From CPSR: U.S. wants to outlaw the use & export of cryptography

      |                                                  |
      |          This information brought to you by      |
      |                                                  |
      |                _  | |_  o  _  ,_                 |
      |               (_|_|_|_)_|_(_)_| )                |
      |                                                  |
      |          as a service to the cybercommunity.     |
      |                                                  |

Dear Friends:

Once again the U.S. government is embarked upon a campaign to restrict
our personal freedom on the electronic frontier.  This time, the FBI &
NSA are asking the Congress to severely restrict the use of cryptography
in digital communications so that their electronic eavesdropping may
continue to be effective.  (Recall the recent arrest of Acid Phreak,
Fiber Optik, & the rest, where the authorities used wiretaps to
intercept their digital transmissions?)  _Boardwatch_ magazine described
it this way:

        The proposed law would ban the use of secure cryptography on any
        message handled by a computerized communications network.  It
        would further force service providers to build access points
        into their equipment through which the FBI--& conceivably any
        police officer at any level--could eavesdrop on any conversation
        without ever leaving the comfort of headquarters.

I recommend that all U.S. citizens educate themselves on this issue &
contact their elected representatives NOW, before the proposal becomes
law.  Remember, as a regular user of digital communications media, you
are far better equipped to understand the threat this poses to our
privacy than the average member of Congress;  it is up to you to educate

Here are some places to go for further information:  _Boardwatch_
magazine, September 1992 ("FBI Seeks to Outlaw Cryptography" & "Pretty
Good Privacy Version 2.0--Free Cryptography Software") for information
about the proposed legislation;  _2600_, Winter 1992 ("crypt() source")
& Spring 1992 ("UNIX Password Hacker"), for a discussion of defeating
UNIX encryption; & a recent issue of _Scientific American_ (sorry, no
reference handy), which contains a detailed description of one possible
method for using encryption to validate electronic signatures for bank
transactions & the like.

What follows is a recent mailing from CPSR concerning the current debate
over encryption.



Sender: Computer Professionals for Social Responsibility
From: David Sobel <dsobel@washofc.cpsr.org>
Subject:      CPSR Letter on Crypto Polic
X-To:         CPSR List <cpsr@gwuvm.gwu.edu>
To: Multiple recipients of list CPSR <CPSR%GWUVM.BITNET@pucc.Princeton.EDU>

  CPSR Letter on Crypto Policy

The following is the text of a letter Computer Professionals for Social
Responsibility (CPSR) recently sent to Rep. Jack Brooks, chairman of
the House Judiciary Committee.  The letter raises several issues concerning
computer security and cryptography policy.  For additional information on
CPSR's activities in this area, contact banisar@washofc.cpsr.org.   For
information concerning CPSR generally (including membership information),
contact cpsr@csli.stanford.edu.


August 11, 1992

Representative Jack Brooks
House Judiciary Committee
2138 Rayburn House Office Bldg.
Washington, DC 20515-6216

Dear Mr. Chairman:

     Earlier this year, you held hearings before the Subcommittee on
Economic and Commercial Law on the threat of foreign economic espionage
to U.S. corporations.  Among the issues raised during the hearings were the
future of computer security authority and the efforts of government
agencies to restrict the use of new technologies, such as cryptography.

     As a national organization of computer professionals interested in the
policies surrounding civil liberties and privacy, including computer
security and cryptography, CPSR supports your efforts to encourage public
dialogue of these matters.  Particularly as the United States becomes
more dependent on advanced network technologies, such as cellular
communications, the long-term impact of proposed restrictions on
privacy-enhancing techniques should be carefully explored in a public

     When we had the opportunity to testify before the Subcommittee on
Legislation and National Security in May 1989 on the enforcement of the
Computer Security Act of 1987, we raised a number of these issues.  We
write to you now to provide new information about the role of the National
Security Agency in the development of the Digital Signature Standard and
the recent National Security Directive on computer security authority.
The information that we have gathered suggests that further hearings are
necessary to assess the activities of the National Security Agency since
passage of the Computer Security Act of 1987.

