Reengineering Through Information Technology

Recommendations and Actions

IT10: Develop Systems and Mechanisms to Ensure Privacy and Security

Business Relies on Secure Communications

Imagine this: A businesswoman walks into a post office, presents a picture ID, and is given a "public key." Using this key card, she electronically signs a federal contract and transmits it over the National Information Infrastructure to a contracting agency. The transaction is valid, secure, and paperless.

Automated teller machines (ATMs) are one of the most successful examples of using information technology to improve service. Viewed with skepticism at their introduction, they are now the principal means used to conduct routine banking transactions. Fundamental to their success is public confidence in the trustworthiness of the electronic banking system. Indeed, people's chief anxiety about using ATMs is the fear of being robbed while making a withdrawal.

A new type of crime is the "high-tech mugging," in which ATM access information is stolen and used to make unauthorized withdrawals. In a recent Brooklyn, N.Y., case, crooks used a hidden video camera to look over the shoulders of people withdrawing money at ATMs. The camera recorded their personal identification numbers (PINs); later the thieves matched these with discarded receipts to withdraw money illegally.

In another ATM caper, crooks placed a bogus ATM machine in a Connecticut mall. The bogus machine not only recorded hundreds of PINs, but also read the private account information stored on each ATM card. The bogus ATM machine returned cards to the unsuspecting owner and displayed a message indicating that the transaction could not be completed. These criminals later used the information to withdraw money. In both of these crimes, the crooks succeeded in stealing over $100,000.

These cases illustrate real money loss by exploiting system security vulnerabilities. However, they also illustrate the real potential for a loss of public confidence in electronic government.[1]

Unless the information systems and electronic services delivery systems protect the information being processed and the privacy of the individuals using them, electronic government will not work. Government is beginning to use the recent advances in information technology to lower costs; increase efficiency and productivity; and collect, use, and analyze far more information, much of it personal.

As government use of electronic services and information systems grows more extensive and widespread, government and citizens will demand continued confidentiality and integrity in the information processed. Also, as government, businesses, and other organizations rely more on electronic records and information, they will also demand more access to diverse, interconnected databases. Information technology can provide tremendous benefits in improved service and, used properly, enhanced privacy and security. But without proper attention, it can also permit inappropriate, unauthorized, or illegal access to information.

Furthermore, new electronic government applications--particularly those focused on service-to-the-citizen programs--present nontraditional challenges and vulnerabilities regarding accuracy, authentication, privacy, and security. These challenges and vulnerabilities are both technical and policy-related.[2]

Although overcoming the technical challenges is straightforward, a tradeoff must be made between cost and risk. Information technology-based solutions and prototypes (cryptography, digital signatures, security protocols) for protecting distributed internetworked systems will soon be available. The implementation of these solutions should be weighed against all identifiable risks.

Overcoming the political and policy challenges, however, is not straightforward. Prominent among these today is the appropriate role of the federal government in privacy and security. Examples of particularly challenging policy issues include balancing national security interests with private sector business interests, and maintaining a balance between individual privacy and governmental efficiency.

The American people want trustworthy, readily available information, and computer systems that are user-friendly, secure, and protective of individual privacy. These systems must:

---safeguard information, facilities, information systems, and networks against illegal or unauthorized access, modification, or disclosure;

---balance access to agency information and records with appropriate privacy controls;

---respect private ownership of information and be subject to policies and disclosure procedures for government use of individual information; and

---incorporate privacy and security safeguards early in the design of the system.

Finally, as the nation develops information highways and expands the national information infrastructure, systems should be designed and used within a framework that

---protects national security interests,

---permits legitimate law enforcement activities,

---enhances global competitiveness and productivity for U.S. business and industry, and

---ensures the privacy and civil liberties of all citizens.

Need for Change

Public acceptance and reliance on electronic information and data requires

---striking the proper balance between an individual's personal privacy and the government's need for information,

---providing a high degree of security against unauthorized access or use, and

---maintaining the accuracy of the information stored or processed.

Need for Privacy.

