6 Other Dimensions of National Cryptography Policy
In addition to export controls and escrowed encryption, current national policy on cryptography is affected by government use of a large number of levers available to it, including the Communications Assistance for Law Enforcement Act, the standards-setting process, R&D funding, procurement practices, education and public jawboning, licenses and certification, and arrangements both formal and informal with various other governments (state, local, and foreign) and organizations (e.g., specific private companies). All of these are controversial because they embody judgments about how the interests of law enforcement and national security should be reconciled against the needs of the private sector. In addition, the international dimensions of cryptography are both critical (because cryptography affects communications and communications are fundamentally international) and enormously difficult (because national interests differ from government to government).
6.1 THE COMMUNICATIONS ASSISTANCE FOR LAW ENFORCEMENT ACT
The Communications Assistance for Law Enforcement Act (CALEA) was widely known as the "digital telephony" bill before its formal passage. The CALEA is not explicitly connected to national cryptography policy, but it is an important aspect of the political context in which national cryptography policy has been discussed and debated.
6.1.1 Brief Description of and Stated Rationale for the CALEA
The Communications Assistance for Law Enforcement Act (CALEA) was passed in October 1994. The act imposes on telecommunications carriers four requirements in connection with those services or facilities that allow customers to originate, terminate, or direct communications:
• To expeditiously isolate and enable the government to intercept, pursuant to court order or other lawful authorization, all wire and electronic communications in the carrier's control to or from the equipment, facilities, or services of a subscriber, in real time or at any later time acceptable to the government. Carriers are not responsible for decrypting encrypted communications that are the subject of court-ordered wiretaps, unless the carrier provided the encryption and can decrypt it. Moreover, carriers are not prohibited from deploying an encryption service for which it does not retain the ability to decrypt communications for law enforcement access.
• To expeditiously isolate and enable the government to access, pursuant to court order or other lawful authorization, reasonably available call-identifying information about the origin and destination of communications. Access must be provided in such a manner that the information may be associated with the communication to which it pertains and is provided to the government before, during, or immediately after the communication's transmission to or from the subscriber.
• To make intercepted communications and call-identifying information available to government, pursuant to court order or other lawful authorization, so that they may be transmitted over lines or facilities leased or procured by law enforcement to a location away from the carrier's premises.
• To meet these requirements with a minimum of interference with the subscriber's service and in such a way that protects the privacy of communications and call-identifying information that are not targeted by electronic surveillance orders, and that maintains the confidentiality of the government's interceptions.
The CALEA also authorizes federal money for retrofitting common carrier systems to comply with these requirements. As this report is being written, no money has yet been appropriated for this task.
The CALEA requirements apply only to those services or facilities that enable a subscriber to make, receive, or direct calls. They do not apply to information services, such as the services of electronic mail providers; on-line services such as Compuserve or America Online; or
Internet access providers; or to private networks or services whose sole purpose is to interconnect carriers. Furthermore, the CALEA requires law enforcement authorities to use carrier employees or personnel to activate a surveillance. The CALEA also provides that a warrant is needed to tap a cordless telephone; wiretaps on cellular telephones are already governed by Title III or the Foreign Intelligence Surveillance Act.
The Stated Rationale for the CALEA
Historically, telecommunications service providers have cooperated with law enforcement officials in allowing access to communications upon legal authorization. New telecommunications services (e.g., call forwarding, paging, cellular calls) and others expected in the future have diminished the ability of law enforcement agencies to carry out legally authorized electronic surveillance. The primary rationale for the CALEA is to ensure that within 4 years, telecommunications service providers will still be able to provide the assistance necessary to law enforcement officials to conduct surveillance of wire and electronic communications (both content and call-identifying information) controlled by the carrier, regardless of the nature of the particular services being offered.
6.1.2 Reducing Resource Requirements for Wiretaps
Once a surveillance order has been approved judicially, it must be implemented. In practice, the implementation of a surveillance order requires the presence of at least two agents around the clock. Such a presence is required if real-time minimization requirements are to be met.1 As a result, personnel requirements are the most expensive aspect of electronic surveillance. The average cost of a wiretap order is $57,000 (Appendix D), or approximately one-half of a full-time-equivalent agent-year. Such costs are not incurred lightly by law enforcement agencies.
1 Minimization refers to the practice, required by Title III, of monitoring only those portions of a conversation that are relevant to the crime under investigation. If a subject discusses matters that are strictly personal, such discussions are not subject to monitoring. In practice, a team of agents operate a tape recorder on the wiretapped line. Minimization requires agents to turn off the tape recorder and to cease monitoring the conversation for a short period of time if they overhear nonrelevant discussions. At the end of that time period, they are permitted to resume monitoring. For obvious reasons, this practice is conducted in real time. When agents encounter a foreign language with which they are unfamiliar, they are allowed to record the entire conversation; the tape is then "minimized" after the fact of wiretapping. Additional discussion of the requirements imposed on wiretapping by Title III is contained in Appendix D.
Under these circumstances, procedures and/or technologies that could reduce the labor required to conduct wiretaps pose a potential problem for individuals concerned about excessive use of wiretaps. Specifically, these individuals are concerned that the ability to route wiretapped calls to a central location would enable a single team of agents to monitor multiple conversations.2 Such time sharing among monitoring teams could lower wiretap costs significantly. From the standpoint of law enforcement, these savings could be used for other law enforcement purposes, and they would have the additional effect of eliminating an operational constraint on the frequency with which wiretap authority is sought today.
Technologies that would enable minimization without human assistance are in their infancy today. For example, the technology of speech recognition for the most part cannot cope with speech that is speaker-independent and continuous, and artificial intelligence programs today and for the foreseeable future will be unable to distinguish between the criminally relevant and nonrelevant parts of a conversation. Human agents are an essential component of a wiretap, and law enforcement officials have made three key points in response to the concern raised above:
• Most importantly, today's wiretaps are performed generally with law enforcement agencies paying telecommunications service providers for delivering the intercepted communications to a point of law enforcement's choosing.
• From an operational standpoint, the real-time minimization of wiretapped conversations requires agents who are personally familiar with the details of the case under investigation, so that they know when the subjects are engaged in conversations related to the caseagents exceed their authority if they monitor unrelated conversations.
• Procedural rules require that all evidence be maintained through a proper chain of custody and in a manner such that the authenticity of evidence can be established. Law enforcement officials believe that the
2 For example, such a concern was raised at the Fifth Conference on Computers, Freedom, and Privacy held in San Francisco in March 1995. The argument goes as follows. While the CALEA authorizes $500 million to pay for existing in-place telephone switch conversions to implement the capabilities desired by law enforcement, this amount is intended as a onetime cost; upgrades of switching systems are expected to implement these capabilities without government subsidy. The point is that additional wiretap orders would not pose an additional incremental cost (though the original cost of $57,000 would still obtain), and the barrier of incremental cost would not impede more wiretap orders. In short, critics argue that it would make good economic sense to make additional use of resources if such use can "piggyback" on an already-made investment.
use of one team to monitor different conversations could call into question the ability to establish a clear chain of custody.
6.1.3 Obtaining Access to Digital Streams in the Future
In the conduct of any wiretap, the first technical problem is simply gaining access to the relevant traffic itself, whether encrypted or not. For law enforcement, products with encryption capabilities and features that allow exceptional access are useless without access to the traffic in question. The CALEA was an initiative spearheaded by law enforcement to deal with the access problem created by new telecommunications services.
