1 Growing Vulnerability in the Information Age
Chapter 1 frames a fundamental problem facing the United States today: the need to protect against the growing vulnerability of information to unauthorized access and/or change as the nation makes the transition from an industrial age to an information age. Society's reliance on a changing panoply of information technologies and technology-enabled services, the increasingly global nature of commerce and business, and the ongoing desire to protect traditional freedoms as well as to ensure that government remains capable of fulfilling its responsibilities to the nation all suggest that future needs for information security will be large. These factors make clear the need for a broadly acceptable national cryptography policy that will help to secure vital national interests.
1.1 THE TECHNOLOGY CONTEXT OF THE INFORMATION AGE
The information age is enabled by computing and communications technologies (collectively known as information technologies) whose rapid evolution is almost taken for granted today. Computing and communications systems appear in virtually every sector of the economy and increasingly in homes and other locations. These systems focus economic and social activity on information (gathering, analyzing, storing, presenting, and disseminating information in text, numerical, audio, image, and video formats) as a product itself or as a complement to physical or tangible products.1
Today's increasingly sophisticated information technologies cover a wide range of technical progress:
• Microprocessors and workstations are increasingly important to the computing infrastructure of companies and the nation. Further increases in speed and computational power today come from parallel or distributed processing with many microcomputers and processors rather than faster supercomputers.
• Special-purpose electronic hardware is becoming easier to develop. Thus, it may make good sense to build specialized hardware optimized for performance, speed, or security with respect to particular tasks; such specialized hardware will in general be better adapted to these purposes than general-purpose machines applied to the same tasks.
• Media for transporting digital information are rapidly becoming faster (e.g., fiber optics instead of coaxial cables), more flexible (e.g., the spread of wireless communications media), and less expensive (e.g., the spread of CD-ROMs as a vehicle for distributing digital information). Thus, it becomes feasible to rely on the electronic transmission of larger and larger volumes of information and on the storage of such volumes on ever-smaller physical objects.
• Convergence of technologies for communications and for computing. Today, the primary difference between communications and computing is the distance traversed by data flows: in communications, the traversed distance is measured in miles (e.g., two people talking to each other), while in computing the traversed distance is measured in microns (e.g., between two subcomponents on a single integrated circuit). A similar convergence affects companies in communications and in computing: their boundaries are blurring, their scopes are changing, and their production processes overlap increasingly.
• Software is increasingly carrying the burden of providing functionality in information technology. In general, software is what gives hardware its functional capabilities, and different software running on the same hardware can change the functionality of that hardware entirely. Since software is intangible, it can be deployed widely on a very short time scale compared to that of hardware. Box 1.1 contains more discussion of this point.
1 Citations to a variety of press accounts can be found in Computer Science and Telecommunications Board (CSTB), National Research Council, Information Technology and Manufacturing: A Research Agenda, National Academy Press, Washington, D.C., 1993; CSTB, Information Technology in the Service Society: A Twenty-First Century Lever, 1993; CSTB, Realizing the Information Future: The Internet and Beyond, 1994; CSTB, Keeping the Computer and Communications Industry Competitive: Convergence of Computing, Communications, and Entertainment, 1995; and CSTB, The Unpredictable Certainty: Information Infrastructure Through 2000, 1996.
BOX 1.1
Communications and computing devices can be dedicated to a single purpose or may serve multiple purposes. Dedicated single-purpose devices are usually (though not always) hardware devices whose functionality cannot be easily altered. Examples include unprogrammable pocket calculators, traditional telephones, walkie-talkies, pagers, fax machines, and ordinary telephone answering machines.
A multipurpose device is one whose functionality can be altered by the end user. In some instances, a hardware device may be "reprogrammed" to perform different functions simply by the physical replacement of a single chip by another chip or by the addition of a new circuit board. Open bus architectures and standard hardware interfaces such as the PC card are intended to facilitate multipurpose functionality.
Despite such interfaces and architectures for hardware, software is the primary means for implementing multipurpose functionality in a hardware device. With software, physical replacement of a hardware component is unnecessary: a new software program is simply loaded and executed. Examples include personal computers (which do word processing or mathematical calculations, depending on what software the user chooses to run), programmable calculators (which solve different problems, depending on the programming given to them), and even many modern telephones (which can be programmed to execute functions such as speed dialing). In these instances, the software is the medium in which the expectations of the user are embedded.
Today, the lines between hardware and software are blurring. For example, some "hardware" devices are controlled by programs stored in semi-permanent read-only memory. "Read-only memory" (ROM) originally referred to memory for storing instructions and data that could never be changed, but this characteristic made ROM-controlled devices less flexible. Thus, the electronics industry responded with "read-only" memory whose contents take special effort to change (such as exposing the memory chip to a burst of ultraviolet light or sending only a particular signal to a particular pin on the chip). The flexibility and cheapness of today's electronic devices make them ubiquitous. Most homes now have dozens of microprocessors in coffee makers, TVs, refrigerators, and virtually anything that has a control panel.
As these examples suggest, information technologies are ever more affordable and ubiquitous. In all sectors of the economy, they drive demand for information systems; such demand will continue to be strong and experience significant growth rates. High-bandwidth and/or wireless media are becoming more and more common. Interest in and use of the Internet and similar public networks will continue to grow rapidly.
1.2 TRANSITION TO AN INFORMATION SOCIETY: INCREASING INTERCONNECTIONS AND INTERDEPENDENCE
As the availability and use of computer-based systems grow, so, too, does their interconnection. The result is a shared infrastructure of information, computing, and communications resources that facilitates collaboration at a distance, geographic dispersal of operations, and sharing of data. With the benefits of a shared infrastructure also come costs. Changes in the technology base have created more vulnerabilities, as well as the potential to contain them. For example, easier access for users in general implies easier access for unauthorized users.
The design, mode of use, and nature of a shared infrastructure create vulnerabilities for all users. For national institutions such as banking, new risks arise as the result of greater public exposure through such interconnections. For example, a criminal who penetrates one bank interconnected to the world's banking system can steal much larger amounts of money than are stored at that one bank. (Box 1.2 describes a recent electronic bank robbery.) Reducing vulnerability to breaches of security will depend on the ability to identify and authenticate people, systems, and processes and to assure with high confidence that information is not improperly manipulated, corrupted, or destroyed.
Although society is entering an era abounding with new capabilities, many societal practices today remain similar to those of the 1960s and 1970s, when computing was dominated by large, centralized mainframe computers. In the 1980s and 1990s, they have not evolved to reflect the introduction of personal computers, portable computing, and increasingly ubiquitous communications networks. Thus, people continue to relinquish control over substantial amounts of personal information through credit card transactions, proliferating uses of Social Security numbers, and participation in frequent-buyer programs with airlines and stores. Organizations implement trivial or no protection for proprietary data and critical systems, trusting policies to protect portable storage media or relying on simple passwords to protect information.
These practices have endured against a backdrop of relatively modest levels of commercial and individual risk; for example, the liability of a credit card owner for credit card fraud perpetrated by another party is limited by law to $50. Yet most computer and communications hardware and software systems are subject to a wide range of vulnerabilities, as described in Box 1.3. Moreover, information on how to exploit such vulnerabilities is often easy to obtain. As a result, a large amount of information that people say they would like to protect is in fact available through entirely legal channels (e.g., purchasing a credit report on an individual) or in places that can be accessed improperly through technical attacks requiring relatively modest effort.
BOX 1.2
Electronic money transfers are among the most closely guarded activities in banking. In 1994, an international group of criminals penetrated Citicorp's computerized electronic transfer system and moved about $12 million from legitimate customer accounts to their own accounts in banks around the world. According to Citicorp, this is the first time its computerized cash-management system has been breached. Corporate customers access the system directly to transfer funds for making investments, paying bills, and extending loans, among other purposes. The Citicorp system moves about $500 billion worldwide each day. Authority to access the system is verified with a cryptographic code that only the customer knows.
The case began in June 1994, when Vladimir Levin of St. Petersburg, Russia, allegedly accessed Citicorp computers in New York through the international telephone network, posing as one of Citicorp's customers. He moved some customer funds to a bank account in Finland, where an accomplice withdrew the money in person. In the next few months, Levin moved various Citicorp customers' funds to accomplices' personal or business accounts in banks in St. Petersburg, San Francisco, Tel Aviv, Rotterdam, and Switzerland.
