National Academies Press: OpenBook

Cryptography's Role in Securing the Information Society (1996)

Chapter: M - Federal Information Processing Standards

« Previous: L - Other Looming Issues Related to Cryptography Policy
Suggested Citation:"M - Federal Information Processing Standards." National Research Council. 1996. Cryptography's Role in Securing the Information Society. Washington, DC: The National Academies Press. doi: 10.17226/5131.
×

Page 485

M Federal Information Processing Standards

Agencies at all levels of government set regulatory standards for products and processes in order to protect health, safety, and the environment. They also produce specifications for public procurement of goods and services. The Federal Register regularly publishes requests for comments on standards proposed by federal agencies. Some of these are developed by agencies, while others originate as voluntary standards set in the private sector and are adopted by reference within the text of regulations and specifications.

In 1965 the Brooks Act gave responsibility for federal information technology procurement standards to the National Bureau of Standards, now the National Institute of Standards and Technology (NIST).1 To meet this requirement, NIST produces Federal Information Processing Standards (FIPSs). All federal agencies are encouraged to cite FIPSs in their procurement specifications.

NIST has traditionally relied on private sector standards-setting processes when developing FIPSs.2 Many standards-setting bodies follow

1 Carl Cargill, Information Technology Standardization, Digital Press, Bedford, Mass., 1989, pp. 212-213.

2 Many standards related to information used in private industry are developed through voluntary consensus processes. Among the most active information technology standards developers are the Institute of Electrical and Electronics Engineers (IEEE), a professional society; the Information Technology Industry Coalition (ITIC), which administers information processing standards development in Committee X3; and the Alliance for Telecommu-

Suggested Citation:"M - Federal Information Processing Standards." National Research Council. 1996. Cryptography's Role in Securing the Information Society. Washington, DC: The National Academies Press. doi: 10.17226/5131.
×

Page 486

consensus standards development procedures promulgated by the American National Standards Institute (ANSI). These include open participation of volunteer technical experts in standards-writing committees; consensus among committee members in support of any proposed standard; and elements of administrative due process, such as opportunities for comment and voting by affected parties. These procedures increase the likelihood of achieving a broad-based consensus and enhancing the acceptance of the resulting standard.3

NIST personnel are frequent participants in consensus standards committees, and FIPSs generally cite or draw on consensus and de facto industry standards.4 This practice is consistent with government-wide policy; Office of Management and Budget Circular A-119 requires that all federal agencies cite existing consensus standards in regulation and procurement wherever possible, rather than develop government-unique

nications Industry Solutions (ATIS), coordinator of Committee T1 for telecommunication standards. The American Banking Association sponsors Committee X9, which is currently developing a cryptographic standard for interbank transactions based on the triple-DES algorithm. The Internet Engineering Task Force determines the protocols that are used (in varying degrees of compliance) to communicate between Internet sites.

Other private sector standards result from competition in the commercial marketplace. When one firm's product becomes so widespread that its specifications guide the decisions of other market participants, those specifications become a de facto industry standard. Firms may promote their technologies as de facto standards in pursuit of goals such as gaining economies of scale, protecting or increasing market share, and obtaining revenues from licensing intellectual property, among others. The IBM-compatible personal computer architecture is an example of a de facto industry standard. See Michael Hergert, "Technical Standards and Competition in the Microcomputer Industry," in H. Landis Gabel (ed.), Product Standardization and Competitive Strategy, Elsevier Science Publishers B.V., Amsterdam, 1987.

In recent years, some firms in the information technology industry have tried to establish de facto standards by promoting them through industry consortia. The Open Software Foundation's efforts to set a de facto UNIX operating system standard are an example. See Carl Cargill and Martin Weiss, "Consortia in the Standards Development Process," Journal of the American Society for Information Science, Volume 43(8), 1992, pp. 559-565.

The decentralized nature of standard setting in the United States can be confusing and inefficient in specific circumstances. A recent National Research Council study of standards and international trade in many industry sectors concluded, however, that the existence of multiple standard-setting processes generally serves the national interest well, for reasons that include flexibility in responding to changing technological and market forces and competitive pressures placed on rival standards developers. See National Research Council, Standards, Conformity Assessment, and Trade, National Academy Press, Washington, D.C., 1995, pp. 60-61.

3 Ross Cheit, Setting Safety Standards: Regulation in the Public and Private Sectors, University of California Press, Berkeley, 1990, p. 15.

