Archive

A14: GUARANTEE PRIVACY AND SECURITY

CUSTOMERS DESERVE INTEGRITY, AVAILABILITY, AND CONFIDENTIALITY IN ALL ELECTRONIC TRANSACTIONS WITH THE FEDERAL GOVERNMENT

A businesswoman sends wage information to the government for tax and social security purposes. She can do so using a desktop computer without risking her employees' or company's privacy.

A small business owner applies for a federal loan over the company's office automation system using the Internet. The integrity of the loan application is maintained by digital authentication, and its confidentiality, by scrambling the information while it is being transmitted.

Interconnecting computers and databases -- integral to many of the Access America initiatives -- increases the need for privacy and security safeguards. Public confidence in the security of the government's electronic information and information technology is essential to creating government services that are more accessible, efficient, and easy to use. Electronic commerce, electronic mail, and electronic benefits transfer share sensitive information within government, between the government and private industry or individuals, and among governments. These electronic systems must protect the information's confidentiality, assure that the information is not altered in an unauthorized way, and be available when they are needed. A corresponding policy and management structure must support those protections. These systems must also be able to support the government's responsibilities to provide for national security, support law enforcement, enhance global competitiveness and productivity for U.S. business and industry, and protect privacy and civil liberties. All this must be done in a flexible, cost-effective manner, through a collaboration among the public, industry, academia, and the government.

This challenge was recognized in the September 1993 Report of the National Performance Review, which set out a series of actions to address it.¹  A great deal of progress has been made.

Information Privacy

One of the Nation's most important values is individual privacy. As with all areas of technology use, the challenges are not solely or even primarily technical ones. A policy and management infrastructure is needed.

In response to growing public concern, the Administration's Information Infrastructure Task Force (IITF) published Privacy Principles in June 1995 to guide future Administration privacy efforts.²  Developed with extensive consultation with the private sector, these principles were immediately endorsed by the private sector U.S. Advisory Council on the National Information Infrastructure.

Information Security

Many of the specific actions in the September 1993 Report involved information security. Progress on these actions includes:

• To enhance the performance of government and industry computer security incident response teams, the National Institute of Science and Technology (NIST) established the Computer Security Resource Clearinghouse to provide alert databases, and industry software patch and other technical information.
• To assist federal agencies in handling computer security incidents, NIST established the Federal Computer Incident Response Capability (FedCIRC) program to provide proactive and reactive computer security services.
• To promote security on the Internet, the Federal Networking Council published the first volume of the Draft Internet Security Plan in late 1995. Based on the findings of a May 1996 workshop, the second volume will be released in early 1997.³
• To promote computer security in federal agencies, OMB and NIST provided improved technical and policy guidance to federal agencies.⁴
• To foster an industry-government partnership for improving services and security in public telecommunications, the National Communications System, working closely with industry through the National Security Telecommunications Advisory Committee, drafted proposed legislation designed to improve public switched network (PSN) security, sponsored joint public-private fora for the exchange of network security information, and published studies in the areas of network analysis and threats to the PSN.
• To respond to changes brought about by the end of the cold war, Presidential Decision Directive 29, Security Policy Coordination (September 16, 1994), established the interagency Security Policy Board to formulate and oversee security policy for the protection of classified national security information. Executive Order 12958, “Classified National Security Information” (April 17, 1995), recast the classification system for national security information to be consistent with the new international environment.
• To ensure the protection and reduce the costs of classified information held by U.S. industry, the Information Security Oversight Office established the National Industrial Security Program. In October 1994, the Secretary of Defense issued the National Industrial Security Program Operating Manual that provides uniform security guidance and procedures to all agencies and their contractors.
• To coordinate security research and development, the Federal Networking Council established testbeds at several federal agencies that are coordinating research in such areas as public key infrastructures, advanced authentication, incident response, and secure Web technologies.

NEED FOR CHANGE

Although much has been accomplished, the dynamic changes in technology and its uses, the political and social climate, and potential threats to information systems only increase the urgency. The systems that support the initiatives in this report must be sufficiently reliable and trustworthy to gain the public's confidence. Without substantial progress on the security and privacy fronts, many of the initiatives will not realize their full potential of improving service to the public.

Particular attention is needed to protecting information privacy, and to making further progress in the use of cryptography to ensure the integrity and authentication of information.