Accomplices had withdrawn a total of about $400,000 by August 1994. By that time, bank officials and their customers were on alert. Citicorp detected subsequent transfers quickly enough to warn the banks into which funds were moved to freeze the destination accounts. (Bank officials noted that they could have blocked some of these transfers, but they permitted and covertly monitored them as part of the effort to identify the perpetrators.) Other perpetrators were arrested in Tel Aviv and Rotterdam; they revealed that they were working with someone in St. Petersburg. An examination of telephone company records in St. Petersburg showed that Citicorp computers had been accessed through a telephone line at AO Saturn, a software company. A person arrested after attempting to make a withdrawal from a frozen account in San Francisco subsequently identified Levin, who was an AO Saturn employee. Russia has no extradition treaty with the United States; however, Levin traveled to Britain in March 1995 and was arrested there. As of September 1995, proceedings to extradite him for trial in the United States were in progress.
Levin allegedly penetrated Citicorp computers using customers' user identifications and passwords. In each case, Levin electronically impersonated a legitimate customer, such as a bank or an investment capital firm. Some investigators suspect that an accomplice inside Citicorp provided Levin with necessary information; otherwise, it is unclear how he could have succeeded in accessing customer accounts. He is believed to have penetrated Citicorp's computers 40 times in all. Citicorp says it has upgraded its system's security to prevent future break-ins.
SOURCES: William Carley and Timothy O'Brien, "Cyber Caper: How Citicorp System Was Raided and Funds Moved Around World," Wall Street Journal, September 12, 1995, p. A1; Saul Hansell, "A $10 Million Lesson in the Risks of Electronic Banking," New York Times, August 19, 1995, p. 31.
BOX 1.3
Information systems and networks can be subject to four generic vulnerabilities:
1. Eavesdropping or data browsing. By surreptitiously obtaining the confidential data of a company or by browsing a sensitive file stored on a computer to which one has obtained improper access, an adversary could be in a position to undercut a company bid, learn company trade secrets (e.g., knowledge developed through proprietary company research) that would eliminate a competitive advantage of the company, or obtain the company's client list in order to steal customers. Moreover, damage can occur independent of the use of stealth: many companies would be damaged if their sensitive data were disclosed, even if they knew that such a disclosure had occurred.
2. Clandestine alteration of data. By altering a company's data clandestinely, an adversary could destroy the confidence of the company's customers in the company, disrupt internal operations of the company, or subject the company to shareholder litigation.
3. Spoofing. By illicitly posing as a company, an adversary could place false orders for services, make unauthorized commitments to customers, defraud clients, and cause no end of public relations difficulties for the company. Similarly, an adversary might pose as a legitimate customer, and a company, with an interest in being responsive to user preferences to remain anonymous under a variety of circumstances, could then find itself handicapped in seeking proper confirmation of the customer's identity.
4. Denial of service. By denying access to electronic services, an adversary could shut down company operations, especially time-critical ones. On a national scale, critical infrastructures controlled by electronic networks (e.g., the air traffic control system, the electrical power grid) involving many systems linked to each other are particularly sensitive.
Today, the rising level of familiarity with computer-based systems is combining with an explosion of experimentation with information and communications infrastructure in industry, education, health care, government, and personal settings to motivate new uses of and societal expectations about the evolving infrastructure. A key feature of the new environment is connection or exchange: organizations are connecting internal private facilities to external public ones; they are using public networks to create virtual private networks, and they are allowing outsiders such as potential and actual customers, suppliers, and business allies to access their systems directly. One vision of a world of electronic commerce and what it means for interconnection is described in Box 1.4.
Whereas a traditional national security perspective might call for keeping people out of sensitive stores of information or communications networks, national economic and social activity increasingly involves the exact opposite: inviting people from around the world to come in, with varying degrees of recognition that all who come in may not be benevolent. Box 1.5 describes some of the tensions between security and openness. Such a change in expectations and perspective is unfolding in a context in which controls on system access have typically been deficient, beginning with weak operating system security. The distributed and internetworked communications systems that are emerging raise questions about protecting information regardless of the path traveled (end-to-end security), as close to the source and destination as possible.
BOX 1.4
A number of reports have addressed the potential nature and impact of electronic commerce.1 Out of such reports, several common elements can be distilled:
• The interconnection of geographically dispersed units into a "virtual" company.
• The linking of customers, vendors, and suppliers through videoconferencing, electronic data interchange, and electronic networks.
• The creation of temporary or more permanent strategic alliances for business purposes.
• A vast increase in the on-line availability of information and information products, both free and for a fee, that are useful to individuals and organizations.
• The electronic transaction of retail business, beginning with today's toll-free catalog shopping and extending to electronic network applications that enable customers to:
   - apply for bank loans;
   - order tangible merchandise (e.g., groceries) for later physical delivery;
   - order intangible merchandise (e.g., music, movies) for electronic delivery;
   - obtain information and electronic documents (e.g., official documents such as driver's licenses and birth certificates).
• The creation of a genuinely worldwide marketplace that matches buyers to sellers largely without intermediaries.
• New business opportunities for small entrepreneurs that could sell low-value products to the large numbers of potential customers that an electronic marketplace might reach.
In general, visions of electronic commerce writ large attempt to leverage the competitive edge that information technologies can provide for commercial enterprises. Originally used exclusively to facilitate internal communications, information technology is now used by corporations to connect directly with their suppliers and business partners.2 In the future, corporate networks will extend all the way to customers, enabling improvements in customer service and more direct channels for customer feedback. Furthermore, information technologies will facilitate the formation of ad hoc strategic alliances among diverse enterprises and even among competitors on a short time scale, driven by changes in business conditions that demand prompt action. This entire set of activities is already well under way.
1 See, for example, Cross-Industry Working Team, Electronic Cash, Tokens, and Payments in the National Information Infrastructure, Corporation for National Research Initiatives, 1895 Preston White Drive, Suite 100, Reston, Virginia 22091-5434 (Internet: firstname.lastname@example.org; Tel: 703/620-8990), 1994; Office of Technology Assessment, Electronic Enterprises: Looking to the Future, U.S. Government Printing Office, Washington, D.C., July 1994.
2 For example, in manufacturing, collaborative information technologies can help to improve the quality of designs and reduce the cost and time needed to revise designs; product designers will be able to create a "virtual" product, make extensive computer simulations of its behavior without supplying all of its details, and "show" it to the customer for rapid feedback. Networks will enable the entire manufacturing enterprise to be integrated all along the supply chain, from design shops to truck fleets that deliver the finished products. (See Computer Science and Telecommunications Board, National Research Council, Information Technology and Manufacturing: A Research Agenda, National Academy Press, Washington, D.C., 1995.)
In the delivery of services, the more effective use and transmission of information have had dramatic effects. Today's air transportation system would not exist without rapid and reliable information flows regarding air traffic control, sales, marketing, maintenance, safety, and logistics planning. Retailers and wholesalers depend on the rapid collection and analysis of sales data to plan purchasing and marketing activities, to offer more differentiated services to customers, and to reduce operational costs. The insurance industry depends on rapid and reliable information flows to its sales force and to customize policies and manage risks. (See Computer Science and Telecommunications Board, National Research Council, Information Technology in the Service Society: A Twenty-First Century Lever, National Academy Press, Washington, D.C., 1994.)
BOX 1.5
Businesses have long been concerned about the tension between openness and security. An environment that is open to everyone is not secure, while an environment that is closed to everyone is highly secure but not useful. A number of trends in business today tend to exacerbate this conflict. For example:
• Modern competitive strategies emphasize openness to interactions with potential customers and suppliers. For example, such strategies would demand that a bank present itself as willing to do business with anyone, everywhere, and at any time. However, such strategies also offer potential adversaries a greater chance of success, because increasing ease of access often facilitates the penetration of security protections.
• Many businesses today emphasize decentralized management that pushes decision-making authority toward the customer and away from the corporate hierarchy. Yet security often has been (and is) approached from a centralized perspective. (For example, access controls are necessarily hierarchical (and thus centralized) if they are to be maintained uniformly.)
• Many businesses rely increasingly on highly mobile individuals. When key employees were tied to one physical location, it made sense to base security on physical presence, e.g., to have a user present a photo ID card to an operator at the central corporate computer center. Today, mobile computing and communications are common, with not even a physical wire to ensure that the person claiming to be an authorized user is accessing a computer from an authorized location or to prevent passive eavesdropping on unencrypted transmissions with a radio scanner.
The international dimensions of business and the growing importance of competitiveness in the global marketplace complicate the picture further. Although "multinationals" have long been a feature of the U.S. economy, the inherently international nature of communications networks and the growing capabilities for distributing and accessing information worldwide are helping many activities and institutions to transcend national boundaries. (See Box 1.6.)