The problems addressed by the CALEA will inevitably resurface as newer communications services are developed and deployed for use by common carriers and private entities (e.g., corporations) alike. It is axiomatic that the complexity of interactions among communications systems will continually increase, both as a result of increased functionality and the need to make more efficient use of available bandwidth. Consequently, isolation of the digital streams associated with the party or parties targeted by law enforcement will become increasingly difficult if the cooperation of the service provider is not forthcoming, for all of the reasons described in Chapter 2. (It is for this reason that the CALEA applies to parties that are not common carriers today upon appropriate designation by the Federal Communications Commission (FCC).)
Moreover, even when access to the digital stream of an application is assured, the structure of the digital stream may be so complex that it would be extremely costly to determine all of the information present without the assistance of the application developer. Tools designed to isolate the relevant portions of a given digital stream transmitted on open systems will generally be less expensive than tools for proprietary systems, but since both open and proprietary systems will be present in any future telecommunications environment, law enforcement authorities will need tools for both. The development of such tools will require considerable technical skill, skill that is most likely possessed by the application developers; cooperation with product developers may decrease the cost of developing these tools.
Finally, as the telecommunications system becomes more and more heterogeneous, even the term "common carrier" will become harder to define or apply. The routing of an individual data communication through the "network" will be dynamic and may take any one of a number of paths, decisions about which are not under the user's control. While only one link in a given route need be a common carrier for CALEA purposes, identifying that common carrier in practice may be quite difficult.
6.1.4 The CALEA Exemption of Information Service Providers and Distinctions Between Voice and Data Services
At present, users of data communications services access networks such as the Internet either through private networks (e.g., via their employers) or through Internet service providers that provide connections for a variety of individuals and organizations. Both typically make use of lines owned and operated by telecommunications service providers. In the former case, law enforcement access to the digital stream is more or less the same problem as it is for the employer (and law enforcement has access through the legal process to the employer). In the latter case, the CALEA requires the telephone service provider to provide to law enforcement authorities a copy of the digital stream being transported.
The CALEA exempts on-line information service providers such as America Online and Compuserve from its requirements. In the future, other CALEA issues may arise as the capabilities provided by advanced information technologies grow more sophisticated. For example, the technological capability exists to use Internet-based services to supply realtime voice communications.3 Even today, a number of Internet and network service providers are capable of supporting (or are planning to support) real-time "push-to-talk" voice communications. The CALEA provides that a party providing communications services that in the judgment of the FCC are "a replacement for a substantial portion of the local telephone exchange service" may be deemed a carrier subject to the requirements of the CALEA. Thus, one possible path along which telecommunications services may evolve could lead to the imposition of CALEA requirements on information service providers, even though they were exempted as an essential element of a legislative compromise that enabled the CALEA to pass in the first place.
These possibilities are indicative of a more general problem: the fact that lines between "voice" and "data" services are being increasingly blurred. This issue is addressed in greater detail in Chapter 7.
6.2 OTHER LEVERS USED IN NATIONAL CRYPTOGRAPHY POLICY
The government has a number of tools to influence the possession and use of cryptography domestically and abroad. How the government uses these tools in the context of national cryptography policy reflects the government's view of how to balance the interests of the various stakeholders affected by cryptography.
3 Fred Hapgood, "IPHONE," Wired, October 1995, p. 140; and Lawrence M. Fisher, "LongDistance Phone Calls in the Internet," New York Times, March 14, 1995, p. D6.
6.2.1 Federal Information Processing Standards
Federal Information Processing Standards (FIPSs) are an important element of national cryptography policy, and all federal agencies are encouraged to cite FIPSs in their procurement specifications. (Box 6.1 contains a brief description of all FIPSs related to cryptography.) The National Institute of Standards and Technology (NIST) is responsible for issuing FIPSs.
FIPSs can have enormous significance to the private sector as well, despite the face that the existence of a FIPS does not legally compel a private party to adopt it. One reason is that to the extent that a FIPS is based on existing private sector standards (which it often is), it codifies standards of existing practice and contributes to a planning environment of greater certainty. A second reason is that a FIPS is often taken as a government endorsement of the procedures, practices, and algorithms contained therein, and thus a FIPS may set a de facto ''best practices" standard for the private sector. A third reason is related to procurements that are FIPS-compliant as discussed in the next section.
NIST has traditionally relied on private sector standards-setting processes when developing FIPSs. Such practice reflects NIST's recognition of the fact that the standards it sets will be more likely to succeedin terms of reducing procurement costs, raising quality, and influencing the direction of information technology market developmentif they are supported by private producers and users.4
The existence of widely accepted standards is often an enormous boon to interoperability of computers and communication devices, and the converse is generally true as well: the absence of widely accepted standards often impedes the growth of a market.
In the domain of cryptography, FIPSs have had a mixed result. The promulgation of FIPS 46-1, the Data Encryption Standard (DES) algorithm for encrypting data, was a boon to cryptography and vendors of cryptographic products. On the other hand, the two cryptography-related FIPSs most recently produced by NIST (FIPS 185, the Escrowed Encryption Standard (EES), and FIPS 186, the Digital Signature Standard (DSS)) have met with a less favorable response. Neither was consistent with existing de facto industry standards or practice, and both met with significant negative response from private industry and users.5
4 Carl F. Cargill, Information Technology Standardization, Digital Press, Bedford, Mass., 1989, p. 213.
5 The story of resistance to the EES is provided in Susan Landau et al., Codes, Keys, and Conflicts, Association for Computing Machinery Inc., Washington, D.C., June 1994, p. 48; to DSS, in Landau et al., Codes, Keys, and Conflicts, 1994, pp. 41-43. In the case of DSS, a de facto industry standard had already emerged based on RSA Data Security Inc.'s public-key algorithm.
• FIPS 46, 46-1 and 46-2: Data Encryption Standard (DES). Specification of DES algorithm and rules for implementing DES in hardware. FIPS 46-1 recertifies DES and extends it for software implementation. FIPS 46-2 reaffirms the Data Encryption Standard algorithm until 1998 and allows for its implementation in software, firmware or hardware. Several other FIPSs address interoperability and security requirements for using DES in the physical layer of data communications (FIPS 139) and in fax machines (FIPS 141), guidelines for implementing and using DES (FIPS 74), modes of operation of DES (FIPS 81), and use of DES for authentication purposes (FIPS 113).
• FIPS 180-1: Secure Hash Standard. This standard specifies a Secure Hash Algorithm (SHA) that can be used to generate a condensed representation of a message called a message digest. The SHA is required for use with the Digital Signature Algorithm (DSA) as specified in the Digital Signature Standard (DSS) and whenever a secure hash algorithm is required for federal applications. The SHA is used by both the transmitter and intended receiver of a message in computing and verifying a digital signature.
• FIPS 186: Digital Signature Standard. This standard specifies a Digital Signature Algorithm (DSA) appropriate for applications requiring a digital rather than a written signature. The DSA digital signature is a pair of large numbers represented in a computer as strings of binary digits. The digital signature is computed using a set of rules (i.e., the DSA) and a set of parameters such that the identity of the signatory and integrity of the data can be verified. The DSA provides the capability to generate and verify signatures.
• FIPS 140-1: Security Requirements for Cryptographic Modules. This standard provides specifications for cryptographic modules which can be used within computer and telecommunications systems to protect unclassified information in a variety of different applications.
• FIPS 185: Escrowed Encryption Standard (see main text).
