Page 455
I Industry-Specific Dimensions of Security
The discussion in Chapter 1 is couched in terms that are relatively independent of the specific industry or business involved. However, industries differ in the specifics of the information they wish to protect and in the operational questions they ask about security. What follows is an indicative—not exhaustive—discussion of security issues as they relate to specific types of business.1 As discussed in Chapters 1 and 2, cryptography is only part of an overall approach to dealing with information security concerns; other factors also matter, such as administrative and technical procedures for controlling access to sensitive information and the trustworthiness of computer operating systems and applications software, among others. However, cryptographic technologies for authentication, integrity, and confidentiality can strengthen an organization's overall information security in many ways.
I.1 BANKING AND FINANCIAL SERVICES
Banking and financial services are a good example of how communications underpin the economy. The flow of currency is largely digital. Funds are transferred from account to account, from customer to vendor,
1 These industry-specific comments should not be read as being mutually exclusiveconcerns raised in the discussion of one industry may apply to other industries as well. Nevertheless, as presented, they do reflect concerns raised in discussions with representatives from the industries indicated.
Page 456
from bank to bank—all without the trade of tangible property. As evidenced recently by the economic crisis in Mexico, the rapid transfer of investments has the ability to make or break an economy, much as the weather affected economies during the agricultural era. Network-enabled communications speed back-office (check and accounts) processing, as well as mortgage and loan application processing, and indeed interlink financial services, banking, and investment systems worldwide. Wholly new securities (e.g., derivatives and indexes) and services are created by the effective use of information communicated in a prompt and timely fashion.
Banks and financial service institutions have had a long history of being a target of nefarious elements in society and thus traditionally have been willing to spend money on security measures (e.g., safes). This history, coupled with their dependence on information technology and their capability for networked communication among themselves, has led to a relatively high degree of concern within the banking and financial services sector for information security. Given the importance of U.S. banks in the world economy, large U.S. banks with multinational connections have needs for security that are quite stringent.
In the matter of managing electronic transfers of financial transaction information, banks are much more concerned with authentication than with data confidentiality, although concerns about the latter are growing as the result of regulation and increasingly common business practices. The reason is that false authentication may lead to an unrecoverable loss of financial assets, an event regarded as more disastrous than the loss of privacy. Nonetheless, confidentiality is important as well,2 not so much because personal financial transactions need to be kept private (they do, but the ramifications of divulging one person's transactions are generally limited to that person), but because an adversary's understanding of the data flows within the banking system can itself lead to security breakdowns. (For example, with access to confidential information, an adversary may learn how to bypass certain access controls.)
Banking is extensively international today and will become more so in the future. Moreover, it has moved relatively quickly to bring customers (both individual and institutional) on line in an attempt to reduce costs. (For example, some banks with South American customers call the United States and are answered in Spanish or Portuguese from processing and customer service centers in Europe.) For these reasons, the banking industry may represent the leading edge of information security needs
2 Note that banks, as part of a highly regulated industry, are relatively less concerned about government monitoring of their financial transactions, since governments usually have extensive authority to monitor any aspect of bank transactions in any event.
Page 457
as far as other increasingly internationalized and electronically interconnected industries are concerned. (Box I.1 describes some of the issues that arise when retail customers might apply for a loan through an electronic connection.)
To date, losses due to electronic penetration of banking systems have been a relatively small fraction of the billions of dollars written off every year in bad loans, unrepayable debt, and the like.3 Yet the fact that any penetrations at all have occurred raise the specter of much larger losses (billions rather than millions of dollars) as the result of similar but more sophisticated actions. In addition, given the central importance of banking systems in the U.S. economy, a major disruption of service in these systems could have cataclysmic consequences for the world economy. Finally, customer and patron trust is at the heart of modern financial systems around the world, and such trust, once lost, is difficult to regain. Even small bank losses—if made widely known—could adversely affect customer trust in banks, and the result could be a significant and widespread loss of trust leading to enormous financial disruption and chaos.