At the same time, export markets are at least as important as domestic U.S. markets for a growing number of goods and service producers, including producers of information technology products as well as a growing variety of high- and low-technology products. The various aspects of globalization (identifying product and merchandising needs that vary by country; establishing and maintaining employment, customer, supplier, and distribution relationships by country; coordinating activities that may be dispersed among countries but result in products delivered to several countries; and so on) place new demands on U.S.-based and U.S.-owned information, communication, organizational, and personal resources and systems.
1.3 COPING WITH INFORMATION VULNERABILITY
Solutions to cope with the vulnerabilities described above require both appropriate technology and user behavior and are as varied as the needs of individual users and organizations. Cryptography, a technology described more fully in Chapter 2 and Appendix C, is an important element of many solutions to information vulnerability that can be used in a number of different ways. National cryptography policy, the focus of this report, concerns how and to what extent government affects the development, deployment, and use of this important technology. To date, public discussion of national cryptography policy has focused on one particular application of cryptography, namely its use in protecting the confidentiality of information and communications.
Accordingly, consideration of national cryptography policy must take into account two fundamental issues:
• If the public information and communications infrastructure continues to evolve with very weak security throughout, reflecting both deployed technology and user behavior, the benefits from cryptography for confidentiality will be significantly less than they might otherwise be.
• The vulnerabilities implied by weak security overall affect the ability of specific mechanisms such as cryptography to protect not only confidentiality but also the integrity of information and systems and the availability of systems for use when sought by their users. Simply protecting (e.g., encrypting) sensitive information from disclosure can still leave the rest of a system open to attacks that can undermine the encryption (e.g., the lack of access controls that could prevent the insertion of malicious software) or destroy the sensitive information.
Cryptography thus must be considered in a wider context. It is not a panacea, but it is extremely important to ensuring security and can be used to counter several vulnerabilities.
BOX 1.6
U.S. firms increasingly operate in a global environment, obtaining goods and services from companies worldwide, participating in global virtual corporations, and working as part of international strategic alliances. One key dimension of increasing globalization has been the dismantling of barriers to trade and investment. In the past 40 years, tariffs among developed countries have been reduced by more than two-thirds. After the Uruguay Round reductions are phased in, tariffs in these countries will be under 4%, with 43% of current trade free of any customs duties.
While tariffs of developing countries are at higher levels, they have recently begun to decline substantially. After the Uruguay Round, tariffs in these countries will average 12.3% by agreement and will be even lower as a result of unilateral reductions. In response to the reductions in trade barriers, trade has grown rapidly. From 1950 to 1993, U.S. and world trade grew at an average compound rate of 10% annually.
Investment has also grown rapidly in recent years, stimulated by the removal of restrictions and by international rules that provide assurances to investors against discriminatory or arbitrary treatment. U.S. foreign direct investment also has grown at almost 10% annually during the past 20 years and now totals about half a trillion dollars. Foreign direct investment in the United States has risen even faster over the same period, at almost 19% annually, and now also totals almost $500 billion.
The expansion of international trade and investment has resulted in a much more integrated and interdependent world economy. For the United States, this has meant a much greater dependence on the outside world. More than a quarter of the U.S. gross domestic product is now accounted for by trade in goods and services and returns on foreign investment. Over 11 million jobs are now directly or indirectly related to our merchandise trade.
Because the U.S. economy is mature, the maintenance of a satisfactory rate of economic growth requires that the United States compete vigorously for international markets, especially in the faster growing regions of the world. Many sectors of our economy are now highly dependent on export markets. This is particularly the case for, but is not limited to, high-technology goods, as indicated in Table 1.1.
TABLE 1.1 Dependence of U.S. Business Sectors on Export Markets
Area of Export
Exports as a Percentage of U.S. Output
Electronic computing and parts
Semiconductors and related devices
Magnetic and optical recording media (includes software products)
SOURCE: U.S. Department of Commerce, Commerce News, August 9, 1995.
A second international dimension is the enormous growth in recent years of multinational enterprises. Such firms operate across national boundaries, frequently in multiple countries. According to the 1993 World Investment Report of the United Nations, transnational corporations (TNCs) with varying degrees of integration account for about a third of the world's private sector productive assets.
The number of TNCs has more than tripled in the last 20 years. At the outset of this decade, about 37,000 U.S. firms had a controlling equity interest in some 170,000 foreign affiliates. This does not include nonequity relationships, such as management contracts, subcontracting, franchising, or strategic alliances. There are some 300 TNCs based in the United States and almost 15,000 foreign affiliates, of which some 10,000 are nonbank enterprises.
The strategies employed by TNCs vary among firms. They may be based on trade in goods and services alone or, more often, involve more complex patterns of integrated production, outsourcing, and marketing. One measure of the extent of integration by U.S. firms is illustrated by the U.S. Census Bureau, which reported that in 1994, 46% of U.S. imports and 32% of U.S. exports were between related firms. Of U.S. exports to Canada and Mexico, 44% were between related parties; for the European Union and Japan, the share was 37%.
With respect to imports, the shares of related-party transactions were 75.5% for Japan, 47.2% for the European Union, 44.6% for Canada, and 69.2% for Mexico. Among those sectors with the highest levels of interparty trade are data processing equipment, including computers, and parts and telecommunications equipment, ranging from 50% to 90%.
Recognition of the need for system and infrastructure security and demand for solutions are growing. Although demand for solutions has yet to become widespread, the trend is away from a marketplace in which the federal government2 was the only meaningful customer. Growing reliance on a shared information and communications infrastructure means that all individuals and organizations should be, and the committee believes will become, the dominant customers for better security. That observation is inherent in the concept of infrastructure as something on which people rely.
2 The more general statement is that the market historically involved national governments in several countries as the principal customers.
What may be less obvious is that as visions of ubiquitous access and interconnection are increasingly realized, individual, organizational, and governmental needs may become aligned. Such an alignment would mark a major change from the past. Again, sharing of a common infrastructure is the cause: everyone, individual or organization, public or private sector, is a user. As significantly, all of these parties face a multitude of threats to the security of information (Box 1.7). Consideration of the nation's massive dependence on the public switched telecommunications network, which is one of many components of the information and communications infrastructure, provides insight into the larger set of challenges posed by a more complex infrastructure (Box 1.8).
To illustrate the broad panorama of stakeholder interests in which national cryptography policy is formulated, the next several sections examine different aspects of society from the standpoint of needs for information security.
1.4 THE BUSINESS AND ECONOMIC PERSPECTIVE
For purposes of this report, the relationship of U.S. businesses to the information society has two main elements. One element is that of protecting information important to the success of U.S. businesses in a global marketplace. The second element is ensuring the nation's continuing ability to exploit U.S. strengths in information technology on a worldwide basis.
1.4.1 Protecting Important Business Information
A wide range of U.S. companies operating internationally are threatened by foreign information-collection efforts. The National Counterintelligence Center (NACIC) reports that "the U.S. industries that have been the targets in most cases of economic espionage and other foreign collection activities include biotechnology; aerospace; telecommunications; computer hardware/software, advanced transportation and engine technology; advanced materials and coatings; energy research; defense and armaments technology; manufacturing processes; and semiconductors."3 Foreign collectors target proprietary business information such as bid, contract, customer, and strategy information, as well as corporate financial and trade data.
3 National Counterintelligence Center, Annual Report to Congress on Foreign Economic Collection and Industrial Espionage, Washington, D.C., July 1995, p. 15.
Of all of the information vulnerabilities facing U.S. companies internationally (see Box 1.7), electronic vulnerabilities appear to be the most significant. For example, the NACIC concluded that "specialized technical operations (including computer intrusions, telecommunications targeting and intercept, and private-sector encryption weaknesses) account for the largest portion of economic and industrial information lost by U.S. corporations." The NACIC noted,
Because they are so easily accessed and intercepted, corporate telecommunications, particularly international telecommunications, provide a highly vulnerable and lucrative source for anyone interested in obtaining trade secrets or competitive information. Because of the increased usage of these links for bulk computer data transmission and electronic mail, intelligence collectors find telecommunications intercepts cost-effective. For example, foreign intelligence collectors intercept facsimile transmissions through government-owned telephone companies, and the stakes are large: approximately half of all overseas telecommunications are facsimile transmissions. Innovative "hackers" connected to computers containing competitive information evade the controls and access companies' information. In addition, many American companies have begun using electronic data interchange, a system of transferring corporate bidding, invoice, and pricing data electronically overseas. Many foreign government and corporate intelligence collectors find this information invaluable.4
Why is electronic information so vulnerable? The primary reason is that it is computer readable and thus much more vulnerable to automated search than are intercepted voice or postal mail transmissions. Once the information is collected (e.g., through an existing wiretap or a protocol analyzer on an Internet router), it is relatively simple for computers to search streams of electronic information for word combinations of interest (e.g., "IBM," "research," and "superconductivity" in the same message). As the cost of computing drops, the cost of performing such
4 From the National Counterintelligence Center, Annual Report to Congress on Foreign Economic Collection and Industrial Espionage, July 1995. Further, intelligence collections by foreign powers are facilitated when a hostile government interested in eavesdropping controls the physical environment in which a U.S. company may be operating. For example, the U.S. company may be in a nation in which the telecommunications system is under the direct control of the government. When a potentially hostile government controls the territory on which a company must operate, many more compromises are possible.