• FIPS 171: Key Management Using ANSI X9.17. This standard specifies a selection of options for the automated distribution of keying material by the federal government when using the protocols of ANSI X9.17. The standard defines procedures for the manual and automated management of keying materials and contains a number of options. The selected options will allow the development of cost-effective systems that will increase the likelihood of interoperability.
Other FIPSs that address matters related more generally to computer security include the following:
• FIPS 48: Guidelines on Evaluation of Techniques for Automated Personal Identification,
• FIPS 83: Guidelines on User Authentication Techniques for Computer Network Access Control,
• FIPS 112: Password Usage,
• FIPS 113: Computer Data Authentication, and
• FIPS 73: Guidelines for Security of Computer Applications.
The promulgation of the EES and the DSS, as well as current Administration plans to promulgate a modification of the EES to accommodate escrowed encryption for data storage and communications and another FIPS for key escrow to performance requirements for escrow agents and for escrowed encryption products, has generated a mixed market reaction. Some companies see the promulgation of these standards as a market opportunity, while others see these standards as creating yet more confusion and uncertainty in pushing escrowed encryption on a resistant market.
Appendix M contains a general discussion of FIPSs and the standards-setting process.
6.2.2 The Government Procurement Process
Government procurement occurs in two domains. One domain is special-purpose equipment and products, for which government is the only consumer. Such products are generally classified in certain ways; weapons and military-grade cryptography are two examples. The other domain is procurement of products that are useful in both the private and public sectors.
Where equipment and products serve both government and private sector needs, in some instances the ability of the government to buy in bulk guarantees vendors a large enough market to take advantage of mass production, thereby driving down for all consumers the unit costs of a product that the government is buying in bulk. Through its market power, government has some ability to affect the price of products that are offered for sale on the open market. Furthermore, acceptance by the government is often taken as a "seal of approval" for a given product that reassures potential buyers in the private sector.
History offers examples with variable success in promoting the widespread public use of specific information technologies through the use of government standards.
• The DES was highly successful. DES was first adopted as a cryptographic standard for federal use in 1975. Since then, its use has become commonplace in cryptographic applications around the world, and many implementations of DES now exist worldwide.
• A less successful standard is GOSIP, the Government OSI Profile, FIPS 146.6 The GOSIP was intended to specify the details of an OSI configuration for use in the government so that interoperable OSI net-
6 OSI refers to Open Systems Interconnect, a standardized suite of international networking protocols developed and promulgated in the early 1980s.
work products could be procured from commercial vendors and to encourage the market development of products. GOSIP has largely failed in this effort, and network products based on the TCP/IP protocols now dominate the market.7
In the case of the EES, the government chose not to seek legislation outlawing cryptography without features for exceptional access, but chose instead to use the EES to influence the marketplace for cryptography. This point was acknowledged by Administration officials to the committee on a number of occasions. Specifically, the government hoped that the adoption of the EES to ensure secure communications within the government and for communications of other parties with the federal government would lead to a significant demand for EES-compliant devices, thus making possible production in larger quantities and thereby driving unit costs down and making EES-compliant devices more attractive to other users. A secondary effect would be the fact that two nongovernmental parties wishing to engage in secure communications would be most likely to use EES-compliant devices if they already own them rather than purchase other devices. As part of this strategy to influence the market, the government persuaded AT&T in 1992 to base a secure telephone on the EES.
In the case of the Fortezza card, the large government procurement for use with the Defense Messaging System may well lower unit costs sufficiently that vendors of products intended solely for the commercial nondefense market will build support for the Fortezza card into their products.8 Given the wide availability of PC-Card slots on essentially all notebook and laptop computers, it is not inconceivable that the security advantages offered by hardware-based authentication would find a wide commercial market. At the same time, the disadvantages of hardware-based cryptographic functionality discussed in Chapter 5 would remain as well.
6.2.3 Implementation of Policy: Fear, Uncertainty, Doubt, Delay, Complexity
The implementation of policy contributes to how those affected by policy will respond to it. This important element is often unstated, and it refers to the role of government in creating a climate of predictability. A
7 See Computer Science and Telecommunications Board, National Research Council, Realizing the Information Future: The Internet and Beyond, National Academy Press, Washington, D.C., 1994, Chapter 6.
8 In a recent contract, a vendor agreed to provide Fortezza cards at $69 per card. See Paul Constance, "After Complaining $99 Was Too Low, Fortezza Vendors Come in at $69," Government Computer News, October 2, 1995, p. 6.
government that speaks with multiple voices on a question of policy, or one that articulates isolated elements of policy in a piecemeal fashion, or one that leaves the stakeholders uncertain about what is or is not permissible, creates an environment of fear, uncertainty, and doubt that can inhibit action. Such an environment can result from a deliberate choice on the part of policy makers, or it can be inadvertent, resulting from overlapping and/or multiple sources of authority that may have at least partial responsibility for the policy area in question. Decisions made behind closed doors and protected by government security classifications tend to reinforce the concerns of those who believe that fear, uncertainty, and doubt are created deliberately rather than inadvertently.
The committee observes that cryptography policy has indeed been shrouded in secrecy for many years and that many agencies have partial responsibility in this area. It also believes that fear, uncertainty, and doubt are common in the marketplace. For example, the introduction of nonmarket-driven standards such as the DSS and the EES may have created market uncertainty that impeded the rapid proliferation of high-quality products with encryption capabilities both internationally and domestically. Uncertainty over whether or not the federal government would recertify the DES as a FIPS has plagued the marketplace in recent years, because withdrawal of the DES as a FIPS could cause considerable consternation among some potential buyers that might suddenly be using products based on a decertified standard, although in fact the government has recertified the DES in each case. On the other hand, the DES is also a standard of the American National Standards Institute and the American Banking Association, and if these organizations continue to endorse it, the DES will arguably represent a viable algorithm for a wide range of products.
Many parties in industry believe that the complexity and opacity of the decision-making process with respect to cryptography are major contributors to this air of uncertainty. Of course, the creation of uncertainty may be desirable from the perspective of policy makers if their goal is to retard action in a given area. Impeding the spread of high-quality products with encryption capabilities internationally is the stated and explicit goal of export controls; on the domestic front, impeding the spread of high-quality products with encryption capabilities has been a desirable outcome from the standpoint of senior officials in the law enforcement community.
A very good example of the impact of fear, uncertainty, and doubt on the marketplace for cryptography can be found in the impact of government action (or more precisely, inaction) with respect to authentication. As noted in Chapter 2, cryptography supports digital signatures, a technology that provides high assurance for both data integrity and user au-
thentication. However, federal actions in this area have led to considerable controversy. One example is that the federal government failed to adopt what was (and still is) the de facto commercial standard algorithm on digital signatures, namely the RSA algorithm. Government sources told the committee that the fact that the RSA algorithm is capable of providing strong confidentiality as well as digital signatures was one reason that the government deemed it inappropriate for promulgation as a FIPS.9 Further, the government's adoption of the Digital Signature Standard 10 in 1993 occurred despite widespread opposition from industry to the specifics of that standard.
6.2.4 R&D Funding
An agency that supports research (and/or conducts such research on its own in-house) in a given area of technology is often able to shape the future options from which the private sector and policy makers will choose. For example, an agency that wishes to maintain a monopoly of expertise in a given area may not fund promising research proposals that originate from outside. Multiple agencies active in funding a given area may thus yield a broader range of options for future policy makers.