I.2 MEDICAL CONSULTATIONS AND HEALTH CARE
Many health care professionals believe that computer-based health care information systems, both within individual institutions and networked over a national information infrastructure, hold great potential for improving the quality of health care, reducing administrative and clinical costs, increasing access (e.g., through telemedicine in rural areas), and enabling data aggregation in support of research on the cost and effectiveness of alternative treatments. Computer storage, retrieval, and network accessibility of health care information, such as medical records and diagnostic test data, can sharply increase the efficiency with which patients, care providers, and others (such as payers, researchers, and public health officials) use that information.4
At the same time, the digitization and transmission of such information raises concerns about the heightened vulnerability of personal infor-
3 For example, losses on credit cards issued to consumers are considerable, but the amount lost due to outright fraud is small compared to the debts that consumers are simply unable or unwilling to pay.
4 See, for example, Institute of Medicine, The Computer-Based Patient Record: An Essential Technology for Health Care, R.S. Dick and E.B. Steen (eds.), National Academy Press, Washington, D.C., 1991; and Information Infrastructure Task Force Committee on Applications and Technology, Putting the Information Infrastructure to Work, NIST Special Publication 857, U.S. Department of Commerce, National Institute of Standards and Technology, Gaithersburg, Md., 1994.
Page 458
| BOX 1.1 Loans are an essential part of many large transactions such as the purchase of houses and automobiles. Consumers provide information in loan applications which the loan provider uses as the basis of a loan approval. The formal approval commits the lender to a specific interest rate and, when it is accepted, the user to a specific repayment schedule. Since only information is exchanged, an application in principle could be conducted entirely without face-to-face interaction between consumer and provider, thus freeing the consumer to search the Internet for a provider offering the best rate.1 In practice, however, the prospect of an Internet loan application raises many questions: • How is the personal data transmitted from the consumer to the provider to be protected as it crosses the Internet? In a face-to-face interaction, the information is provided at the bank, and so there is no difficulty in protecting the information in transit. • How does the consumer know that she or he is sendingthe data to the proper bank? In a face-to-face interaction, the consumer can look at the sign on the front of the building to verify that it is indeed a branch of First Citibank of Washington, for example. (People have been known to send faxes to the wrong fax number.) • How does the consumer know that the institution with which he or she is interacting is a trustworthy one (e.g., an organization chartered and regulated by the Federal Deposit Insurance Corporation)? In a face-to-face interaction, the consumer can look for the Federal Deposit Insurance Corporation seal at the front of the building and have some confidence that the seal is indeed associated with the offices inside the building. • How do the parties ensure the integrity of a quoted interest rate? In a face-toface interaction (or over the telephone), the parties can simultaneously view a piece of paper on which a certain interest rate is typed. • In many loans, the interest rate is tied in an algorithmic fashion to a market index of some sort (e.g., 3 percentage points over the prime interest rate). In a faceto-face interaction, the lender can pull out a copy of the Wall Street Journal and point to p. B4. • How does the lender verify the consumer's identity? In a face-to-face interaction, the consumer can present two photo identification cards and a recent tax return. • How can the lender as a commercial entity protect itself against cyber-anarchists who believe that commercial transactions have no place on the Internet? In offering services to consumers on a face-to-face basis, police and security guards protect the bank against robbers. 1 Indeed, laws and regulations governing the granting of credit explicitly or implicitly forbid the inclusion of factors such as race or ''character" that might be ascertained in a face-to-face interaction. |
Page 459
mation in a profession with a tradition of maintaining the confidentiality of patient records that goes back to the days of Hippocrates.5 Indeed, patient records may contain a great deal of sensitive information, photographs and other images, physicians' observations, clinical tests, diagnoses and treatments, life-style information (e.g., tobacco and alcohol use and sexual behavior), family medical history, and genetic conditions. If divulged to parties outside the patient-caregiver relationship, such information carries the risk of causing great personal anguish and/or financial harm (e.g., loss of insurance, employment).