• Foreign national agencies (including intelligence services). Foreign intelligence operations target key U.S. businesses. For example, two former directors of the French intelligence service have confirmed publicly that the French intelligence service collects economic intelligence information, including classified government information and information related to or associated with specific companies of interest.1 Foreign intelligence agencies may break into facilities such as the foreign offices of a U.S. company or the hotel suite of a U.S. executive and copy computer files from within that facility (e.g., from a laptop computer in a hotel room, or a desktop computer connected to a network in an office).2 Having attained such access, they can also insert malicious code that will enable future information theft.
• Disgruntled or disloyal employees that work "from the inside." Such parties may collude with outside agents. Threats involving insiders are particularly pernicious because insiders are trusted with critical information that is not available to outsiders. Such information is generally necessary to understand the meaning of various data flows that may have been intercepted, even when those data flows are received in the clear.
• Network hackers and electronic vandals that are having fun or making political statements through the destruction of intellectual property without the intent of theft. Information terrorists may threaten to bring down an information network unless certain demands are met; extortionists may threaten to bring down an information network unless a ransom is paid. Disgruntled customers seeking revenge on a company also fall into this category.
• Thieves attempting to steal money or resources from businesses. Such individuals may be working for themselves or acting as part of a larger conspiracy (e.g., in association with organized crime). The spreading of electronic commerce will increase the opportunities for new and different types of fraud, as illustrated by the large increase in fraud seen as the result of increased electronic filing to the Internal Revenue Service. Even worse, customers traditionally regarded as the first line of defense against fraud (because they check their statements and alert the merchants or banks involved to problems) may become adversaries as they seek to deny a signature on a check or alter the amount of a transaction.
It is difficult to know the prevalence of such threats, because many companies do not discuss for the record specific incidents of information theft. In some cases, they fear stockholder ire and losses in customer confidence over security breaches; in others, they are afraid of inspiring "copy-cat" attacks or revealing security weaknesses. In still other cases, they simply do not know that they have been the victim of such theft. Finally, only a patchwork of state laws applies to the theft of trade secrets and the like (and not all states have such laws). There is no federal statute that protects trade secrets or that addresses commercial information theft, and federal authorities probing the theft of commercial information must rely on proving violations of other statutes, such as wire and mail fraud laws, interstate transport of stolen property, conspiracy, or computer fraud and abuse laws; as a result, documentation of what would be a federal offense if such a law were present is necessarily spotty.
For all of these reasons, what is known on the public record about economic losses from information theft almost certainly understates the true extent of the problem.
1 Two former directors of the DGSE (the French intelligence service), have publicly stated that one of the DGSE's top priorities was to collect economic intelligence. During a September 1991 NBC news program, Pierre Marion, former DGSE Director, revealed that he had initiated an espionage program against US businesses for the purpose of keeping France internationally competitive. Marion justified these actions on the grounds that the United States and France, although political and military allies, are economic and technological competitors. During an interview in March 1993, then DGSE Director Charles Silberzahn stated that political espionage was no longer a real priority for France but that France was interested in economic intelligence, "a field which is crucial to the world's evolution." Silberzahn advised that the French had some success in economic intelligence but stated that much work is still needed because of the growing global economy. Silberzahn advised during a subsequent interview that theft of classified information, as well as information about large corporations, was a long-term French Government policy. These statements were seemingly corroborated by a DGSE targeting document prepared in late 1989 and leaked anonymously to the US Government and the press in May 1993. It alleged that French intelligence had targeted numerous US Government agencies and corporations to collect economic and industrial information. Industry leaders such as Boeing, General Dynamics, Hughes Aircraft, Lockheed, McDonnell Douglas, and Martin Marietta all were on the list. Heading the US Government listing was the Office of the US Trade Representative.
The above unclassified paragraph can be found in the secret version of Annual Report to Congress on Foreign Economic Collection and Industrial Espionage, National Counterintelligence Center, Washington, D.C., July 1995.
2 According to a report from the National Communications System, countries that currently have significant intelligence operations against the United States for national security and/or economic purposes include Russia, the People's Republic of China, Cuba, France, Taiwan, South Korea, India, Pakistan, Israel, Syria, Iran, Iraq, and Libya. "All of the intelligence organizations listed [above] have the capability to target telecommunications and information systems for information or clandestine attacks. The potential for exploitation of such systems may be significantly larger." See National Communications System (NCS), The Electronic Intrusion Threat to National Security and Emergency Preparedness Telecommunications: An Awareness Document, 2nd ed., NCS, Alexandria, Va., December 5, 1994, pp. 2-20.
The nation's single most critical national-level component of information infrastructure vulnerable to compromise is the public switched telecommunications network (PSTN). The PSTN provides information transport services for geographically dispersed and national assets such as the banking system and financial markets,1 and the air traffic control system.2 Even the traditional military3 is highly dependent on the PSTN. Parties connected to the PSTN are therefore vulnerable to failure of the PSTN itself and to attacks transmitted over the PSTN.
The fundamental characteristic of the PSTN from the standpoint of information vulnerability is that it is a highly interconnected network of heterogeneously controlled and operated computer-based switching stations. Network connectivity implies that an attacker, which might range from a foreign government to a teen-aged hacker, can in principle connect to any network site (including sites of critical importance for the entire network) from any other network site (which may be geographically remote and even outside the United States).4 The sites of critical importance for the PSTN are the switching nodes that channel the vast majority of telecommunications traffic in the United States. Access to these critical nodes, and to other switching facilities, is supposed to be limited to authorized personnel, but in practice these nodes are often vulnerable to penetration. Once in place on a critical node, hostile and unauthorized users are in a position to disrupt the entire network.
The systemic vulnerabilities of the PSTN are the result of many factors. One is the increasing accessibility of network software to third parties other than the common carriers, resulting from the Federal Communications Commission requirement that the PSTN support open, equal access for third-party providers of enhanced services as well as for the common carriers; such accessibility offers intruders many opportunities to capture user information, monitor traffic, and remotely manipulate the network. A second reason is that service providers are allowing customers more direct access to network elements, in order to offer customer-definable services such as call forwarding. A third reason is that advanced services made possible by Signaling System 7 are dependent on a common, out-of-band signaling system for control of calls through a separate packet-switched data network that adds to network vulnerability.5 Finally, space-based PSTN components (i.e., satellites) have few control centers, are susceptible to electronic attack, and generally do not encrypt their command channels, making the systems vulnerable to hackers copying their commands and disrupting service.6 These conditions imply that the PSTN is a system that would benefit from better protection of system integrity and availability.