In the context of cryptography and computer and communications security, it is relevant that the National Security Agency (NSA) has been the main supporter and performer of R&D in this area.11 The NSA's R&D
9 The specific concern was that widespread adoption of RSA as a signature standard would result in an infrastructure that could support the easy and convenient distribution of DES keys. The two other reasons for the government's rejection of RSA were the desire to promulgate an approach to digital signatures that would be royalty-free (RSA is a patented algorithm) and the desire to reduce overall system costs for digital signatures. For a discussion of the intellectual issues involved in the rejection of the RSA algorithm and the concern over confidentiality, see Office of Technology Assessment, Information Security and Privacy in Network Environments, OTA-TCT-606, U.S. Government Printing Office, Washington, D.C., September 1994, pp. 167-168 and pp. 217-222.
10 The DSS is based on an unclassified algorithm known as the Digital Signature Algorithm that does not explicitly support confidentiality. However, the DSS and its supporting documentation do amount to U.S. government endorsement of a particular one-way hash function, and document in detail how to generate the appropriate number-theoretic constants needed to implement it. Given this standard, it is possible to design a confidentiality standard that is as secure as the DSS. In other words, the DSS is a road map to a confidentiality standard, although it is not such a standard explicitly. Whether an ersatz confidentiality standard would pass muster in the commercial market remains to be seen.
11 It is important to distinguish between R&D undertaken internally and externally to NSA. Internal R&D work can be controlled and kept private to NSA; by contrast, it is much more difficult to control the extent to which external R&D work is disseminated. Thus, decisions regarding specific external cryptography-related R&D projects could promote or inhibit public knowledge of cryptography.
orientation has been, quite properly, on technologies that would help it to perform more effectively and efficiently its two basic missions: (1) defending national security by designing and deploying strong cryptography to protect classified information and (2) performing signals intelligence against potential foreign adversaries. In the information security side of the operation, NSA-developed technology has extraordinary strengths that have proven well suited to the protection of classified information relevant to defense or foreign policy needs.
How useful such technologies will prove for corporate information security remains to be seen. Increasing needs for information security in the private sector suggest that NSA technology may have much to offer, especially if such technology can be made available to the private sector without limitation. At the same time, the environment in which private sector information security needs are manifested may be different enough from the defense and foreign policy worlds that these technologies may not be particularly relevant in practice to the private sector. Furthermore, the rapid pace of commercial developments in information technology may make it difficult for the private sector to use technologies developed for national security purposes in a less rapidly changing environment.
These observations suggest that commercial needs for cryptographic technology may be able to draw on NSA technologies for certain applications, and most certainly will draw on nonclassified R&D work in cryptography (both in the United States and abroad); even the latter will have a high degree of sophistication. Precisely how the private sector will draw on these two sources of technology will depend on policy decisions to be made in the future. Finally, it is worth noting that nonclassified research on cryptography appearing in the open literature has been one of the most important factors leading to the dilemma that policy makers face today with respect to cryptography.
6.2.5 Patents and Intellectual Property
A number of patents involving cryptography have been issued. Patents affect cryptography because patent protection can be used by both vendors and governments to keep various patented approaches to cryptography out of broad use in the public domain.12
The DES, first issued in 1977, is an open standard, and the algorithm it uses is widely known. According to NIST, devices implementing the DES may be covered by U.S. and foreign patents issued to IBM (although the original patents have by now expired).13 However, IBM granted
12 See footnote 9.
13 National Institute of Standards and Technology, "FIPS 46-2: Announcing the Data Encryption Standard," NIST, Gaithersburg, Md., December 30, 1993.
nonexclusive, royalty-free licenses under the patents to make, use, and sell apparatus that complies with the standard.
RSA Data Security Inc. (RSA) holds the licensing rights to RC2, RC4, and RC5, which are variable-key-length ciphers developed by Ronald Rivest.14 RC2 and RC4 are not patented, but rather are protected as trade secrets (although both algorithms have been published on the Internet without RSA's approval). RSA has applied for a patent for RC5 and has proposed it as a security standard for the Internet. Another alternative for data encryption is IDEA, a block cipher developed by James Massey and Xueija Lai of the Swiss Federal Institute of Technology (ETH), Zurich. The patent rights to IDEA are held by Ascom Systec AG, a Swiss firm. IDEA is implemented in the software application PGP.
In addition to the above patents, which address symmetric-key encryption technologies, there are several important patent issues related to public-key cryptography. The concept of public-key cryptography, as well as some specific implementing methods, is covered by U.S. Patents 4,200,770 (M. Hellman, W. Diffie, and R. Merkle, 1980) and 4,218,582 (M. Hellman and R. Merkle, 1980), both of which are owned by Stanford University. The basic patent for the RSA public-key crypto-system, U.S. Patent 4,405,829 (R. Rivest, A. Shamir, and L. Adelman, 1983), is owned by the Massachusetts Institute of Technology. The 4,218,582 patent has counterparts in several other countries. These basic public-key patents and related ones have been licensed to many vendors worldwide. With the breakup of the partnership that administered the licensing of Stanford University's and MIT's patents, the validity of the various patents has become the subject of current litigation. In any event, the terms will expire in 1997 for the first two of the above patents and in 2000 for the third.15
In 1994, NIST issued the Digital Signature Standard, FIPS 186. The DSS uses the NIST-developed Digital Signature Algorithm, which according to NIST is available for use without a license. However, during the DSS's development, concern arose about whether the DSS might infringe on the public-key patents cited above, as well as a patent related to signature verification held by Claus Schnorr of Goethe University in Frankfurt, Germany.16 NIST asserts that the DSS does not infringe on any of these
14 See RSA Data Security Inc. home page at http://www.rsa.com.
15 In 1994, Congress changed patent terms from 17 years after issuance to 20 years from the date of filing the patent application; however, applications for these patents were filed in or before 1977, and so they will not be affected.
16 See Office of Technology Assessment, Information Security and Privacy in Network Environments, 1994, p. 220.
patents.17 At the least, U.S. government users have the right to use public-key cryptography without paying a license fee for the Stanford and MIT patents because the concepts were developed at these universities with federal research support. However, there remains some disagreement about whether commercial uses of the DSS (e.g., in a public-key infrastructure) will require a license from one or more of the various patent holders.
A potential patent dispute regarding the key-escrow features of the EES may have been headed off by NIST's negotiation of a nonexclusive licensing agreement with Silvio Micali in 1994.18 Micali has patents that are relevant to dividing a key into components that can be separately safeguarded (e.g., by escrow agents) and later combined to recover the original key.
A provision of the U.S. Code (Title 35, U.S.C., Section 181) allows the Patent and Trademark Office (PTO) to withhold a patent and order that the invention be kept secret if publication of the patent is detrimental to national security. Relevant to cryptography is the fact that a patent application for the Skipjack encryption algorithm was filed on February 7, 1994. This application was examined and all of the claims allowed, and notification of the algorithm's patentability was issued on March 28, 1995. Based on a determination by NSA, the Armed Services Patent Advisory Board issued a secrecy order for the Skipjack patent application; the effect of the secrecy order is that even though Skipjack can be patented, a patent will not be issued until the secrecy order is rescinded. Since applications are kept in confidence until a patent is issued, no uninvolved party can find out any information concerning the application. In this way, the patentability of the algorithm has been established without having to disclose the detailed information publicly.19 Since 35 U.S.C. 181 also provides that the PTO can rescind the secrecy order upon notification that publication is no longer detrimental to national security, compromise and subsequent public revelation of the Skipjack algorithm (e.g., through reverse engineering of a Clipper chip) might well cause a patent to be issued for Skipjack that would give the U.S. government control over its subsequent use in products.