Trends in health care today suggest an increasing aggregation of clinical, demographic, and utilization information into a single, patient-based record6 or the development and deployment of systems for virtually linking these sources of information.7 As a result, the number of access points to the information contained in computer-based patient records is increasing, thereby increasing its potential vulnerability. In addition, as the practice of telemedicine spreads, patient information and conferences among geographically separated medical professionals treating a single patient, which are transmitted across communications networks may be susceptible to interception.
Data aggregation presents another concern. For example, databases without personal identifiers may be assembled for purposes of research or public health planning.8 Despite the fact that it may not be necessary to know the identities of individual patients, it may be possible to cross-index these databases with others (such as employment histories, insurance records, and credit reports), enabling the determination of personal identities.9 This might be done, for example, in order to generate a list of names and addresses for direct marketing of a pharmaceutical product or a health service. Box 1.2 describes one cryptographic method that can be used to reduce the risk of improper data aggregation.
The risks of improper disclosure of patient information come from
5 It is interesting to note that for health care professionals, "confidentiality" refers to keeping certain information out of the hands of unauthorized individuals by whatever mechanisms are necessary, whereas for information security providers the term refers to a specific property of encrypted information.
6 L.O. Gostin, J. Turek-Brezina, M. Powers, R. Kozloff, R. Faden, and D.D. Steinauer, "Privacy and Security of Personal Information in a New Health Care System," Journal of the American Medical Association, Volume 270(20), 1993, pp. 2487-2493.
7 Personal communication, E.H. Shortliffe, Stanford University School of Medicine, November 5, 1994.
8 Institute of Medicine, Health Data in the Information Age: Use, Disclosure, and Privacy, M.S. Donaldson and K.N. Lohr (eds.), National Academy Press, Washington, D.C., 1994.
9 E. Meux, "Encrypting Personal Identifiers," Health Services Research, Volume 29(2), 1994, pp. 247-256.
Page 460
| BOX 1.2 Use of the Social Security Number as a de facto universal identifier gives rise to concerns on the part of privacy advocates regarding the unauthorized aggregation of data about individuals collected from many different institutions that have been individually authorized to release specific data. Peter Szolovits and Isaac Kohane have proposed a mechanism based on public-key cryptography that would generate a unique identifier tied to the individual and a specific institution under which that individual's information could be stored by that institution. With such a mechanism in place, a positive user action would be required to create an identifier, and the individual would gain control over the parties who could aggregate personal data because he or she could refuse to create an identifier for any given institution requesting particular data. In essence, the scheme relies on the individual's performing a public-key digital signature on the institution's name. The result of this operation is a piece of data, usable as an identifier, that only the individual could have created, but that anyone can verify the individual has created. More specifically, the individual "decrypts" the plaintext that gives the name of the institution using his or her private key. Only the individual could have created the result, because only the individual knows the private key. However, anyone can encrypt the identifier using the individual's public key. If the result of this encryption is the name of the institution, it can be known with confidence that indeed the individual generated the identifier. Of course policy would be needed to support this mechanism as well. For example, it might be necessary to conduct random data audits of various institutions that would check to see if a given institution was indeed properly authorized by the individual to receive given data. SOURCE: P. Szolovits and I. Kohane, "Against Universal Health-care Identifiers," Journal of the American Medical Informatics Association, Volume 1, 1994, pp. 316-319. |
two sources: disclosure through actions taken by unauthorized "outside" parties (e.g., eavesdroppers, hackers, visitors wandering through a hospital unchallenged, individuals posing over the telephone as physicians and convincing medical personnel to divulge sensitive information or grant remote access to an information system) or disclosure through actions taken by authorized "inside" parties who abuse their authorization (e.g., a hospital staff member snooping out of curiosity into the records of relatives, friends, or celebrities or a medical records clerk motivated by financial, political, or other concerns who gives or sells lists of women with appointments for abortions to an antiabortion political group.10)
10 Personal communication, E.H. Shortliffe, Stanford University School of Medicine, November 5, 1994.
Page 461
Health care organizations tend to be much more concerned about the "insider" than the "outsider" threat. Information systems for health care organizations are no longer freestanding "islands of information"; instead, because they are increasingly networked beyond their walls, the number of "inside" authorized users is expanding to include other primary and specialty health care providers, health insurers, employers or purchasers, government agencies, and the patient or consumer.