4 Cargill, Information Technology Standardization, 1989, pp. 213-214.

Suggested Citation:"M - Federal Information Processing Standards." National Research Council. 1996. Cryptography's Role in Securing the Information Society. Washington, DC: The National Academies Press. doi: 10.17226/5131.
×

Page 487

standards.5 NIST's participation also reflects its recognition of the fact that the standards it sets will be more likely to succeed—in terms of reducing procurement costs, raising quality, and influencing the direction of information technology market development—if they are supported by private producers and users.6

There is an additional benefit to government reliance on industry standards that is especially relevant to information technology. Recent economic analysis and ample experience demonstrate that standards governing the interoperability of information technology products pose special challenges. Such standards control the ability of separate users, devices, software, and services to work with each other. Examples include computer operating systems and cryptographic algorithms used for communication or data exchange.

Reliance on de facto industry standards may involve problems as well. For example, the establishment of a formal standard based on de facto informal industry standards may freeze technology prematurely. User commitments to the use of that standard and a hard-to-change infrastructure can then restrict the development and deployment of new and more useful technologies. Moreover, a standard that is popular in the marketplace may not necessarily be the most appropriate for all end-user applications.

One vexing problem with industry standards relates to the competitive nature of the marketplace. The setting of a formal standard that has the effect of favoring any individual company or set of companies could be viewed as unfair and anticompetitive if it has the effect of suppressing other, equally useful technologies. Further problems arise if the payment of royalties is necessary to use a particular formal standard, and many standards-setting bodies do not adopt patented technology unless the patent holders agree to certain terms with regard to licensing those who wish to implement the standards.

The issuance of a FIPS can have enormous significance to the private sector as well, despite the face that the existence of a FIPS does not legally compel a private party to adopt it. One reason has already been stated-

5 Office of Management and Budget, Circular No. A-119, Revised, Federal Register, October 26, 1993, p. 57644. The Department of Defense, among others, has experienced dramatic reductions in procurement costs by taking advantage of the economies of scale inherent in large-volume commercial production relative to production solely for the government market. Purchasing commercial products also reduces significant cost burdens on suppliers of meeting separate commercial and military-unique standards. For further discussion of government use of private standards, see National Research Council, Standards, Conformity Assessment, and Trade, 1995, pp. 54-57.

6 Cargill, Information Technology Standardization, 1989, p. 213.

Suggested Citation:"M - Federal Information Processing Standards." National Research Council. 1996. Cryptography's Role in Securing the Information Society. Washington, DC: The National Academies Press. doi: 10.17226/5131.
×

Page 488

to the extent that a FIPS is based on existing private sector standards, it codifies standards of existing practice with all of the benefits (and costs) described above. A second reason is that a FIPS is often taken as a government endorsement of the procedures, practices, and algorithms contained therein and thus sets a de facto ''best-practices" standard for the private sector. A third reason is related to procurements that are FIPS-compliant as discussed in Chapter 6.

Products such as computers and communication devices that are intended to interoperate with other equipment are of little value if they are based on a standard few others use—there is no one to communicate with. For this reason, interoperability standards often foster a sudden acceleration in market share growth—a bandwagon effect—in which users afraid of being left out rush to adopt a standard once it appears clear that most other users will adopt that standard. The flip side of this phenomenon is the potential for significant delay in development of a market prior to this takeoff point: users put off purchasing products and services that might become "orphaned" in the future. During a period in which more than one competing standard exists, the entire market's growth may be adversely affected. The failure of a consumer market for AM stereo receivers, for example, was largely due to the lack of a dominant standard.7

Competing standards developed in the private and public sectors could be slowing the spread of cryptographic products and services. The two cryptography-related FIPSs most recently produced by NIST were not consistent with existing de facto industry standards. As discussed previously, the Escrowed Encryption Standard was adopted as FIPS 185 despite the overwhelmingly negative response from private industry and users to the public notice in the Federal Register.8 The Digital Signature Standard was also adopted despite both negative public comments and the apparent emergence of a de facto industry based on RSA's public-key algorithm.9

7 For further discussion of the interactions between interoperability standards and development of markets for goods and services, see Stanley Besen and Joseph Farrell, "Choosing How to Compete: Strategies and Tactics in Standardization," Journal of Economic Perspectives, Volume 8(2), Spring 1994, pp. 1-15; and Joseph Farrell and Garth Saloner, "Competition, Compatibility and Standards," Product Standardization and Competitive Strategy, H. Landis Gabel, ed. Elsevier Science Publishers B.V., Amsterdam, 1987.

8 Susan Landau et al., Codes, Keys, and Conflicts: Issues in U.S. Crypto Policy, Association for Computing Machinery Inc., New York, 1994, p. 48.