17 National Institute of Standards and Technology, "Digital Signature Standard," Computer Systems Laboratory (CSL) Bulletin, NIST, Gaithersburg, Md., November 1994. Available on-line at http://csrc.ncsl.nist.gov/nistbul/cs194-11.txt.
18 National Institute of Standards and Technology press release, "Patent Agreement Removes Perceived Barrier to Telecommunications Security System," NIST, Gaithersburg, Md., July 11, 1994. Available on-line at gopher://rigel.nist.gov:7346/0/.docs/.releases/N9428.REL.
19 Clinton C. Brooks, National Security Agency, provided this information to the committee in an e-mail message dated May 23, 1995.
6.2.6 Formal and Informal Arrangements with Various Other Governments and Organizations
International agreements can be an important part of national policy. For example, for many years the Coordinating Committee (CoCom) nations cooperated in establishing a common export control policy on militarily significant items with civilian purposes, including cryptography (Appendix G has more details).
International agreements can take a variety of different forms. The most formal type of agreement is a treaty between (or among) nations that specifies the permissible, required, and prohibited actions of the various nations. Treaties require ratification by the relevant national political bodies as well as signature before entry into force. In the United States treaties must be approved by the U.S. Senate by a two-thirds vote. Sometimes treaties are self-executing, but often they need to be followed by implementing legislation enacted by the Congress in the normal manner for legislation.
Another type of agreement is an executive agreement. In the United States, executive agreements are, as the name implies, entered into by the executive branch. Unlike the treaty, no Senate ratification is involved, but the executive branch has frequently sought approval by a majority of both houses of the Congress. For all practical purposes executive agreements with other countries bind the United States in international law just as firmly as treaties do, although a treaty may carry greater weight internally due to the concurrence by a two-thirds vote of the Senate. Executive agreements can also be changed with much greater flexibility than treaties.
Finally, nations can agree to cooperate through diplomacy. Even though cooperation is not legally required under such arrangements, informal understandings can work very effectively so long as relationships remain good and the countries involved continue to have common goals. In fact, informal understanding is the main product of much diplomacy and is the form that most of the world's business between governments takes. For example, although the United States maintains formal mutual legal assistance treaties with a number of nations, U.S. law enforcement agencies cooperate (sometimes extensively) with foreign counterparts in a much larger number of nations. Indeed, in some instances, such cooperation is stronger, more reliable, and more extensive than is the case with nations that are a party to a formal mutual legal assistance treaty with the United States.
Note that the more formal the agreement, the more public is the substance of the agreement; such publicity often leads to attention that may compromise important and very sensitive matters, such as the extent to
which a nation supports a given policy position or the scope and nature of a nation's capabilities. When informal arrangements are negotiated and entered into force, they may not be known by all citizens or even by all parts of the governments involved. Because they are less public, informal arrangements also allow more latitude for governments to make decisions on a case-by-case basis. In conducting negotiations that may involve sensitive matters or agreements that may require considerable flexibility, governments are often inclined to pursue more informal avenues of approach.
6.2.7 Certification and Evaluation
Analogous to Good Housekeeping seals of approval or ''check ratings" for products reviewed in Consumer Reports, independent testing and certification of products can provide assurance in the commercial marketplace that a product can indeed deliver the services and functionality that it purports to deliver. For example, the results of government crash tests of automobiles are widely circulated as data relevant to consumer purchases of automobiles. Government certification that a commercial airplane is safe to fly provides significant reassurance to the public about flight safety. At the same time, while evaluation and certification would in principle help users to avoid products that implement a sound algorithm in a way that undermines the security offered by the algorithm, the actual behavior of users demonstrates that certification of a product is not necessarily a selling point. Many of the DES products in the United States have never been evaluated relative to FS 1027 or FIPS 140-1, and yet such products are used by many parties.
The government track record in the cryptography and computer security domain is mixed. For example, a number of DES products were evaluated with respect to FS 1027 (the precursor to FIPS 140-1) over several years and a number of products were certified by NSA. For a time, government agencies purchased DES hardware only if it met FS 1027, or FIPS 140. Commercial clients often required compliance because it provided the only assurance that a product embodying DES was secure in a broader sense. In this case, the alignment between government and commercial security requirements seems to have been reasonably good, and thus this program had some success. Two problems with this evaluation program were that it addressed only hardware and that it lagged in allowing use of public-key management technology in products (in the absence of suitable standards).
A second attempt to provide product evaluation was represented by the National Computer Security Center (NCSC), which was established by the Department of Defense (DOD) for the purpose of certifying vari-
ous computer systems for security. The theory underlying the center was that the government needed secure systems but could not afford to build them. The quid pro quo was that industry would design and implement secure operating systems that the government would test and evaluate at no cost to industry; systems meeting government requirements would receive a seal of approval.
Although the NCSC still exists, the security evaluation program it sponsors, the Trusted Product Evaluation Program (TPEP), has more or less lapsed into disuse. In the judgment of many, the TPEP was a relative failure because of an underlying premise that the information security problems of the government and the private sector were identical to those of the defense establishment. In fact, the private sector has for the most part found that a military approach to computer security is inadequate for its needs. A second major problem was that the time scale of the evaluation process was much longer than the private sector could tolerate, and products that depended on NCSC evaluation would reach market already on the road to obsolescence, perhaps superseded by a new version to which a given evaluation would not necessarily apply. In late 1995, articles in the trade press reported that the DOD was attempting to revive the evaluation program in a way that would involve private contractors.20
A recent attempt to provide certification services is the Cryptographic Module Validation Program (CMVP) to test products for conformance to FIPS 140-1, Security Requirements for Cryptographic Modules.21 FIPS 140-1 provides a broad framework for all NIST cryptographic standards, specifying design, function, and documentation requirements for cryptographic modulesincluding hardware, software, "firmware," and combinations thereofused to protect sensitive, unclassified information in computer and telecommunication systems.22 The CMVP was established in July 1995 by NIST and the Communications Security Establishment of the government of Canada.
The validation program is currently optional: agencies may purchase products based on a vendor's written assurance of compliance with the standard. However, beginning in 1997, U.S. federal procurement will require cryptographic products to be validated by an independent, third
20 See, for example, Paul Constance, "Secure Products List Gets CPR," Government Computing News, November 13, 1995, p. 40.
21 National Institute of Standards and Technology press release, "Cryptographic Module Validation Program Announced," NIST, Gaithersburg, Md., July 17, 1995.
22 National Institute of Standards and Technology, Federal Information Processing Standards Publication 140-1: Security Requirements for Cryptographic Modules, NIST, Gaithersburg, Md., January 11, 1994.
party. Under the program, vendors will submit their products for testing by an independent, NIST-accredited laboratory.23
Such a laboratory evaluates both the product and its associated documentation against the requirements in FIPS 140-1. NIST has also specified test procedures for all aspects of the standard. Examples include attempting to penetrate tamper-resistant coatings and casings, inspecting software source code and documentation, attempting to bypass protection of stored secret keys, and statistically verifying the performance of random number generators.24 The vendor sends the results of independent tests to NIST, which determines whether these results show that the tested product complies with the standard and then issues validation certificates for products that do. Time will tell whether the CMVP will prove more successful than the NCSC.