A final category of concern related to health care information security is the need to ensure the integrity and the authenticity of data associated with a patient. Thus, computer-based patient records must be secure against improper alteration or deletion of data (data integrity) and known with high confidence to be associated with the particular individual with whom they are claimed to be associated (data and user authenticity).
This categorization of risks suggests that, within health care organizations, the need for authentication of users and access controls (for both insiders and outsiders) may well be more important than encryption for confidentiality (in the information security sense of the term). The reason is that good authentication and access controls enable to a very high degree the creation of audit trails that can help document who has accessed what information and for what reason. However, the need for interorganizational transmission of data is encouraging many health care administrators to re-evaluate their strategic risk analysis and consider cryptography for data confidentiality.
Some informal discussions with health care leaders reveal that security issues are generally delegated to their chief information officers and are not a standing top-priority item in their overall strategic planning. However, many of the country's foremost health care organizations continuously conduct risk analysis and generally have decided that serving the needs of authorized patient caregivers for rapid access to clinical information is their paramount priority. Any technical or policy approach to implementing cryptography for confidentiality will always be measured against this patient care priority.
I.3 MANUFACTURING
Large manufacturing companies are increasingly multinational. For example, General Motors (GM), the world's largest full-line vehicle manufacturer of cars, trucks, and automotive systems, has units worldwide that support all dimensions of its production. Its divisions range from those that build mechanical subsystems and components for automobiles and electronic systems for automotive electronics, telecommunications, and space and defense electronics to those that provide financing and
Page 462
insurance for dealers and end customers. GM has about 600,000 employees in 170 countries worldwide.
Manufacturers are placing more emphasis on product variety.11 Variation inevitably increases costs (e.g., each variant requires considerable engineering; thus, the engineering costs per variant rise). To amortize these fixed costs, manufacturers necessarily seek larger markets for these variants, and the result is often a global market. For example, a market for a certain product in a particular foreign nation may exist, and a variant of a product originally intended for a U.S. market with local content added in that foreign nation may prove quite successful. To manage sales globally, companies may well need to establish company offices in foreign countries that remain in frequent communication with company headquarters in the United States.
Manufacturing operations must be managed globally as well. For example, a problem in a manufacturing plant in Brazil may require an engineering change order to be generated at an engineering design center in Germany and synchronized with tooling supplied by Japan and parts manufactured in Mexico. A second incentive for global operations is that labor costs are often lower abroad as well, for both white-collar and blue-collar workers.
The network of vendors and suppliers that serve large manufacturing operations is also global. The day is long since gone when it makes economic sense for a manufacturer to take responsibility for fabricating every component under its own direct control—outsourcing such fabrication is often much more efficient. In some cases, foreign suppliers of parts are used because foreign purchase of parts is an additional incentive for a foreign nation to buy the finished U.S. product. However, to obtain the right mix of price, quality, volume, and timeliness, manufacturers increasingly search globally for subcontractors, and these subcontractors must be integrated into the manufacturer's information network. At the same time, it may not be desirable for subcontractors to share the same level of access as the primary company, especially if these subcontractors are competitors. Unauthorized disclosure of information between such parties constitutes a threat by endangering and presenting a risk to important communications links between the company and the customers and suppliers (reducing business trust). The same is true for manufacturers and customers: a manufacturer of capital-intensive products may well wish to share product information with potential customers. Yet since potential customers may be competitors among themselves (e.g., an airplane manufacturer may have several airlines among its customers)
11 For more discussion, see Computer Science and Telecommunications Board, National Research Council, Information Technology for Manufacturing: A Research Agenda, National Academy Press, Washington, D.C., 1995.
