tion Security (DIS). This individual could chair an interagency committee consisting of agencies and departments with a direct interest in and responsibilities for information security matters, including the operating agency, economic policy agencies (Departments of Treasury and Commerce), law enforcement agencies (FBI; Drug Enforcement Administration; Bureau of Alcohol, Tobaccco, and Firearms), and international affairs and intelligence agencies (Departments of State and Defense, CIA).
Operationally, a single agency could have responsibility for standards setting, certification of escrow agents, approval of certificate holders for authentication purposes, public education on information security, definition of "best practices," management of cryptography on the Commerce Control List, and so on. The operating agency could be one with an economic policy orientation, such as the Department of Commerce. An alternative point of responsibility might be the Treasury Department, although its law enforcement responsibilities could detract from the objective of raising the economic policy profile of the information security function.
The public advisory committee, which is an essential element of this structure, could be made up of representatives of the computing, telecommunications, and banking industries, as well as "public" members from academia, law, and so on. This committee could be organized along the lines of the President's Foreign Intelligence Advisory Board and could report to the Counselor for DIS.
This chapter describes a number of possible policy options but does not attempt to pull together how these options might fit together in a coherent policy framework. That is the function of Chapter 8.