6.2.8 Nonstatutory Influence
By virtue of its size and role in society, government has considerable ability to influence public opinion and to build support for policies. In many cases, this ability is not based on specific legislative authority, but rather on the use of the "bully pulpit." For example, the government can act in a convening role to bring focus and to stimulate the private sector to work on a problem.25 The bully pulpit can be used to convey a sense of urgency that is tremendously important in how the private sector reacts, especially large companies that try to be good corporate citizens and responsive to informal persuasion by senior government officials. Both vendors and users can be influenced by such authority.26
23 As of September 1995, the National Institute of Standards and Technology's National Voluntary Laboratory Accreditation Program had accredited three U.S. companies as competent to perform the necessary procedures: CygnaCom Solutions Laboratory (McLean, Va.), DOMUS Software Limited (Ottawa, Canada), and InfoGard Laboratories (San Luis Obispo, Calif.). A current list of these companies is available on-line at http:// csrc.ncsl.nist.gov /fips/1401labs.txt.
24 National Institute of Standards and Technology, Derived Test Requirements for FIPS Publication 140-1, NIST, Gaithersburg, Md., March 1995.
25 One advantage of government's acting in this way is that it may provide some assurance to the private sector that any coordinated action taken in response to government calls for action will be less likely to be interpreted by government as a violation of antitrust provisions.
26 For example, in responding favorably to a request by President Clinton for a particular action in a labor dispute, the chairman of American Airlines noted, "He [President Clinton] is the elected leader of the country. For any citizen or any company or any union to say 'No, I won't do that' to the President requires an awfully good reason." See Gwen Ifill, "Strike at American Airlines; Airline Strike Ends as Clinton Steps In," New York Times, November 23, 1993, p. 1.
In the security domain, the Clinton Administration has sponsored several widely publicized public meetings to address security dimensions of the national information infrastructure (NII). These meetings were meetings of the NII Security Issues Forum, held in 1994 and 1995.27 They were announced in the Federal Register and were intended to provide a forum in which members of the interested public could air their concerns about security.
In the cryptography domain, the U.S. government has used its convening authority to seek comments on various proposed cryptographic standards and to hold a number of workshops related to key escrow (discussed in Chapter 5). Many in the affected communities believe that these attempts at outreach were too few and too late to influence anything more than the details of a policy outline on which the government had already decided. A second example demonstrating the government's nonstatutory influence was the successful government request to AT&T to base the 3600 Secure Telephone Unit on the Clipper chip instead of an unescrowed DES chip (as described in Appendix E).
6.2.9 Interagency Agreements Within the Executive Branch
Given that one government agency may have expertise or personnel that would assist another agency in doing its job better, government agencies often conclude agreements between them that specify the terms and nature of their cooperative efforts. In the domain of cryptography policy, NSA's technical expertise in the field has led to memorandums of understanding with NIST and with the FBI (Appendix N).
The memorandum of understanding (MOU) between NIST and NSA outlines several areas of cooperation between the two agencies that are intended to implement the Computer Security Act of 1987; joint NISTNSA activities are described in Box 6.2. This MOU has been the subject of some controversy, with critics believing that the MOU and its implementation cede too much authority to NSA and defenders believing that the
27 Office of Management and Budget press release, "National Information Infrastructure Security Issues Forum Releases 'NII Security: The Federal Role,"' Washington, D.C., June 14, 1995. The subjects of these meetings were "Commercial Security on the NII," which focused on the need for intellectual property rights protection in the entertainment, software, and computer industries; ''Security of Insurance and Financial Information"; "Security of Health and Education Information"; "Security of the Electronic Delivery of Government Services and Information"; "Security for Intelligent Transportation Systems and Trade Information"; and "The NII: Will It Be There When You Need It?," addressing the availability and reliability of the Internet, the public switched telecommunicatins network, and cable, wireless, and satellite communications services. Available on-line at gopher:// ntiantl.ntia.doc.gov:70/00/iitf/security/files/fedworld.txt.
The National Security Agency provides technical advice and assistance to the National Institute of Standards and Technology in accordance with Public LaW 100235, the Computer Security Act of 1987. An overview of NIST-NSA activities follows.
National conference. NIST and NSA jointly sponsor, organize, and chair the prestigious National Computer Security Conference, held yearly for the past 16 years. The conference is attended by over 2,000 people from government and private industry.
Common criteria. NSA is providing technical assistance to NIST for the development of computer security criteria that would be used by both the civillian and defense sides of the government. Representatives from Canada and Europe are joining the United States in the development of the criteria.
Product evaluations. NIST and NSA are working together to perform evaluations of computer security products. In the Trusted Technology Assessment Program, evaluations of some computer security products will be performed by NIST and its laboratories, while others will be performed by NSA. NIST and NSA engineers routinely exchange information and experiences to ensure uniformity of evaluations.
Standards development. NSA supports NIST in the development of standards that promote interoperability among security products. Sample standards include security protocol standards, digital signature standards, key management standards, and encryption algorithm standards (e.g., the DES, Skipjack).
Research and development. Under the Joint R&D Technology Exchange Program, NIST and NSA hold periodic technical exchanges to share information on new and ongoing programs. Research and development are performed in are such as security architectures, labeling standards, privilege management, and identification and authentication. Test-bed activities are conducted in areas related to electronic mail, certificate exchange and management, protocol conformity, and encryption technologies.
SOURCE: National Security Agency, April 1994 (as reprinted in Office of Technology Assessment, Information Security and Privacy in Network Environments, OTA-TCT-606, U.S. Government Printing Office, Washington D.C., September 1994, Box 4-8, p. 165).
MOU is faithful to both the spirit and letter of the Computer Security Act of 1987.28
The MOU between the FBI and NSA, declassified for the National Research Council, states that the NSA will provide assistance to the FBI upon request, when the assistance is consistent with NSA policy (includ-
28 For more discussion of these critical perspectives, see Office of Technology Assessment, Information Security and Privacy in Network Environments, 1994, Box 4-8, pp. 164-171.
ing protection of sources and methods), and in accordance with certain administrative requirements. Furthermore, if the assistance requested is for the support of an activity that may be conducted only pursuant to a court order or with the authorization of the Attorney General, the FBI request to the NSA must include a copy of that order or authorization.
In 1995, the National Security Agency, the Advanced Research Projects Agency, and the Defense Information Systems Agency (DISA) signed a memorandum of agreement (MOA) to coordinate research and development efforts in system security. This MOA provides for the establishment of the Information Systems Security Research-Joint Technology Office (ISSR-JTO). The role of the ISSR-JTO is "to optimize use of the limited research funds available, and strengthen the responsiveness of the programs to DISA, expediting delivery of technologies that meet DISA's requirements to safeguard the confidentiality, integrity, authenticity, and availability of data in DOD information systems, provide a robust first line of defense for defensive information warfare, and permit electronic commerce between the DOD and its contractors."29
6.3 ORGANIZATION OF THE FEDERAL GOVERNMENT WITH RESPECT TO INFORMATION SECURITY
6.3.1 Role of National Security vis-à-vis Civilian Information Infrastructures
The extent to which the traditional national security model is appropriate for an information infrastructure supporting both civilian and military applications is a major point of contention in the public debate. There are two schools of thought on this subject:
• The traditional national security model should be applied to the national information infrastructure, because protecting those networks also protects services that are essential to the military, and the role of the defense establishment is indeed to protect important components of the national infrastructure that private citizens and businesses depend upon.30
29 See "Memorandum of Agreement Between the Advanced Research Projects Agency, the Defense Information Systems Agency, and the National Security Agency Concerning the Information Systems Security Research-Joint Technology Office"; MOA effective April 2, 1995. The full text of the MOA is available in Appendix N and on-line at http:// www.ito.darpa.mil/ResearchAreas/Information_Survivability /MOA.html.