Page 463
and information regarding customer-desired product configurations may have competitive significance, the manufacturer has an important requirement to keep information about one customer private to that customer.
The information flows associated with such activities are enormously valuable to manufacturing firms. These flows contain sensitive and proprietary information related to:
• Product design and research and development;
• Marketing, sales, and bidding;
• Plant operations, capabilities, and efficiencies;
• Costs and prices of parts or services being purchased and products being sold;
• Strategic plans;
• Profits and losses;
• Orders to and from suppliers;
• Product readiness and repair; and
• Product problems and incident investigations.
These information flows need not necessarily be electronic; many companies still use people on airplanes with briefcases locked to their wrists. In electronic form, however, they can be transmitted instantly via electronic mail, telephone, fax, and videoconference, and action can be taken on a much shorter time scale. Specialized communications infrastructures can make all the difference in the world—one manufacturer reported that before a specialized network was installed, engineers in the United States were cutting large engineering drawings into 8½ x 11 sheets and faxing them to their counterparts in another country.
At the same time, the compromise of communications can be significant in manufacturing. Theft of product design data can result in the loss of competitive advantage in products; if the products in question have military significance, such data may well be classified and the compromise of data may lead to a national security threat to the United States. Premature release of financial information can affect stock prices. Knowledge of specific problems in a given plant can give competitors unwarranted leverage. Unauthorized changes to engineering orders can result in chaos on the assembly line or in operational disaster. Destruction or alteration of key data by insiders or outsiders could be as significant as physical sabotage, and subtle changes to digital designs or software may be undetectable for an indefinite time with possible consequences such as product recall.
I.4 THE PETROLEUM INDUSTRY
The petroleum industry is inherently international; a typical multinational oil company may operate in dozens of nations. Moreover, the scale
Page 464
of oil exploration and production requires substantial collaborative efforts, even among potential competitors. Thus, this industry highlights the need for protecting sensitive proprietary information that must be shared worldwide, potentially across telecommunication networks. Sensitive information of particular significance to the petroleum industry includes the following:
• Personnel information. Top executives of large multinational oil companies are often placed at substantial physical risk by threats of kidnapping, extortion, and other criminal activity. Thus, the whereabouts of such individuals are often confidential.
• Personal information. Midlevel employees who work and live in politically unstable areas are often concerned about maintaining their personal safety. Since they may engage routinely in communications between home and office that could disclose their whereabouts, compromise of these communications could subject them to personal attack.
• Seismic and other data indicating the whereabouts of oil and natural gas underground. Such data are particularly sensitive because the competitive advantage of a given oil company may well be in the data it has been able to collect on a given field. The use of such data, coupled with advanced computing capabilities, has saved hundreds of millions of dollars by helping drillers to avoid "dry" wells.12
• Information related to bidding. Oil companies often bid for rights to drill or to explore in certain locations, and premature disclosure or disclosure to inappropriate parties of such information could seriously compromise bidding negotiations.
• Conferences among technical experts. With worldwide operations, it may be necessary, for example, for experts at a potential drilling site to consult with experts located halfway around the world to make a reasoned decision about drilling. These experts display the same seismic data on their computer screens (data that is confidential as described above), but the in-house expertise needed to interpret such data (as expressed in their communications) can be an additional competitive advantage that cannot be compromised.
A significant amplifier of the information security threat relevant to U.S. multinational oil companies is the fact that the oil companies of other nations are often state owned and operated. The close integration between such foreign oil companies and their governments, combined with
12 Written testimony of Jack L. Brock to the Subcommittee on Science, Technology and Space of the Senate Commerce Committee, March 5, 1991, p. 4.
Page 465
the large economic stakes involved, raises significant concerns in U.S. oil companies that all of the resources of those foreign governments may be brought to bear against them, including foreign intelligence services.