Threats to the PSTN affect all national institutions whose ability to function fully and properly depends on being able to communicate, be it through telephony, data transmission, video, or all of these. Indeed, many data networks operated "privately" by large national corporations or national institutions such as those described above are private only in the sense that access is supposed to be limited to corporate purposes; in fact, national institutions or corporations generally use all forms of communications, including those physically carried by the PSTN.7 However, the physical and computational infrastructure of these networks is in general owned by the telecommunications service provider, and this infrastructure is part of the larger PSTN infrastructure. Thus, like the Internet, the "private" data network of a national corporation is in general not physically independent of the PSTN. Similarly, it is dependence on the PSTN that has led to failures in the air traffic control system and important financial markets:
• In January 1991, the accidental severing of an AT&T fiber-optic cable in Newark, New Jersey, led to the disruption of Federal Aviation Administration (FAA) air traffic control communications in the Boston-Washington corridor and the shutdown of the New York Mercantile Exchange and several commodities exchanges. In May 1991, the severing of a fiber-optic cable led to the shutdown of four of the FAA's 20 major air traffic control centers with "massive operational impact."8
• The 1991 failure of a PSTN component in New York caused the loss of connectivity between a major securities house and the Securities Industry Automation Corporation, resulting in an inability to settle the day's trades over the network.9
Examples of small-scale activities by the computer "underground" against the PSTN demonstrate capabilities that, if coupled to an intent to wage serious information warfare against the United States, pose a serious threat to the U.S. information infrastructure:
• In 1990, several members of the Legion of Doom's Atlanta branch were charged with penetrating and disrupting telecommunications network elements. They were accused of planting "time bomb" programs in network elements in Denver, Atlanta, and New Jersey; these were designed to shut down major switching hubs but were defused by telephone carriers before causing damage.10
• Members of a group known as MOD were indicted on July 8, 1992, on 11 accounts. It is significant that they appear to have worked as a team. Among their alleged activities were developing and unleashing "programmed attacks" (see below) on telephone company computers and accessing telephone company computers to create new circuits and add services with no billing records.11
• Reported (but not well documented) is a growing incidence of "programmed attacks."12 These have been detected in several networks and rely on customized software targeting specific types of computers or network elements. They are rarely destructive, but rather seek to add or modify services. "The capability illustrated by this category of attacks has not fully matured. However, if a coordinated attack using these types of tools were directed at the PSTN with a goal of disrupting national security/emergency preparedness (NS/EP) telecommunications, the result could be significant."13 (The same point probably applies to the goal of disrupting other kinds of telecommunications beyond those used for NS/EP.)
A number of reports and studies14 have called attention to the vulnerability of components of the national telecommunications infrastructure.
1 These private networks for banking include Fedwire (operated by the Federal Reserve banks), the Clearinghouse for Interbank Payment Systems (CHIPS; operated by New York Clearinghouse, an association of money center banks), the Society for Worldwide Interbank Financial Telecommunication (SWIFT; an international messaging system that carries instructions for wire transfers between pairs of correspondent banks), and the Automated Clearing House (ACH) systems for domestic transfers, typically used for routine smaller purchases and payments. In the 1980s, several U.S. banks aggressively developed global networks with packet switches, routers, and so on, to interconnect their local and wide area networks; or, they used third-party service providers to interconnect. In the 1990s, there are signs that U.S. international banks are moving to greater use of carrier-provided or hybrid networks because of the availability of virtual private networks from carriers. Carrier-provided networks are more efficient than networks built on top of dedicated leased lines, because they can allocate demand dynamically among multiple customers.
2 The air traffic control system uses leased lines to connect regional air traffic control centers.
3 Over 95% of U.S. military and intelligence community voice and data communications are carried over facilities owned by public carriers. (See Joint Security Commission, Redefining Security: A Report to the Secretary of Defense and the Director of Central Intelligence, February 28, 1994, Chapter 8.) Of course, the 95% figure includes some noncritical military communications; however, only 30% of the telecommunications networks that would be used during wartime operate in the classified environment (and are presumably more secure), while the other 70% are based on the use of unclassified facilities of public carriers. See Richard Powers, Information Warfare: A CSI Special Report, Computer Security Institute, Washington, D.C., Fall 1995.
4 Clifford Stoll, The Cuckoo's Egg, Pocket Books, New York, 1989.
5 National Research Council, Growing Vulnerability of the Public Switched Networks: Implications for National Security and Emergency Preparedness (National Academy Press, Washington, D.C., 1989), p. 36; Reliability and Vulnerability Working Group, Telecommunications Policy Committee, Information Infrastructure Task Force, Reliability and Vulnerability of the NII: Capability Assessments, from the National Communications System home page at http://18.104.22.168/ nc-ia/html.
6 Reliability and Vulnerability Working Group, Telecommunications Policy Committee, Information Infrastructure Task Force, Reliability and Vulnerability of the NII: Capability Assessments, from the National Communications System home page at http://22.214.171.124/nc-ia/html.
7 Both shared circuits and private networks are expected to grow dramatically in the next several years. See, for example, Michael Csenger, "Private Lines Dead? Don't Buy Those Flowers Just Yet," Network World, May 1, 1995, p. 1.
8 Software Engineering Notes, Volume 17, January 1992, as cited in Peter G. Neumann, Computer-Related Risks, Addison-Wesley, New York, 1995, p. 17.
9 See Office of Technology Assessment, U.S. Congress, U.S. Banks and International Telecommunications: Background Paper, OTA-BP-TCT-100, U.S. Government Printing Office, Washington, D.C., September 1992, pp. 32-33.
10 National Communications System (NCS), The Electronic Intrusion Threat to National Security and Emergency Preparedness Telecommunications: An Awareness Document, 2nd ed., NCS, Alexandria, Va., December 5, 1994, p. 2-5.
11 NCS, The Electronic Intrusion Threat to National Security and Emergency Preparedness Telecommunications, 1994, pp. 2-8 to 2-9.
12 NCS, The Electronic Intrusion Threat to National Security and Emergency Preparedness Telecommunications, 1994, p. 2-6.
13 NCS, The Electronic Intrusion Threat to National Security and Emergency Preparedness Telecommunications, 1994, p. 2-6.
14 Joint Security Commission, Redefining Security: A Report to the Secretary of Defense and the Director of Central Intelligence, Washington, D.C., February 28, 1994; National Research Council, Growing Vulnerability of the Public Switched Networks: Implications for National Security and Emergency Preparedness, 1989; NCS, The Electronic Intrusion Threat to National Security and Emergency Preparedness Telecommunications, 1994; Reliability and Vulnerability Working Group, Telecommunications Policy Committee, Information Infrastructure Task Force, Reliability and Vulnerability of the NII: Capability Assessments, from the National Communications System home page at http://126.96.36.199/nc-ia/html.
searches drops.5 The threat posed by automated search, coupled with the sensitivity of certain communications that are critical for nongovernment users, is at the root of nongovernment demand for security.6
Note that solutions for coping with information-age vulnerabilities may well create new responsibilities for businesses. For example, businesses may have to ensure that the security measures they take are appropriate for the information they are protecting, and/or that the information they are protecting remains available for authorized use. Failure to discharge these responsibilities properly may result in a set of liabilities that these businesses currently do not face.
5 As a rough rule of thumb, Martin Hellman estimates that 10 billion (10^10) words can be searched for $1. This estimate is based on an experiment in which Hellman used the Unix utility program "fgrep" to search a 1 million (10^6) character file for a specific string of 10 characters known to be at the end of the file and nowhere else. It took the NeXT workstation on which this experiment was run approximately 1 second to find these last 10 characters. Since there are approximately 10^5 seconds in a day and 10^3 days (about 3 years) in the useful life of the workstation, it can search roughly 10^13 over its life. Since such a workstation is worth on the order of $1,000 today, this works out to 10^10 words searched for $1. (With the use of specialized hardware, this cost could be reduced significantly. For example, in the 1976 Book IV of the Senate Select Committee on Intelligence Report, R.L. Garwin describes the use of "match registers" to efficiently implement queries against a database; see Frank Church et al., U.S. Congress, Senate Select Committee to Study Governmental Operations with Respect to Intelligence Activities, U.S. Government Printing Office, Washington, D.C., 1976, Volume 4.)
6 Other noncomputer-based technology for the clandestine gathering of information is widely available on the retail market. In recent years, concern over the ready availability of such equipment has grown. See, for example, Ross E. Milloy, "Spying Toys for Adults or Supplies for Crimes?," New York Times, August 28, 1995, p. A10; Pam Belluck, "A Shadow over the Spy-Shop Business," New York Times, September 22, 1995, p. B3; and James C. McKinley, Jr., "U.S. Agents Raid Stores in 24 Cities to Seize Spy Gear," New York Times, April 6, 1995, p. A1.
Appendix I of this report elaborates issues of information vulnerability in the context of key industries such as banking and financial services, health care, manufacturing, the petroleum industry, pharmaceuticals, the entertainment industry, and government.
1.4.2 Ensuring the Nation's Ability to Exploit Global Markets
With the increasing globalization of business operations, information technology plays a key role in maintaining the competitive strengths of U.S. business. In particular, U.S. businesses have proven adept at exploiting information and information technologies to create new market niches and expand old ones. This pattern has deep roots. For example, beginning in the 1960s, American Airlines pioneered in computerized reservations systems and extended use of the information captured and stored in such systems, generating an entire new business that is more profitable than air transport services. More recently, creative uses of information technology have advanced U.S. leadership in the production of entertainment products (e.g., movies and videos, recorded music, on-line services) for the world.
U.S. innovation in using information technology reflects in part the economic vitality that makes new technology affordable. It also reflects proximity to the research and production communities that supply key information technology products, communities with which a variety of U.S. industries have successfully exchanged talent, communicated their needs as customers, and collaborated in the innovation process. In other words, it is not an accident that innovation in both use and production of information technology has blossomed in the United States.