30 For example, the Joint Security Commission recommended that "policy formulation for information systems security be consolidated under a joint DoD/DCI security executive committee, and that the committee oversee development of a coherent network-oriented information systems security policy for the DoD and the Intelligence Community that could also serve the entire government." See Joint Security Commission, Redefining Security, Washington, D.C., February 28, 1994, p. 107.
• The traditional national security model should not be applied to the national information infrastructure, because the needs of civilian activities are so different from those of the military, and the imposition of a national security model would impose an unacceptable burden on the civilian sector. Proponents of this view argue that the traditional national security model of information securitya top-down approach to information security managementwould be very difficult to scale up to a highly heterogeneous private sector involving hundreds of millions of people and tens of millions of computers in the United States alone.
There is essential unanimity that the world of classified information (both military and nonmilitary) is properly a domain in which the DOD and NSA can and should exercise considerable influence. But moving outside this domain raises many questions that have a high profile in the public debatespecifically, what the DOD and NSA role should be in dealing with the following categories of information:
1. Unclassified government information that is military in nature,
2. Unclassified government information that is nonmilitary in nature, and
3. Nongovernment information.
To date, policy decisions have been made that give the DOD jurisdiction in information security policy for category 1. For categories 2 and 3, the debate continues. It is clear that the security needs for business and for national security purposes are both similar (Box 6.3) and different (Box 6.4). In category 2, the argument is made that DOD and NSA have a great deal of expertise in protecting information, and that the government should draw on an enormous historical investment in NSA expertise to protect all government information. At the same time, NIST has the responsibility for protecting such information under the Computer Security Act of 1987, with NSA's role being one of providing technical assistance. Some commentators believe that NIST has not received resources adequate to support its role in this area.31
31 For example, the Office of Technology Assessment stated that "the current state of government security practice for unclassified information has been depressed by the chronic shortage of resources for NIST's computer security activities in fulfillment of its government-wide responsibilities under the Computer Security Act of 1987. Since enactment of the Computer Security Act, there has been no serious (i.e., adequately funded and properly staffed), sustained effort to establish a center of information-security expertise and leadership outside the defense/intelligence communities." See Office of Technology Assessment, Issue Update on Information Security and Privacy in Network Environments, OTA-BP-ITC-147, U.S. Government Printing Office, Washington, D.C., June 1995, p. 42. A similar conclusion
• Strong aversion to public discussion of security breaches. Information about threats is regarded as highly sensitive. Such a classification makes it very difficult to conduct effective user education, because security awareness depends on an understanding of the true scope and nature of a threat.
• Need to make cost-benefit trade-offs in using security technology. Neither party can afford the resources to protect against an arbitrary threat model.
• Strong preference for self-reliance (government relying on government, industry relying on industry) to meet security needs.
• Strong need for high security. Both government and industry need strong cryptography with no limitations for certain applications. However, the best technology and tools are often reserved for government and military use because commercial deployment cannot be adequately controlled, resulting in opportunities for adversaries to obtain and examine the systems so that they can plan how to exploit them.
• Increasing reliance on commercial products in many domains (business, Third World nations).
• Increasing scale and sophistication of the security threat for businesses, which is now approaching that posed by foreign intelligence services and foreign governments.
• Possibility that exceptional access to encrypted information and data may become important to commercial entities.
In category 3, the same argument is made with respect to nongovernment information on the grounds that the proper role of government is to serve the needs of the entire nation. A second argument is made that the military depends critically on nongovernment information infrastructures (e.g., the public switched telecommunications network) and that it is essential to protect those networks not just for civilian use but also for military purposes. (Note that NSA does not have broad authority to assist private industry with information security, although it does conduct for industry, upon request, unclassified briefings related to foreign information security threats; NSD 42 (text provided in Appendix N) also gives NSA
was reached by the Board on Assessment of NIST Programs of the National Research Council, which wrote that "the Computer Security Division is severely understaffed and underfunded given its statutory security responsibilities, the growing national recognition of the need to protect unclassified but sensitive information, and the unique role the division can play in fostering security in commercial architectures, hardware, and software." See Board on Assessment of NIST Programs, National Research Council, An Assessment of the National Institute of Standards and Technology, Fiscal Year 1993, National Academy Press, Washington, D.C., 1994, p. 228.
• Business wants market-driven cryptographic technology; government is apprehensive about such technology. For example, standards are a critical element of market-driven cryptography. Market forces and the need to respond to rapidly evolving dynamic new markets demand an approach to establishing cryptographic standards; businesses want standards for interoperability, and they want to create market critical mass in order to lower the cost of cryptography.
• By its nature, the environment of business must include potential adversaries within its security perimeter. Commercial enterprises now realize that electronic delivery of their products and services to their customers will increase. They must design systems and processes explicitly so that customer can enter into transactions with considerable ease. Business strategies of today empower the customer through software and technology. Enterprise networks have value inallowing the maximum number of people to be attached to the network. Customers will choose which enterprise to enter in order to engage in electronic commerce, and making it difficult for the customer will result in loss of business. But adversaries masquerading as customers (or who indeed may be customers themselves) can enter as well. By contrast, the traditional national security model keeps poteial adversaries outside the security perimeter, allowing access only to those with areal need. However, to the extent that U.S. military forces work in collaboration with forces of other nations, the security perimeter for the military may also become similarly blurred.
• Business paradigms value teamwork, openness, trust, empowerment, and speed. Such values are often difficult to sustain in the national security establishment. The cultures of the two worlds are different and are reflected in, for example, the unwillingness of business to use multilevel security systems designed for military use. Such systems failed the market test, although they met Defense Department criteria for security.
• National security resources (personnel with cryptoraphic expertise, funding) are much larger than the resources in nondefense government sectors and in private industry and universities. As a result, a great deal of cryptographic knowledge resides within the world of national security. Industry wants access to this knowledge to ensure appropriate use of protocols and strong algorithms, as well as development of innovative new products and services.
• National security places considerable emphasis on confidentiality as well as on authentication and integrity. Today's commercial enterprises stress authentication of users and data integrity much more than they stress confidentiality (although this balance may shift in the future). For example, improperly denying a junior military officer access to a computer facility may not be particularly important in a military context, whereas improperly denying a customer access to his bank account because of a faulty authentication can pose enormous problems for the bank.
• While both businesses and national security authorities have an interest in safeguarding secrets, the tools available to businesses to discourage individuals from disclosing secrets (generally civil suits) are less stringent than those available to national security authorities (criminal prosecution).
the authority to work with private industry when such work involves national security information systems used by private industry.)
6.3.2 Other Government Entities with Influence on Information Security
As noted above, NSA has primary responsibility for information security in the classified domain, while NIST has primary responsibility for information security in the unclassified domain, but for government information only. No organization or entity within the federal government has the responsibility for promoting information security in the private sector.32
The Security Policy Board (SPB) does have a coordination function. Specifically, the charge of the SPB is to consider, coordinate, and recommend for implementation to the President policy directives for U.S. security policies, procedures, and practices, including those related to security for both classified and unclassified government information. The SPB is intended to be the principal mechanism for reviewing and proposing legislation and executive orders pertaining to security policy, procedures, and practices. The Security Policy Advisory Board provides a nongovernmental perspective on security policy initiatives to the SPB and independent input on such matters to the President. The SPB does not have operational responsibilities.