1.5 THE PHARMACEUTICAL AND CHEMICAL INDUSTRIES
The pharmaceutical and chemical industries are also global, since foreign nations often possess both the intellectual expertise and the natural resources needed to be successful in these industries.13 The critical dimensions of these industries in which information must be protected involve not products per se but rather other areas:
• The scientific and technical expertise that allows companies to conceptualize new molecules or adapt previously known molecules to new functionality. Research and development of new drugs and chemicals is the lifeblood of these industries, and information or data in which the creativity of their chemists is reflected is critical.
• The regime of intellectual property protection. Intellectual property rights are one primary mechanism on which the pharmaceutical and chemical industries depend to protect their large investments in research and development. However, intellectual property rights are generally granted to the parties that are first with a discovery or invention.14 Thus, the speed with which discoveries can be made or a patent application filed becomes a parameter of critical importance; nonrepudiable (i.e., irrefutable) proof of the integrity of data from clinical trials and of the dates of patentable discoveries can be useful to strengthen patent claims. In addition, given the public nature of much of the science underlying these discoveries, small intellectual advances that save time may be the only advantage that a company has in the race to be first. Premature disclosure of information associated with the protection of intellectual property rights can lead to patent challenges or even loss of protection and thus may be extraordinarily damaging.
• The processes by which drugs and chemicals are manufactured. In general, drugs and chemicals are at the end of a long processing chain in which raw materials are transformed into the desired substances. Even
13 For example, in August 1995, Upjohn announced a merger with a Swedish competitor (Pharmacia AB) that would result in the ninth-largest drug company in the world, with 34,500 employees worldwide. See Associated Press, "Upjohn, Rival Drug Firm Plan Merger," Washington Post, August 21, 1995, p. A6.
14 In some regimes, "first" means first to discover or invent. In others, first means first to file for patent protection. For purposes of this discussion, the distinction is irrelevant.
Page 466
small process improvements that reduce the volume of raw materials necessary, problems of quality control, or the dangers or complexity of the overall manufacturing process can be reflected in large savings of time and money. Such improvements may be protected by intellectual property rights, but enforcement may be difficult if it is not known that a competitor is using a stolen process improvement. In other instances (e.g., safety), widespread publicity of information taken out of context may cause a company many public relations difficulties.
I.6 THE ENTERTAINMENT INDUSTRY
The product of the entertainment industry is information, information that is increasingly migrating to digital form. The dominant concern of the entertainment industry is how to protect digitized music, movies, games, and the like from unauthorized mass distribution without proper payment of royalties and fees. A secondary, though still important, concern is how the integrity of such products can be ensured. For example, an unprotected digitized movie could be altered unmaliciously (with the intent of enhancing its appeal, e.g., by colorizing an original black-and-white movie) or maliciously (e.g., by changing a scene for purposes of embarrassing the producing company).
I.7 GOVERNMENT
The U.S. government is, and will continue to be, a major user of cryptography, both for internal purposes and in its exchanges with citizens. As more and more government services are implemented using electronic methods, it becomes increasingly important to identify and authenticate individuals and to verify the accuracy of data. To the extent that people wish to use electronic means to communicate personal information to the government, the need to maintain confidentiality also increases. Cryptography supports all of these goals in an electronic world. Several of the many examples of how cryptography will be used in the federal government are described here.
The Internal Revenue Service (IRS) is responsible for collecting the taxes that fuel all government programs. Every year, citizens and corporations transmit financial data to the IRS and interact with the agency to resolve any problems. The agency processes approximately 100 million individual tax returns and more than 1 billion supporting documents (e.g., W-2 forms, 1099 forms) annually. The primary goal of the IRS's Tax Systems Modernization (TSM) effort is to facilitate this process by in-
Page 467
creasing its use of electronic processing and electronic interchange of information. 15
The TSM effort will allow the IRS to process 100% of all tax return data on line and will significantly increase the amounts of data that are submitted electronically. It is this latter capability that requires the use of cryptography, primarily in the form of digital signatures, to ensure that tax returns are submitted in a proper manner. Currently, the IRS is required to store the handwritten signature of the person(s) for each and every tax return, including those submitted electronically. The use of digital signatures will allow the IRS to eliminate handwritten signatures without loss of authentication, which will streamline the data-gathering process. The IRS will be supporting the Digital Signature Standard, as well as other signature standards that become de facto commercial standards.16 While most electronic filing of income tax returns is currently carried out by authorized tax preparers, the IRS is working on creating a secure system using cryptography that would enable taxpayers to file directly from their home computers.