Americans are becoming increasingly concerned about threats to their personal privacy resulting from wider use of information technology to collect, maintain, and manipulate personal information. A poll conducted in 1970 showed that only 33 percent of respondents were concerned about personal privacy.[3] By 1990 polls, that proportion had risen to 79 percent.[4]

Although advancing technology can create new opportunities for misuse, the real problem lies in the lack of adequate management controls over those with access to personal records. For example, in a recent well-publicized case, the U.S. Attorneys announced the arrest of over two dozen individuals who engaged in schemes to buy and sell information from Social Security Administration (SSA) computer files.[5] Most of those arrested were current or former employees of the SSA or the Department of Health and Human Services' Office of Inspector General. This case brought to the public's attention the fact that SSA employees in over 1,300 offices all across the country have unrestricted access to over 130 million records on working Americans. In another case, HHS's Inspector General found social security number fraud: An SSA employee had used social security numbers taken from the SSA records to obtain and establish credit.[6]

Giving increased attention to personal privacy policies and procedures would allow the federal government to better represent American business interests abroad, particularly in Europe, where privacy protection approaches differ from U.S. approaches.[7] Information, and the records associated with this information, is a global commodity, which readily flows across international borders. Trade conflicts and issues may arise for U.S. businesses when dealing with the privacy laws of other countries, such as the recent privacy laws advocated within the European Community for transborder flow of information.

Need for Security.

As society becomes more dependent on computers and computer communications systems for the conduct of business, government, and personal matters, it relies more on the availability, confidentiality, and integrity of the information these systems process. Information security has become especially important for applications such as electronic transactions where accuracy, authentication, or secrecy are essential.

OMB estimates that by 2000 approximately 75 percent of public transactions will be processed electronically.[8] The private sector already uses electronic transactions widely. One trillion dollars in worldwide banking and financial transactions occur each day.[9] Yet the best security systems in use today lose money, credit and financial reports, and private and proprietary data due to electronically perpetrated theft and unauthorized browsing. For example, in the United States, computer crime losses alone total $15 billion per year.[10] These losses are minor when compared to potential losses from harmful and illegal acts such as service disruption, terrorism, and industrial espionage. The cost could be billions for a single debilitating disruption of service or criminal act.

More than dollar losses are at stake. In distributed, electronically based information systems, if access controls and security concerns are not addressed as government proceeds with reinvention, vulnerabilities to U.S. national security may be inadvertently created by making information readily available to foreign governments, competitors, or criminals.[11] Finally, large-scale service disruptions could adversely affect recipients of federal benefits and information-based services of all kinds.

Actions

A division between sensitive unclassified and classified information is statutorily mandated by the 1987 Computer Security Act. The following actions use existing privacy and security boards, councils, and groups. Exceptions are two near-term task forces to develop high priority, essential standards or generally acceptable principles needed for rapid progress in creating an electronic government.

1. Establish a Privacy Organization. (3)

The President should direct the Information Infrastructure Task Force to advise on the establishment of a Privacy Organization within the executive branch to serve as a focal point for both public and private sector privacy issues. Such an organization would advise the President on privacy issues and concerns affecting Federal agencies; assist Federal agencies in identifying and resolving privacy issues related to the implementation of their programs; coordinate U.S. privacy policy with international organizations and foreign governments; and assist and advise State, local, tribal governments and private sector organizations with privacy issues and concerns.

The IITF should provide the President with specific recommendations about the placement, membership, authority, powers, duties (including budget and legislative relationships), and staff size of such an organization. If establishment of such an organization can be accomplished by executive order, the IITF should create a draft executive order for presidential approval. If specific legislation is needed, the IITF should provide a draft of such proposed legislation. In developing either or both methods of establishing such an organization, the IITF should seek comment from experts in both the public and private sectors.

2. Establish uniform privacy protection practices and generally acceptable implementation methods for these practices. (2)

By July 1994, the IITF should direct the creation of an interagency task force to create uniform privacy protection practices for information systems and generally acceptable implementation methods for these practices. The task force should include membership from the Departments of Justice, Treasury, Commerce, Defense, Energy, Health and Human Services, Education, and State; OMB; and the Office of Science and Technology Policy, and should solicit participation and input from groups such as business, consumer, computer science, telecommunications, civil liberties, and state and local governments.

OMB should have a coordination and advisory role, and the chair should be selected from the participating federal agencies. The task force should be directed to prepare a report within 12 months following its creation that details uniform privacy protection practices and provides generally acceptable implementation methods for these practices. Methods for implementing the uniform privacy protection practices may differ by sector, e.g., health care, personnel, or law enforcement. These practices and methods should be viewed as the recommended privacy standards federal agencies will follow and the private sector will consider.

The direction to the task force should require that the generally acceptable implementation methods aggressively use information technology--including the use of distributed interconnected systems--and should effectively use technology to balance government's responsibility to provide individuals a reasonable degree of control of information about themselves and appropriate confidentiality with government's desire for efficient and high-quality recordkeeping; detection and prevention of fraud, waste, and abuse; and effective law enforcement investigations.