The business advantages enjoyed by U.S. companies that use information technology are one important reason that the health of U.S. computer, telecommunications, and information industries is important to the economy as a whole. A second important reason is the simple fact that the U.S. information technology sector (the set of industries that supply information technology goods and services) is the world's strongest.7 The industry has an impressive record of product innovation; key U.S. products are de facto world standards; U.S. marketing and distribution capabilities for software products are unparalleled; and U.S. companies have considerable strengths in the manufacture of specialized semiconductor technologies and other key components. A strong information technology sector makes a significant contribution to the U.S. balance of payments and is responsible for large numbers of high-paying jobs. These strengths establish a firm foundation for continued growth in sales for U.S. information technology products and services as countries worldwide assimilate these technologies into their economies.
7 For example, a staff study by the U.S. International Trade Commission found that 8 of the world's top 10 applications software vendors, 7 of the world's top 10 systems software vendors, the top 5 systems integration firms, and 8 of the top 10 custom programming firms are U.S. firms; the top 9 global outsourcing firms have headquarters in the United States. See Office of Industries, U.S. International Trade Commission, Global Competitiveness of the U.S. Computer Software and Service Industries, Staff Research Study #21, Washington, D.C., June 1995, Chapter 5.
Finally, because of its technological leadership the United States should be better positioned to extend that lead, even if the specific benefits that may result are not known in advance. The head start in learning how to use information technology provides a high baseline on which U.S. individuals and organizations can build.
The committee believes that information technology is one of a few high-technology areas (others might include aerospace and electronics) that play a special role in the economic health of the nation, and that leadership in this area is one important factor underlying U.S. economic strength in the world today.8 To the extent that this belief is valid, the economic dimension of national security and perhaps even traditional national security itself may well depend critically on a few key industries that are significant to military capabilities, the industrial base, and the overall economic health of the nation. Policy that acts against the health and global viability of these industries or that damages the ability of the private sector to exploit new markets and identify niches globally thus deserves the most careful scrutiny.
Because it is inevitable that other countries will expand their installed information technology bases and develop their own innovations and entrepreneurial strengths, U.S. leadership is not automatic. Already, evidence of such development is available, as these nations build on the falling costs of underlying technologies (e.g., microprocessors, aggregate communications bandwidth) and worldwide growth in relevant skills. The past three decades of information technology history provide enough examples of both successful first movers and strategic missteps to suggest that U.S. leadership can be either reinforced or undercut: leadership is an asset, and it is sensitive to both public policy and private action.
8 The committee acknowledges that there is a wide range of judgment among responsible economists on this matter. Some argue that the economy is so diverse that the fate of a single industry or even a small set of industries has a relatively small effect on broader economic trends. Others argue that certain industries are important enough to warrant subsidy or industrial policy to promote their interests. The committee discussed this specific issue to a considerable extent and found a middle ground between these two extremes: that information technology is one important industry among others, and that the health and well-being of that industry are important to the nation. This position is also supported by the U.S. government, which notes that telecommunications and computer hardware/software are among a number of industries that are of "strategic interest to the United States . . . because they produce classified products for the government, produce dual use technology used in both the public and private sectors, and are responsible for leading-edge technologies critical to maintaining U.S. economic security" (National Counterintelligence Center, Annual Report to Congress on Foreign Economic Collection and Industrial Espionage, Washington, D.C., July 1995, p. 15).
Public and private factors affecting the competitive health of U.S. information technology producers are most tightly coupled in the arena of foreign trade.9 U.S. producers place high priority on ease of access to foreign markets. That access reflects policies imposed by U.S. and foreign governments, including governmental controls on what can be exported to whom. Export controls affect foreign trade in a variety of hardware, software, and communications systems.10 They are the subject of chronic complaints from industry, to which government officials often respond by pointing to other, industry-centered explanations (e.g., deficiencies in product design or merchandising) for observed levels of foreign sales and market shares. Chapter 4 addresses export controls in the context of cryptography and national cryptography policy.
1.5 INDIVIDUAL AND PERSONAL INTERESTS IN PRIVACY
The emergence of the information age affects individuals as well as businesses and other organizations. As numerous reports argue, the nation's information infrastructure promises many opportunities for self-education, social exchange, recreation, personal business, cost-effective delivery of social programs, and entrepreneurship.11 Yet the same technologies that enable such benefits may also convey unwanted side effects. Some of those can be considered automated versions of problems seen in the paper world; others are either larger in scale or different in kind. For individuals, the area relevant to this report is privacy and the protection of personal information. Increasing reliance on electronic commerce and the use of networked communication for all manner of activities suggest that more information about more people will be stored in network-accessible systems and will be communicated more broadly and more often, thus raising questions about the security of that information.
9 Of course, many intrafirm and intraindustry factors shape competitive strength, such as good management, adequate financing, good fit between products and consumer preferences, and so on.
10 See, for example, John Harvey et al., A Common-Sense Approach to High-Technology Export Controls, Center for International Security and Arms Control, Stanford University, Stanford, Calif., March 1995; National Research Council, Finding Common Ground: U.S. Export Controls in a Changed Global Environment, National Academy Press, Washington, D.C., 1991; Computer Science and Technology Board, National Research Council, Global Trends in Computer Technology and Their Impact on Export Control, National Academy Press, Washington, D.C., 1988.
11 See, for example, Computer Science and Telecommunications Board (CSTB), National Research Council, The Unpredictable Certainty: Information Infrastructure Through 2000, National Academy Press, Washington, D.C., 1996; CSTB, White Papers: The Unpredictable Certainty, 1996; and CSTB, The Changing Nature of Telecommunications/Information Infrastructure, 1995.
Privacy is generally regarded as an important American value, a right whose assertion has not been limited to those "with something to hide." Indeed, assertion of the right to privacy as a matter of principle (rather than as an instrumental action) has figured prominently in U.S. political and social history; it is not merely abstract or theoretical.
In the context of an information age, an individual's privacy can be affected on two levels: privacy in the context of personal transactions (with businesses or other institutions and with other individuals), and privacy vis-à-vis governmental units. Both levels are affected by the availability of tools, such as cryptography in the context of information and communications systems, that can help to preserve privacy. Today's information security technology, for example, makes it possible to maintain or even raise the cost of collecting information about individuals. It also provides more mechanisms for government to help protect that information. The Clinton Administration has recognized concerns about the need to guard individual privacy, incorporating them into the security and privacy guidelines of its Information Infrastructure Task Force.12 These guidelines represent an important step in the process of protecting individual privacy.
1.5.1 Privacy in an Information Economy
Today, the prospect of easier and more widespread collection and use of personal data as a byproduct of ordinary activities raises questions about inappropriate activities by industry, nosy individuals, and/or criminal elements in society. Criminals may obtain sensitive financial information to defraud individuals (credit card fraud, for example, amounts to approximately $20 per card per year). Insurance companies may use health data collected on individuals to decide whether to provide or deny health insurance--putting concerns about business profitability in possible conflict with individual and public health needs. On the other hand, much of the personal data in circulation is willingly divulged by individuals for specific purposes; the difficulty is that once shared, such information is available for additional uses. Controlling the further dissemination of personal data is a function both of procedures for how information should be used and of technology (including but not limited to cryptography) and procedures for restricting access to those authorized.
12 Information Infrastructure Task Force, National Information Infrastructure Security Issues Forum, NII Security: The Federal Role, Washington, D.C., June 5, 1995.
Given such considerations, individuals in an information age may wish to be able to:
• Keep specific information private. Disclosure of information of a personal nature that could be embarrassing if known, whether or not such disclosure is legal, is regarded as an invasion of privacy by many people. A letter to Ann Landers from a reader described his inadvertent eavesdropping on some very sensitive financial transactions being conducted on a cordless telephone.13 A staff member of this study committee has heard broadcasts of conversations that apparently emanate from a next-door baby monitor whose existence has been forgotten. Home banking services using telephone lines or network connections and personal computers will result in the flow on public networks of large amounts of personal information regarding finances. Even the ad copy in some of today's consumer catalogues contains references to information security threats.14
• Ensure that a party with whom they are transacting business is indeed the party he or she claims to be. Likewise, they may seek to authenticate their own identity with confidence that such authentication will be accepted by other parties, and that anyone lacking such authentication will be denied the ability to impersonate them.15 Such a capability is needed to transfer money among mutual funds with a telephone call or to minimize unauthorized use of credit card accounts.16 In an electronic domain without face-to-face communications or recognizable indicators such as voices and speech patterns (as used today in telephone calls), forgery of identity becomes increasingly easy.