Similar to the IRS, the Social Security Administration (SSA) also collects data from citizens and corporations on a regular basis. Furthermore, the SSA is responsible for disbursing funds for old-age and survivors' insurance, disability insurance, and supplemental security income programs. The effective and efficient management of these programs increasingly relies on automated data processing and electronic exchanges among the SSA, citizens, and corporations. The agency is also involved in the deployment of digital signatures to streamline its operations. Digital signatures will allow citizens with home computers to check the status of their benefits 24 hours a day, rather than waiting for a telephone service representative to provide the needed information. Without digital signatures, such a service cannot be provided electronically because of concerns about protecting the security of the private information involved in such an exchange.
The wide-scale government use of cryptography will require an extensive infrastructure for maintaining public keys for all citizens, corporations, and organizations. The Security Infrastructure Program Management Office at the General Services Administration is planning pilot
15 Computer Science and Telecommunications Board, National Research Council, Review of the Tax Systems Modernization of the Internal Revenue Service, National Academy Press, Washington, D.C., 1992; and CSTB, Continued Review of the Tax Systems Modernization of the Internal Revenue Service, 1994.
16 "IRS, SSA to Let Public Try Digital Signatures," Government Computer News, November 13, 1995, p. 1.
Page 468
projects to test the use of cryptography in electronic communications between agencies and citizens. Agencies such as SSA, IRS, and the Department of Education will participate. Citizens participating in the pilot tests will use a personal computer or government kiosk and the Internet to access Social Security information, file income tax forms, or—in time— apply for a student loan.
In the pilot studies, the U.S. Postal Service (USPS) will be responsible for issuing the digital signatures that will identify users through the use of tokens. It will develop an infrastructure for assigning and maintaining the critical ''certificates" that are needed for proper authentication.17 Many believe that the USPS is a natural candidate for such a responsibility because of its vast network of postal offices and operations that are aimed specifically at providing individual and business services. Furthermore, the USPS is a "trusted" organization that has the backing of legislation to perform its duties, as well as a mature oversight framework.
In addition to the citizen-to-government interactions described above, there is a complete spectrum of cryptographic methods used throughout the government for internal communication and processing purposes. The Treasury Department has long used cryptographic methods for the authentication, integrity, and confidentiality of financial transactions. The Department of Energy has also been a long-time user and developer of cryptographic methods, which are employed to safeguard nuclear control systems, among other things. A number of nondefense agencies have begun to adopt Fortezza PCMCIA cards (described in Chapter 5), including the Departments of Commerce, Justice, Energy, State, and Treasury, as well as the National Aeronautics and Space Administration, the IRS, and the Coast Guard. The broad-based use of this system among civilian agencies is as yet uncertain.18
The effort to make the federal government more efficient often increases the need for and difficulty of protecting copyrighted, private, and proprietary information. For example, improving federal services to citizens by providing them electronically requires more sharing of information and resources among agencies and between federal agencies and state or local agencies. Increased sharing of information requires interagency coordination of privacy and security policies to ensure uniformly adequate protection. During a time of tight federal budgets, information security managers in federal agencies increasingly must compete for resources and support to implement the needed safeguards properly. Agencies must look for the least expensive way to ensure security, and the cost of some encryption systems currently is prohibitive for some civilian agencies.
17 Government Computer News, November 13, 1995.
18 "Fortezza Faces Uncertain Future," Federal Computer Week, November 13, 1995, p. 12.