Other entities supported by the federal government have some influence over information security, though little actual policy-making authority. These include:
• The Computer Emergency Response Team (CERT). CERT was formed by the Defense Advanced Research Projects Agency (DARPA) in November 1988 in response to the needs exhibited during the Internet worm incident. CERT's charge is to work with the Internet community to facilitate its response to computer security events involving Internet hosts, to take proactive steps to raise the community's awareness of computer security issues, and to conduct research targeted at improving the security of existing systems.33 CERT offers around-the-clock technical assistance for responding to computer security incidents, educates users regarding product vulnerability
32 This observation was also made in Computer Science and Telecommunications Board, National Research Council, Computers at Risk: Safe Computing in the Information Age, National Academy Press, Washington, D.C., 1991, a report that proposed an Information Security Foundation as the most plausible type of organization to promote information security in the private sector.
33 Available on-line at http://www.sei.cmu.edu/technology/cert.faqintro.html.
through technical documents and seminars, and provides tools for users to undertake their own vulnerability analyses.
• The Information Infrastructure Task Force's (IITF) National Information Infrastructure Security Issues Forum. The forum is charged with addressing institutional, legal, and technical issues surrounding security in the NII. A draft report issued by the forum proposes federal actions to address these issues.34 The intent of the report, and of the Security Issues Forum more generally, is to stimulate a dialogue on how the federal government should cooperate with other levels of government and the private sector to ensure that participants can trust the NII. The draft report proposes a number of security guidelines (proposed NII security tenets), the adoption of Organization of Economic Cooperation and Development security principles for use on the NII, and a number of federal actions to promote security.
• The Computer System Security and Privacy Advisory Board (CSSPAB). CSSPAB was created by the Computer Security Act of 1987 as a statutory federal public advisory committee. The law provides that the board shall identify emerging managerial, technical, administrative, and physical safeguard issues relative to computer systems security and privacy; advise the National Institute of Standards and Technology and the secretary of commerce on security and privacy issues pertaining to federal computer systems; and report its findings to the secretary of commerce, the directors of the Office of Management and Budget and the National Security Agency, and the appropriate committees of the Congress. The board's scope is limited to federal computer systems or those operated by a contractor on behalf of the federal government and which process sensitive but unclassified information. The board's authority does not extend to private sector systems, systems that process classified information, or DOD unclassified systems related to military or intelligence missions as covered by the Warner Amendment (10 U.S.C. 2315). The activities of the board bring it into contact with a broad cross section of the nondefense agencies and departments; consequently, it often deals with latent policy considerations and societal consequences of information technology.
• The National Counterintelligence Center (NACIC). Established in 1994 by Presidential Decision Directive NSC-24, NACIC is primarily responsible for coordinating national-level counterintelligence activities, and it reports to the National Security Council. Operationally, the NACIC works
34 Office of Management and Budget press release, "National Information Infrastructure Security Issues Forum Releases 'NII Security: The Federal Role,'" Washington, D.C., June 14, 1995. Available on-line at gopher://ntiant1.ntia.doc.gov:70/00/iitf/security/files/ fedworld.txt.
with private industry through an industry council (consisting of senior security officials or other senior officials of major U.S. corporations) and sponsors counterintelligence training and awareness programs, seminars, and conferences for private industry. NACIC also produces coordinated national-level, all-source, foreign intelligence threat assessments to support private sector entities having responsibility for the protection of classified, sensitive, or proprietary information, as well as such assessments for government use.35
In addition, a number of private organizations (e.g., trade or professional groups) are active in information security.
6.4 INTERNATIONAL DIMENSIONS OF CRYPTOGRAPHY POLICY
The cryptography policy of the United States must take into account a number of international dimensions. Most importantly, the United States does not have the unquestioned dominance in the economic, financial, technological, and political affairs of the world as it might have had at the end of World War II. Indeed, the U.S. economy is increasingly intertwined with that of other nations. To the extent that these economically significant links are based on communications that must be secure, cryptography is one aspect of ensuring such security. Differing national policies on cryptography that lead to difficulties in communicating internationally work against overall national policies that are aimed at opening markets and reducing commercial and trade barriers.
Other nations have the option to maintain some form of export controls on cryptography, as well as controls on imports and use of cryptography; such controls form part of the context in which U.S. cryptography policy must be formulated. Specifically, foreign export control regimes more liberal than that of the United States have the potential to undercut U.S. export control efforts to limit the spread of cryptography. On the other hand, foreign controls on imports and use of cryptography could vitiate relaxation of U.S. export control laws; indeed, relaxation of U.S. export controls laws might well prompt a larger number of nations to impose additional barriers on the import and use of cryptography within their borders. Finally, a number of other nations have no explicit laws regarding the use of cryptography, but nevertheless have tools at their
35 National Counterintelligence Center (NACIC), Counterintelligence News and Developments, Issue No. 1, NACIC, Washington, D.C. This newsletter is available on-line at http:// www. oss.net/oss.
disposal to discourage its use; such tools include laws related to the postal, telephone, and telegraph (PTT) system, laws related to content carried by electronic media, laws related to the protection of domestic industries that discourage the entry of foreign products, laws related to classification of patents, and informal arrangements related to licensing of businesses.
As a first step in harmonizing cryptography policies across national boundaries, the Organization for Economic Cooperation and Development (OECD) held a December 1995 meeting in France among member nations to discuss how these nations were planning to cope with the public policy problems posed by cryptography. What the Paris meeting made clear is that many OECD member nations are starting to come to grips with the public policy problems posed by encryption, but that the dialogue on harmonizing policies across national borders has not yet matured. Moreover, national policies are quite fluid at this time, with various nations considering different types of regulation regarding the use, export, and import of cryptography.
Appendix G contains more discussion of international issues relevant to national cryptography policy.
While export controls and escrowed encryption are fundamental pillars of current national cryptography policy, many other aspects of government action also have some bearing on it. The Communications Assistance for Law Enforcement (Digital Telephony) Act calls attention to the relationship between access to a communications stream and government access to the plaintext associated with that digital stream. The former problem must be solved (and was solved, by the CALEA, for telephone communications) before the latter problem is relevant.
The government can influence the deployment and use of cryptography in many ways. Federal Information Processing Standards often set a "best practice" standard for the private sector, even though they have no official standing outside government use. By assuring large-volume sales when a product is new, government procurement practices can reduce the cost of preferred cryptography products to the private sector, giving these products a price advantage over possible competitors. Policy itself can be implemented in ways that instill action-inhibiting uncertainty in the private sector. Government R&D funding and patents on cryptographic algorithms can narrow technical options to some degree. Formal and informal arrangements with various other governments and organizations can promote various policies or types of cooperation. Product certification can be used to provide the information necessary for a flour-
ishing free market in products with encryption capabilities. Convening authority can help to establish the importance of a topic or approach to policy.
In some ways, the debate over national cryptography policy reflects a tension in the role of the national security establishment with respect to information infrastructures that are increasingly important to civilian use. In particular, the use of cryptography has been the domain of national security and foreign policy for most of its history, a history that has led to a national cryptography policy that today has the effect of discouraging the use of cryptography in the private sector.