ACTIONS

1. Create a privacy “champion” within the Government Information Technology Services (GITS) Board.

Given the importance of information privacy to the ideas in this report, the GITS Board should immediately add a member who has responsibility for ensuring that privacy issues are considered and addressed in all government wide information technology initiatives.

2. Complete the privacy work of the IITF.

By May 1997, the Information Policy Committee of the Information Infrastructure Task Force should publish for comment a discussion of the pros and cons of creating a permanent entity within the federal government that would focus on resolving privacy issues. The Committee should also determine how the Privacy Principles can be further publicized and formalized.

3. Accelerate work on digital signatures and encryption.

The Federal Public Key Infrastructure Steering Committee, under the direction of the Interagency Working Group on Cryptography Policy (IWG), should expand its demonstrations of the practicability of a key management infrastructure that supports the use of digital signatures and, for confidentiality keys, the use of key recovery. The demonstration should include the core set of electronic self-service transactions identified by the GITS Board. (See Action A01.1.) The IWG should provide a progress report on the demonstration projects by December 1997.

ENDNOTES

¹ That Report stated that in order to have trustworthy, readily available information, and computer systems that are user-friendly, secure, and protective of individual privacy, those systems must: safeguard information, facilities, information systems, and networks against illegal or unauthorized access, modification, or disclosure; balance access to agency information and records with appropriate privacy controls; respect private ownership of information and comply with policies and disclosure procedures for government use of individual information; and incorporate privacy and security safeguards early in the design of the system. "Reengineering Through Information Technology," Accompanying Report of the National Performance Review, September 1993.

² PRINCIPLES FOR PROVIDING AND USING PERSONAL INFORMATION

National Information Infrastructure Task Force, June 1995

General Principles for All National Information Infrastructure Participants

Personal information should be acquired, disclosed, and used only in ways that respect an individual's privacy.

Personal information should not be improperly altered or destroyed.

Personal information should be accurate, timely, complete, and relevant for the purpose for which it is provided and used.

Principles for Users of Personal Information

Information users should:

• assess the impact on privacy in deciding whether to acquire, disclose, or use personal information.
• acquire and keep only information reasonably expected to support current or planned activities.

• why they are collecting the information;
• what the information is expected to be used for;
• what steps will be taken to protect its confidentiality, integrity, and quality;
• the consequences of providing or withholding information; and
• any rights of redress.

Information users should use appropriate technical and managerial controls to protect the confidentiality and integrity of personal information.

Information users should not use personal information in ways that are incompatible with the individual's understanding of how it will be used, unless there is a compelling public interest for such use.

Information users should educate themselves and the public about how information privacy can be maintained.

Principles for Individuals Who Provide Personal Information

Individuals should obtain adequate, relevant information about:

• why the information is being collected;
• what the information is expected to be used for;
• what steps will be taken to protect its confidentiality, integrity, and quality;
• the consequences of providing or withholding information; and
• any rights of redress.

Individuals should be able to safeguard their own privacy by having:

• a means to obtain their personal information;
• a means to correct their personal information that lacks sufficient quality to ensure fairness in its use;
• the opportunity to use appropriate technical controls, such as encryption, to protect the confidentiality and integrity of communications and transactions; and
• the opportunity to remain anonymous when appropriate.

Individuals should, as appropriate, have a means of redress if harmed by an improper disclosure or use of personal information.

³ The plans are accessible on the Federal Networking Council's home page at http://www.fnc.gov.

⁴ OMB revised Appendix III, Security of Federal Automated Information, of OMB Circular A-130, “Management of Federal Information Resources,“   February 1996. The new Appendix: (1) requires agencies to include information security as part of each agency's strategic IT plan; (2) includes computer security issues as a material weakness in the Federal Managers Financial Integrity Act report; (3) requires employees and contractors to complete awareness training; (4) improves planning for contingencies; and (5) establishes and employs formal emergency response capabilities.

NIST published Special Publication 800-14, “Generally Accepted Principles and Practices for Securing Information Technology Systems”   in September 1996. In the encryption area, NIST developed, and the Secretary of Commerce approved and issued, the Secure Hash (FIPS 180) and Digital Signature (FIPS 186) Standards, the Data Encryption Standard (FIPS 46) and the Key Escrow Standard (FIPS 185).

These documents and other information security reference materials can be found on the Computer Security Resource Clearinghouse World Wide Web site at http://csrc.nist.gov.