• Prevent the false repudiation of agreed-to transactions. It is undesirable for a party to a transaction to be able to repudiate (deny) his agreement to the terms of the transaction. For example, an individual may agree to pay a certain price for a given product; he or she should not then be able to deny having made that agreement (as he or she might be tempted to do upon finding a lower price elsewhere).
• Communicate anonymously (i.e., carry out the opposite of authenticated communication). Individuals may wish to communicate anonymously to criticize the government or a supervisor, report illegal or unethical activity without becoming further involved, or obtain assistance for a problem that carries a social stigma. In other instances, they may simply wish to speak freely without fear of social reprisal or for the entertainment value of assuming a new digital identity in cyberspace.
• Ensure the accuracy of data relevant to them. Many institutions such as banks, financial institutions, and hospitals keep records on individuals. These individuals often have no personal control of the records, even though the integrity of the data in these records can be of crucial significance. Occasional publicity attests to instances of the inaccuracy of such data (e.g., credit records) and to the consequences for individuals.
Practical safeguards for privacy such as those outlined above may be more compelling than abstract or principled protection of a right to privacy.
13 Ann Landers, "Ann Landers," Washington Post, Creators Syndicate, October 20, 1995, p. D5.
14 For example, a catalogue from Comtrad Industries notes that "burglars use 'Code Grabbers' to open electric garage doors and break into homes," defining "code grabbers" as "devices that can record and play back the signal produced from your garage door remote control" (Comtrad Industries catalogue, 1995, p. 20). The Herrington catalogue advertises the "Enigma" phone scrambler by noting that "[a] recent Wall Street Journal article documents the increasing acceptance and prevalence of industrial espionage" and mentions as an "example of the alarming intrusion of the federal government into citizens' private lives" the fact that "the FBI petitioned Congress to further expand its wiretapping authority" (Herrington catalogue, Winter 1996, p. 13). Note that both of these mail-order firms cater to mainstream consumer sentiment.
15 For example, a journalist who had reported on the trafficking of illegally copied software on America Online was the victim of hackers who assumed his on-line identity, thereby intercepting his e-mail messages and otherwise impersonating him. See Peter Lewis, "Security Is Lost in Cyberspace," New York Times, February 22, 1995, p. D1. Other cases of "stolen identities" have been reported in the press, and while these cases remain relatively isolated, they are still a matter of public concern. Thieves forge signatures and impersonate the identities of law-abiding citizens to steal money from bank accounts and to obtain credit cards in the name of those citizens; see Charles Hall, "A Personal Approach to Stealing," Washington Post, April 1, 1996, p. A1.
16 For example, a recent press article calls attention to security concerns raised by the ease of access to 401(k) retirement accounts (for which there is no cap on the liability incurred if a third party with unauthorized access transfers funds improperly). See Timothy Middleton, "Will Thieves Crack Your Automated Nest Egg?," New York Times, March 10, 1996, Business Section, p. 10. Another article describes a half-dozen easy-to-apply methods that can be used by criminals to undertake fraud. See Albert Crenshaw, "Creative Credit Card Crooks Draw High-Tech Response," Washington Post, August 6, 1995, Business Section, p. H1.
1.5.2 Privacy for Citizens
To many people, freedom of expression and association, protection against undue governmental, commercial, or public intrusion into their personal affairs, and fair treatment by various authorities are concerns shaped by memories of highly publicized incidents in which such rights were flouted.17 It can be argued that such incidents were detectable and correctable precisely because they involved government units that were obligated to be publicly accountable--and indeed, these incidents prompted new policies and procedures as well as greater public vigilance. It is also easy to dismiss them as isolated instances in a social system that for the most part works well. But where these episodes involve government, many of those skeptical about government believe that they demonstrate a capacity of government to violate civil liberties of Americans who are exercising their constitutional rights.18 This perception is compounded by attempts to justify past incidents as having been required for purposes of national security. Such an approach both limits public scrutiny and vitiates policy-based protection of personal privacy.
17 Some incidents that are often cited include the surveillance of political dissidents, such as Martin Luther King, Jr., Malcolm X, and the Student Non-Violent Coordinating Committee in the mid to late 1960s; the activities of the Nixon "plumbers" in the late 1960s, including the harassment and surveillance of sitting and former government officials and journalists and their associates in the name of preventing leaks of sensitive national security information; U.S. intelligence surveillance of the international cable and telephone communications of U.S. citizens from the early 1940s through the early 1970s in support of FBI and other domestic law enforcement agencies; and the creation of FBI dossiers on opponents of the Vietnam War in the mid-1960s. The description of these events is taken largely from Frank J. Donner, The Age of Surveillance, Alfred A. Knopf, New York, 1980 (surveillance of political dissidents, pp. 244-248; plumbers, pp. 248-252; FBI dossiers on antiwar protesters, pp. 252-256; NSA surveillance, pp. 276-277). Donner's book documents many of these events. See also Final Report of the Senate Select Committee to Study Governmental Operations with Respect to Intelligence Activities, Book II, April 26, 1974, U.S. Government Printing Office, Washington, D.C., p. 12.
It is hard to determine with any kind of certainty the prevalence of the sentiments described in this section. By some measures, over half of the public is skeptical about government in general,19 but whether that skepticism translates into widespread public concern about government surveillance is unclear. The committee believes that most people acting as private individuals feel that their electronic communications are secure and do not generally consider it necessary to take special precautions against threats to the confidentiality of those communications. These attitudes reflect the fact that most people, including many who are highly knowledgeable about the risks, do not give much conscious thought to these issues in their day-to-day activities.
At the same time, the committee acknowledges the concerns of many law-abiding individuals about government surveillance. It believes that such concerns and the questions they raise about individual rights and government responsibilities must be taken seriously. It would be inappropriate to dismiss such individuals as paranoid or overly suspicious. Moreover, even if only a minority is worried about government surveillance, it is an important consideration, given the nation's history as a democracy,20 for determining whether and how access to and use of cryptography may be considered a citizen's right (Chapter 7).
18 For example, at the 4th Conference on Computers, Freedom, and Privacy in Chicago, Illinois, held in 1994, a government speaker asked the audience if they were more concerned about government abuse and harassment or about criminal activity that might be directed at them. An overwhelming majority of the audience indicated greater concern about the first possibility. For recent accounts that give the flavor of concerns about malfeasance by law enforcement officials, see Ronald Smothers, "Atlanta Holds Six Policemen in Crackdown," New York Times, September 7, 1995, p. 9; George James, "Police Officer Is Arrested on Burglary Charges in Sting Operation," New York Times, September 7, 1995, p. B5; Kenneth B. Noble, "Many Complain of Bias in Los Angeles Police," New York Times, September 4, 1995, p. 11; Kevin Sack, "Racism of a Rogue Officer Casts Suspicion on Police Nationwide," New York Times, September 4, 1995, p. 1; Gordon Witkin, "When the Bad Guys Are Cops," U.S. News & World Report, September 11, 1995, p. 20; Barry Tarlow, "Doing the Fuhrman Shuffle," Washington Post, August 27, 1995, p. C2; and David W. Dunlap, "F.B.I. Kept Watch on AIDS Group During Protest Years," New York Times, May 16, 1995, p. B3.
19 For example, a national Harris poll in January 1994 asked "Which type of invasions of privacy worry you the most in America today--activities of government agencies or businesses?" Fifty-two percent said that government agencies were their greater worry, while 40% selected business. See Center for Social and Legal Research, Privacy & American Business, Volume 1(3), Hackensack, N.J., 1994, p. 7.
1.6 SPECIAL NEEDS OF GOVERNMENT
Government encompasses many functions that generate or depend on information, and current efforts to reduce the scope and size of government depend heavily on information technology. In many areas of government, the information and information security needs resemble those of industry (see Appendix I). Government also has important responsibilities beyond those of industry, including those related to public safety. For two of the most important and least understood in detail, law enforcement and national security, the need for strong information security has long been recognized.
Domestic law enforcement authorities in our society have two fundamental responsibilities: preventing crime and prosecuting individuals who have committed crimes. Crimes committed and prosecuted are more visible to the public than crimes prevented (see Chapter 3).
The following areas relevant to law enforcement require high levels of information security:
• Prevention of information theft from businesses and individuals, consistent with the transformation of economic and social activities outlined above.
• Tactical law enforcement communications. Law enforcement officials working in the field need secure communications. At present, police scanners available at retail electronics stores can monitor wireless communications channels used by police; criminals eavesdropping on such communications can receive advance warning of police responding to crimes being committed.