OMB should issue new guidance (e.g., a circular), within six months of receiving the task force's final report. This guidance will adopt, for use governmentwide, uniform privacy protection standards and generally acceptable implementation methods as set forth in that report.

3. Develop standard encryption capabilities and digital signatures for sensitive unclassified data. (2)

The National Institute of Standards and Technology (NIST), in coordination with OMB and with technical assistance from the National Security Agency (NSA), should issue a final digital signature standard by December 1994. NIST, in coordination with OMB and with technical assistance from NSA, should also create opportunities for industry to develop the encryption capabilities required for protection of networked distributed systems. NIST should then make that information available to federal managers. A high priority should also be given to finalizing and promulgating digital encryption standards and security protocol standards.

4. Develop generally accepted principles and practices for information security. (2)

NIST, in coordination with OMB and with technical assistance from NSA, should plan and coordinate the development of generally accepted principles and practices for information security which are to be applied in the use, protection, and design of government information and data systems, particularly front-line systems for electronically delivering service to citizens. Draft guidance should be issued by September 1994. More than one set of generally accepted principles and practices may be required for the affected communities.

5. Develop a national crisis response clearinghouse. (2)

By September 1994, NIST, in coordination with OMB and with technical assistance from NSA, should promulgate better security information to the existing group of agency crisis response teams. This clearinghouse should address security problems including collection, analysis, and technical vulnerability assessment. It would also disseminate information about incidents governmentwide. The mission of this clearinghouse would be to serve as a broker of computer security crisis information and of computer security resources. This can be accomplished by expanding the role of the NIST program and by formalizing Memoranda of Agreement that facilitate networking and coordination among various existing independent crisis response bodies.

6. Emphasize the need for information security in sensitive unclassified systems. (2)

OMB and NIST, with technical assistance from NSA, should (1) improve planning capabilities for security by requiring an information security plan to be part of each agency's strategic IT plan; (2) identify computer security as a material weakness in the Federal Managers Financial Integrity Act report if it does not meet established thresholds; (3) require employees and contractors to complete awareness and training; (4) improve planning for contingencies; and (5) establish and employ formal contingency response capabilities. These requirements should be included in future revisions to OMB Circular No. A-130, Management of Federal Information Resources, to be issued no later than December 1994.

7. Reevaluate security practices related to national security data. (2)

By December 1994, the PRD Task Force--chaired by the Information Security Oversight Office, in cooperation with the Joint Security Commission, and the National Advisory Group for Security Countermeasures--should aggressively pursue a reevaluation of information security and information systems security practices. These groups should also examine classification and safeguard practices for the purposes of improving security within rapidly changing technological and threat environments. This reevaluation should be accomplished within the context of the Presidential Review Directives on national security information and advanced telecommunications and encryption, as well as the Presidential Decision Directive on public encryption management.

8. Foster the industry-government partnership for improving services and security in public telecommunications.[12] (2)

Since government relies heavily on public telecommunications systems (e.g., about 90 percent of DOD's telecommunications are provided by public carriers), improved security, integrity, and assurance of services is crucial. Electronic government will rely even more heavily on public carrier telecommunications for services. Fostering this relationship includes the following:

---The voluntary and cooperative development of a unified concept of operational security for new technological developments such as universal personal telecommunications. The universal personal telecommunications concept provides personal telecommunications services regardless of location, terminal, or network access point. For example, individuals are assigned a unique personal network number so that services may reach them anytime and anywhere in the network. Within this context, the standards community needs to address the issues of national security, emergency preparedness, priority, access, fraud, and information privacy. The National Communications System should work through the National Security Telecommunications Advisory Committee, with technical assistance from NSA and NIST, to foster government and industry liaison for developing security for Universal Personal Telecommunications capabilities and ensure National Security/Emergency Preparedness.

---The development and issuance of appropriate technical information bulletins for shared industry use that address security assessments of wireless access to commercial systems. The National Communications System and the Federal Communications Commission, working with public telecommunications services providers, should ensure information bulletins address all telecommunications threats.

---Working with industry to cooperatively improve security, integrity, and availability of the public switched network (PSN) provided by the telecommunications industry. The National Communications System and industry, through the National Security Telecommunications Advisory Committee and its supporting groups, should foster conducting vulnerability assessments, sharing lessons learned, identifying improvements in legislation to protect PSNs, reporting on vulnerability incidents, and research on telecommunications security areas.

