19
Page 48 of the U.S. government, must be protected as part of the successful conduct of foreign affairs, even in peacetime.23 In addition, the traditional missions of national security have expanded in recent years to include protection against terrorists24and international criminals, especially drug cartels.25Furthermore, recognition has been growing that in an information age, economic security is part of national security. More broadly, there is a practical convergence under way among protection of individual liberties, public safety, economic activity, and military security. For example, the nation is beginning to realize that critical elements of the U.S. civilian infrastructure-including the banking system, the air traffic control system, and the electric power grid-must be protected against the threats described above, as must the civilian information infrastructure that supports the conduct of sensitive government communications. Because civilian infrastructure provides a significant degree of functionality on which the military and defense sector depends, traditional national security interests are at stake as well, and concerns have grown about the implications of what has come to be known as information warfare (Box 1.9). More generally, the need for more secure systems, updated security policies, and effective procedural controls is taking on truly nationwide dimensions. 1.7 RECAP Chapter 1 underscores the need for attention to protecting vital U.S. interests and values in an information age characterized by a number of trends: •  The world economy is in the midst of a transition from an indus- 23An agreement on Palestinian self-rule was reached in September 1995. According to public reports, the parties involved, Yasir Arafat (leader of the Palestinian Liberation Organization) and Shimon Peres (then Foreign Minister of Israel), depended heavily on the telephone efforts of Dennis Ross, a U.S. 
negotiator, in mediating the negotiations that led to the agreement. Obviously, in such circumstances, the security of these telephone efforts was critical. See Steven Greenhouse, "Twist to Shuttle Diplomacy: U.S. Aide Mediated by Phone," New York Times, September 25, 1995, p. 1. 24Terrorist threats generally emanate from nongovernmental groups, though at times involving the tacit or implicit (but publicly denied) support of sponsoring national governments. Furthermore, the United States is regarded by many parties as a particularly important target for political reasons by virtue of its prominence in world affairs. Thus, terrorists in confrontation with a U.S. ally may wish to make a statement by attacking the United States directly rather than its ally. 25 See, for example, Phil Williams, "Transnational Criminal Organizations and International Security," Survival, Volume 36(1), Spring 1994, pp. 96-113.

OCR for page 19
Page 49 BOX 1.9 Information Warfare "Information warfare" (IW) is a term used in many different ways. Of most utility for this report is the definition of IW as hostile action that targets the information systems and information infrastructure of an opponent (i.e., offensive actions that attack an opponent's communications, weapon systems, command and control systems, intelligence systems, information components of the civil and societal infrastructure such as the power grid and banking system) coupled with simultaneous actions seeking to protect U.S. and allied systems and infrastructure from such attacks. Other looser uses of the term IW include the following: • The use of information and tactical intelligence to apply weapon systems more effectively. IW may be used in connection with information-based suppression of enemy air defenses or "smart" weapons using sensor data to minimize the volume of ordnance needed to destroy a target. • The targeting of companies' information systems for IW attacks. As industrial espionage spreads and/or international competitiveness drives multinational corporations into military-like escapades, the underlying notion of information-based probing of and attack on a competitor's information secrets could take on a flavor of intergovernment military or intelligence activities. • The fight against terrorism, organized crime, and even street crime, which might be characterized as IW to the extent that information about these subjects is used to prosecute the battle. This usage is not widespread, although it may develop in the future. Usage of the term has shifted somewhat as federal agencies, notably the Department of Defense, struggle to fully appreciate this new domain of warfare (or lowintensity conflict) and to create relevant policy and doctrine for it. Conversely, there is some discussion of the vulnerabilities of the U.S. civil information infrastructure to such offense. 
A broad range of activities can take place in information warfare: • Physical destruction of information-handling facilities to destroy or degrade functionality; • Denial of use of an opponent's important information systems; • Degradation of effectiveness (e.g., accuracy, speed of response) of an opponent's information systems; • Insertion of spurious, incorrect, or otherwise misleading data into an opponent's information systems (e.g., to destroy or modify data, or to subvert software processes via improper data inputs); • Withdrawal of significant tactical or strategic data from an opponent's information systems; • Insertion of malicious software into an opponent's system to affect its intended behavior in various ways and, perhaps, to do so at a time controlled by the aggressor; and • Subversion of an opponent's software and/or hardware installation to make it an in-place self-reporting mole for intelligence purposes. As an operational activity, information warfare clearly is related closely to, but yet is distinct from, intelligence functions that are largely analytical. IW is also related to information security, since its techniques are pertinent both to prosecution of offensive IW and to protection for defensive IW.

OCR for page 19
Page 50 trial to an information age in which information products are extensively bought and sold, information assets provide leverage in undertaking business activities, and communications assume ever-greater significance in the lives of ordinary citizens. At the same time, national economies are increasingly interlinked across national borders, with the result that international dimensions of public policy are important. • Trends in information technology suggest an ever-increasing panoply of technologies and technology-enabled services characterized by high degrees of heterogeneity, enormous computing power, and large data storage and transmission capabilities. • Given the transition to a global information society and trends in information technology, the future of individuals and businesses alike is likely to be one in which information of all types plays a central role. Electronic commerce in particular is likely to become a fundamental underpinning of the information future. • Government has special needs for information security that arise from its role in society, including the protection of classified information and its responsibility for ensuring the integrity of information assets on which the entire nation depends. Collectively, these trends suggest that future needs for information security will be large. Threats to information security will emerge from a variety of different sources, and they will affect the confidentiality and integrity of data and the reliable authentication of users; these threats do and will affect businesses, government, and private individuals. Chapter 2 describes how cryptography may help to address all of these problems.