• Efficient use by law enforcement officials of the large amounts of information compiled on criminal activity. Getting the most use from such information implies that it be remotely accessible and not be improperly modified (assuming its accuracy and proper context, a requirement that in itself leads to much controversy21).
• Reliable authentication of law enforcement officials. Criminals have been known to impersonate law enforcement officials for nefarious purposes, and the information age presents additional opportunities.
20 Protecting communications from government surveillance is a time-honored technique for defending against tyranny. A most poignant example is the U.S. insistence in 1945 that the postwar Japanese constitution include protection against government surveillance of the communications of Japanese citizens. In the aftermath of the Japanese surrender in World War II, the United States drafted a constitution for Japan. The initial U.S. draft contained a provision saying that "[n]o censorship shall be maintained, nor shall the secrecy of any means of communication be violated." The Japanese response to this provision was a revised provision stating that "[t]he secrecy of letter and other means of communication is guaranteed to all of the people, provided that necessary measures to be taken for the maintenance of public peace and order, shall be provided by law." General Douglas MacArthur, who was supervising the drafting of the new Japanese constitution, insisted that the original provision regarding communications secrecy and most other provisions of the original U.S. draft be maintained. The Japanese agreed, this time requesting only minor changes in the U.S. draft and accepting fully the original U.S. provision on communications secrecy. See Osamu Nishi, Ten Days Inside General Headquarters (GHQ): How the Original Draft of the Japanese Constitution Was Written in 1946, Seibundo Publishing Co. Ltd., Tokyo, 1989.
In the domain of national security, traditional missions involve protection against military threats originating from other nation-states and directed against the interests of the United States or its friends and allies. These traditional missions require strong protection for vital information:
• U.S. military forces require secure communications. Without cryptography and other information security technologies in the hands of friendly forces, hostile forces can monitor the operational plans of friendly forces to gain an advantage.22
• Force planners must organize and coordinate flows of supplies, personnel, and equipment. Such logistical coordination involves databases whose integrity and confidentiality as well as remote access must be maintained.
• Sensitive diplomatic communications between the United States and its representatives or allies abroad, and/or between critical elements of the U.S. government, must be protected as part of the successful conduct of foreign affairs, even in peacetime.23
21 See, for example, U.S. General Accounting Office (GAO), National Crime Information Center: Legislation Needed to Deter Misuse of Criminal Justice Information, GAO/T-GGD-93-41, GAO, Washington, D.C., 1993.
22 For example, the compromise of the BLACK code used by Allied military forces in World War II enabled German forces in Africa in 1942, led by General Erwin Rommel, to determine the British order of battle (quantities, types, and locations of forces), estimate British supply and morale problems, and know the tactical plans of the British. The compromise of one particular message enabled Rommel to thwart a critical British counterattack. In July of that year, the British switched to a new code, thus denying Rommel an important source of strategic intelligence. Rommel was thus surprised at the Battle of Alamein, widely regarded as a turning point in the conflict in the African theater. See David Kahn, The Codebreakers: The Story of Secret Writing, MacMillan, New York, 1967, pp. 472-477.
In addition, the traditional missions of national security have expanded in recent years to include protection against terrorists24 and international criminals, especially drug cartels.25 Furthermore, recognition has been growing that in an information age, economic security is part of national security.
More broadly, there is a practical convergence under way among protection of individual liberties, public safety, economic activity, and military security. For example, the nation is beginning to realize that critical elements of the U.S. civilian infrastructure--including the banking system, the air traffic control system, and the electric power grid--must be protected against the threats described above, as must the civilian information infrastructure that supports the conduct of sensitive government communications. Because civilian infrastructure provides a significant degree of functionality on which the military and defense sector depends, traditional national security interests are at stake as well, and concerns have grown about the implications of what has come to be known as information warfare (Box 1.9). More generally, the need for more secure systems, updated security policies, and effective procedural controls is taking on truly nationwide dimensions.
23 An agreement on Palestinian self-rule was reached in September 1995. According to public reports, the parties involved, Yasir Arafat (leader of the Palestinian Liberation Organization) and Shimon Peres (then Foreign Minister of Israel), depended heavily on the telephone efforts of Dennis Ross, a U.S. negotiator, in mediating the negotiations that led to the agreement. Obviously, in such circumstances, the security of these telephone efforts was critical. See Steven Greenhouse, "Twist to Shuttle Diplomacy: U.S. Aide Mediated by Phone," New York Times, September 25, 1995, p. 1.
24 Terrorist threats generally emanate from nongovernmental groups, though at times involving the tacit or implicit (but publicly denied) support of sponsoring national governments. Furthermore, the United States is regarded by many parties as a particularly important target for political reasons by virtue of its prominence in world affairs. Thus, terrorists in confrontation with a U.S. ally may wish to make a statement by attacking the United States directly rather than its ally.
25 See, for example, Phil Williams, "Transnational Criminal Organizations and International Security," Survival, Volume 36(1), Spring 1994, pp. 96-113.
Box 1.9
"Information warfare" (IW) is a term used in many different ways. Of most utility for this report is the definition of IW as hostile action that targets the information systems and information infrastructure of an opponent (i.e., offensive actions that attack an opponent's communications, weapon systems, command and control systems, intelligence systems, information components of the civil and societal infrastructure such as the power grid and banking system) coupled with simultaneous actions seeking to protect U.S. and allied systems and infrastructure from such attacks. Other looser uses of the term IW include the following:
• The use of information and tactical intelligence to apply weapon systems more effectively. IW may be used in connection with information-based suppression of enemy air defenses or "smart" weapons using sensor data to minimize the volume of ordnance needed to destroy a target.
• The targeting of companies' information systems for IW attacks. As industrial espionage spreads and/or international competitiveness drives multinational corporations into military-like escapades, the underlying notion of information-based probing of and attack on a competitor's information secrets could take on a flavor of intergovernment military or intelligence activities.
• The fight against terrorism, organized crime, and even street crime, which might be characterized as IW to the extent that information about these subjects is used to prosecute the battle. This usage is not widespread, although it may develop in the future.
Usage of the term has shifted somewhat as federal agencies, notably the Department of Defense, struggle to fully appreciate this new domain of warfare (or low-intensity conflict) and to create relevant policy and doctrine for it. Conversely, there is some discussion of the vulnerabilities of the U.S. civil information infrastructure to such offense. A broad range of activities can take place in information warfare:
• Physical destruction of information-handling facilities to destroy or degrade functionality;
• Denial of use of an opponent's important information systems;
• Degradation of effectiveness (e.g., accuracy, speed of response) of an opponent's information systems;
• Insertion of spurious, incorrect, or otherwise misleading data into an opponent's information systems (e.g., to destroy or modify data, or to subvert software processes via improper data inputs);
• Withdrawal of significant tactical or strategic data from an opponent's information systems;
• Insertion of malicious software into an opponent's system to affect its intended behavior in various ways and, perhaps, to do so at a time controlled by the aggressor; and
• Subversion of an opponent's software and/or hardware installation to make it an in-place self-reporting mole for intelligence purposes.
As an operational activity, information warfare clearly is related closely to, but yet is distinct from, intelligence functions that are largely analytical. IW is also related to information security, since its techniques are pertinent both to prosecution of offensive IW and to protection for defensive IW.
Chapter 1 underscores the need for attention to protecting vital U.S. interests and values in an information age characterized by a number of trends:
• The world economy is in the midst of a transition from an industrial to an information age in which information products are extensively bought and sold, information assets provide leverage in undertaking business activities, and communications assume ever-greater significance in the lives of ordinary citizens. At the same time, national economies are increasingly interlinked across national borders, with the result that international dimensions of public policy are important.
• Trends in information technology suggest an ever-increasing panoply of technologies and technology-enabled services characterized by high degrees of heterogeneity, enormous computing power, and large data storage and transmission capabilities.
• Given the transition to a global information society and trends in information technology, the future of individuals and businesses alike is likely to be one in which information of all types plays a central role. Electronic commerce in particular is likely to become a fundamental underpinning of the information future.
• Government has special needs for information security that arise from its role in society, including the protection of classified information and its responsibility for ensuring the integrity of information assets on which the entire nation depends.
Collectively, these trends suggest that future needs for information security will be large. Threats to information security will emerge from a variety of different sources, and they will affect the confidentiality and integrity of data and the reliable authentication of users; these threats do and will affect businesses, government, and private individuals.
Chapter 2 describes how cryptography may help to address all of these problems.