9. Implement the National Industrial Security Program. (2)

The Information Security Oversight Office, currently in GSA, should aggressively continue to work with industrial organizations under contract with the government to ensure the protection of classified information while reducing costs and redundant requirements and improving efficiency as described in Executive Order 12829, January 8, 1993, National Industrial Security Program (NISP).[13] This office, along with the Secretary of Defense, Secretary of Energy, and Director of Central Intelligence, should continue to work cooperatively with industry to implement the NISP. The following should be considered as a minimum: publication of a NISP operating manual; development of cost collection and tracking mechanisms; development of governmentwide standardized background investigation forms and processes, as appropriate; standardized policy on reciprocity of investigations and inspections; portability of security clearances across agencies; development of uniform, standardized training and education requirements for industry and associated curricula and competency evaluation for government industrial security representatives; and the implementation and enforcement of NISP standards.

10. Develop a comprehensive Internet security plan. (2)

The existing interagency team, the Federal Networking Council, chaired by the National Science Foundation (NSF), should, in consultation with NIST and OMB, develop and promulgate a Federal Internet Umbrella Security Plan, by November 1994, for interconnecting the federal IT community with appropriate state, local, commercial, public and private, and foreign government activities. Such a global architecture should allow for security differences between networks. Use of layered protocol standards and techniques can be employed with a range or set of security service standards with appropriate gateway protection devices so that small restricted communities and large open communities can safely interoperate. The security architecture should identify, as a minimum, the grades of services offered, how each is implemented and assured, how interconnections between networks should be made, and what can be done for those users not adequately served by any of the agreed-upon standard grades of service.

11. Coordinate security research and development. (2)

The GITS Working Group should direct NIST, in coordination with OMB and with technical assistance from NSA, and the Office of Science and Technology Policy's Federal Coordinating Council on Science, Engineering, and Technology, to coordinate the development of a governmentwide plan for security research and development (R&D). The plan should be completed by December 1995. It should provide a baseline assessment of the current R&D investment in privacy and security. The plan should address development and prototyping of the next generation of information systems within the context of appropriate, adequate security and individual privacy features. The plan should also describe a process for continuous technology improvement or advancement, which includes evolving basic research into technology development and prototyping initiatives followed by the introduction of mature features into operational systems. Finally, the plan should recommend prototyping experiments to accelerate use of new technologies in trusted systems and systems having individual privacy protection features.


1. "On PINs and Needles Over ATMs," Washington Post (May 21, 1993), pp. G1, G8, and "ATM Scams; High-Tech Caper Prompts Banks to Step Up Security," The Hartford Courant (July 11, 1993), p. D1.

2. U.S. Congress, Office of Technology Assessment (OTA), Federal Government Information Technology: Electronic Record Systems and Individual Privacy, OTA-CIT-296 (Washington, D.C., June 1986); The Report of the Privacy Protection Study Commission, Personal Privacy in an Information Society (Washington, D.C.: U.S. Government Printing Office, July 1977); and U.S. Congress, Office of Technology Assessment, Defending Secrets, Sharing Data: New Locks and Keys for Electronic Information, OTA-CIT-310 (Washington, D.C., October 1987).

3. Piller, Charles, "Special Report: Workplace and Consumer Privacy Under Siege," MacWorld (July 1993), pp. 1-14.

4. See Westin, Alan F., and Louis Harris and Associates, The Equifax Report on Consumers in the Information Age (Columbia University, 1990).

5. U.S. Congress, House, Committee on Ways and Means, Subcommittee on Social Security, "Illegal Disclosure of Social Security Earnings Information by Employees of the Social Security Administration and the Department of Health and Human Services' Office of Inspector General: Hearing," 102nd Congress, 2nd Session, Serial 102-131, September 24, 1992.

6. Ibid.

7. Congressional Record-House, H755-757, January 29, 1991.

8. U.S. General Accounting Office, Comptroller General's 1989 Annual Report: Facing Facts (Washington, D.C.: U.S. General Accounting Office, 1990), p. 28.

9. Adam, John A., "Special Report: Data Security," IEEE Spectrum (August 1992), pp. 18-44.

10. Illustrative Risks to the Public in the Use of Computer Systems and Related Technology, vol. 18 (Menlo Park, CA: SRI International, undated).

11. See OTA, Defending Secrets, Sharing Data: New Locks and Keys for Electronic Information, and Department of Defense Security Institute, "Security Awareness News: A Compilation of News Articles on Counterintelligence and Security," Richmond, VA, May 1993, pp. 2, 23.

12. The Office of the Manager, National Communications System, Technology and Standards Analysis Report, "Concept of Operations for NS/EP Applications of Universal Personal Telecommunications," May 1993.

13. Executive Order 12829, "National Industrial Security Program," Federal Register, vol. 58, no. 5 (January 8, 1993), pp. 3479-3483.