9 Landau et al., Codes, Keys, and Conflicts, 1994, pp. 41-43.

Suggested Citation:"M - Federal Information Processing Standards." National Research Council. 1996. Cryptography's Role in Securing the Information Society. Washington, DC: The National Academies Press. doi: 10.17226/5131.
×
Page 485
Suggested Citation:"M - Federal Information Processing Standards." National Research Council. 1996. Cryptography's Role in Securing the Information Society. Washington, DC: The National Academies Press. doi: 10.17226/5131.
×
Page 486
Suggested Citation:"M - Federal Information Processing Standards." National Research Council. 1996. Cryptography's Role in Securing the Information Society. Washington, DC: The National Academies Press. doi: 10.17226/5131.
×
Page 487
Suggested Citation:"M - Federal Information Processing Standards." National Research Council. 1996. Cryptography's Role in Securing the Information Society. Washington, DC: The National Academies Press. doi: 10.17226/5131.
×
Page 488
Next: N - Laws, Regulations, and Documents Relevant to Cryptography »
Cryptography's Role in Securing the Information Society Get This Book
×
Buy Hardback | $80.00 Buy Ebook | $64.99
MyNAP members save 10% online.
Login or Register to save!
Download Free PDF

For every opportunity presented by the information age, there is an opening to invade the privacy and threaten the security of the nation, U.S. businesses, and citizens in their private lives. The more information that is transmitted in computer-readable form, the more vulnerable we become to automated spying. It's been estimated that some 10 billion words of computer-readable data can be searched for as little as $1. Rival companies can glean proprietary secrets . . . anti-U.S. terrorists can research targets . . . network hackers can do anything from charging purchases on someone else's credit card to accessing military installations. With patience and persistence, numerous pieces of data can be assembled into a revealing mosaic. Cryptography's Role in Securing the Information Society addresses the urgent need for a strong national policy on cryptography that promotes and encourages the widespread use of this powerful tool for protecting of the information interests of individuals, businesses, and the nation as a whole, while respecting legitimate national needs of law enforcement and intelligence for national security and foreign policy purposes. This book presents a comprehensive examination of cryptography--the representation of messages in code--and its transformation from a national security tool to a key component of the global information superhighway. The committee enlarges the scope of policy options and offers specific conclusions and recommendations for decision makers. Cryptography's Role in Securing the Information Society explores how all of us are affected by information security issues: private companies and businesses; law enforcement and other agencies; people in their private lives. This volume takes a realistic look at what cryptography can and cannot do and how its development has been shaped by the forces of supply and demand. How can a business ensure that employees use encryption to protect proprietary data but not to conceal illegal actions? Is encryption of voice traffic a serious threat to legitimate law enforcement wiretaps? What is the systemic threat to the nation's information infrastructure? These and other thought-provoking questions are explored. Cryptography's Role in Securing the Information Society provides a detailed review of the Escrowed Encryption Standard (known informally as the Clipper chip proposal), a federal cryptography standard for telephony promulgated in 1994 that raised nationwide controversy over its "Big Brother" implications. The committee examines the strategy of export control over cryptography: although this tool has been used for years in support of national security, it is increasingly criticized by the vendors who are subject to federal export regulation. The book also examines other less well known but nevertheless critical issues in national cryptography policy such as digital telephony and the interplay between international and national issues. The themes of Cryptography's Role in Securing the Information Society are illustrated throughout with many examples -- some alarming and all instructive -- from the worlds of government and business as well as the international network of hackers. This book will be of critical importance to everyone concerned about electronic security: policymakers, regulators, attorneys, security officials, law enforcement agents, business leaders, information managers, program developers, privacy advocates, and Internet users.

  1. ×

    Welcome to OpenBook!

    You're looking at OpenBook, NAP.edu's online reading room since 1999. Based on feedback from you, our users, we've made some improvements that make it easier than ever to read thousands of publications on our website.

    Do you want to take a quick tour of the OpenBook's features?

    No Thanks Take a Tour »
  2. ×

    Show this book's table of contents, where you can jump to any chapter by name.

    « Back Next »
  3. ×

    ...or use these buttons to go back to the previous chapter or skip to the next one.

    « Back Next »
  4. ×

    Jump up to the previous page or down to the next one. Also, you can type in a page number and press Enter to go directly to that page in the book.

    « Back Next »
  5. ×

    Switch between the Original Pages, where you can read the report as it appeared in print, and Text Pages for the web version, where you can highlight and search the text.

    « Back Next »
  6. ×

    To search the entire text of this book, type in your search term here and press Enter.

    « Back Next »
  7. ×

    Share a link to this book page on your preferred social network or via email.

    « Back Next »
  8. ×

    View our suggested citation for this chapter.

    « Back Next »
  9. ×

    Ready to take your reading offline? Click here to buy this book in print or download it as a free PDF, if available.

    « Back Next »
Stay Connected!