The National Security Agency
and the Digital Signature Standard

     Through the Freedom of Information Act, CPSR has recently learned
that the NSA was the driving force behind the selection and development
of the Digital Signature Standard (DSS).  We believe that the NSA's actions
contravene the Computer Security Act of 1987.  We have also determined
that the National Institute of Standards and Technology (NIST) attempted
to shield the NSA's role in the development of the DSS from public

     The Digital Signature Standard will be used for the authentication of
computer messages that travel across the public computer network.  Its
development was closely watched in the computer science community.
Questions about the factors leading to the selection of the standard were
raised by a Federal Register notice, 56 Fed. Reg. 42, (Aug 30, 1991), in
which NIST indicated that it had considered the impact of the proposed
standard on "national security and law enforcement," though there was no
apparent reason why these factors might be considered in the development
of a technical standard for communications security.

     In August 1991, CPSR filed a FOIA request with the National Institute
of Standards and Technology seeking all documentation relating to the
development of the DSS.  NIST denied our request in its entirety.  The
agency did not indicate that they had responsive documents from the
National Security Agency in their files, as they were required to do under
their own regulations.  15 C.F.R. Sec. 4.6(a)(4) (1992).  In October 1991,
filed a similar request for documents concerning the development of the
DSS with the Department of Defense.  The Department replied that they
were forwarding the request to the NSA, from whom we never received
even an acknowledgement of our request.

     In April 1992, CPSR filed suit against NIST to force disclosure of the
documents.  CPSR v. NIST, et al., Civil Action No. 92-0972-RCL (D.D.C.).  As
a result of that lawsuit, NIST released 140 out of a total of 142 pages.
Among those documents is a memo from Roy Saltman to Lynn McNulty
which suggests that there were better algorithms available than the one
NIST eventually recommended for adoption. If that is so, why did NIST
recommend a standard that its own expert believed was inferior?

     Further, NIST was required under Section 2 of the Computer Security
Act to develop standards and guidelines to "assure the cost-effective
security and privacy of sensitive information in federal systems."
However, the algorithm selected by NIST as the DSS was purposely
designed to minimize privacy protection: its use is limited to message
authentication.  Other algorithms that were considered by NIST included
both the ability to authenticate messages and the capability to
incorporate privacy-enhancing features.  Was NSA's interest in
communication surveillance one of the factors that led to the NIST
decision to select an algorithm that was useful for authentication, but not
for communications privacy?

     Most significantly, NIST also disclosed that 1,138 pages on the DSS
that were created by the NSA were in their files and were being sent back
to the NSA for processing.  Note that only 142 pages of material were
identified as originating with NIST.  In addition, it appears that the
for the DSS is filed in the name of an NSA contractor.

     The events surrounding the development of the Digital Signature
Standard warrant further Congressional investigation.  When Congress
passed the Computer Security Act, it sought to return authority for
technical standard-setting to the civilian sector.  It explicitly rejected
the proposition that NSA should have authority for developing technical

     Since work on technical standards represents virtually
     all of the research effort being done today, NSA would
     take over virtually the entire computer standards job
     from the [National Institute of Standards and
     Technology].  By putting the NSA in charge of developing
     technical security guidelines (software, hardware,
     communications), [NIST] would be left with the
     responsibility for only administrative and physical
     security measures -- which have generally been done
     years ago.  [NIST], in effect, would on the surface be
     given the responsibility for the computer standards
     program with little to say about the most important part
     of the program -- the technical guidelines developed by

Government Operation Committee Report at 25-26, reprinted in 1988 U.S.
Code Cong. and Admin. News at 3177-78.  See also Science Committee
Report at 27, reprinted in 1988 U.S.C.A.N. 3142.

     Despite the clear mandate of the Computer Security Act, NSA does,
indeed, appear to have assumed the lead role in the development of the
DSS.  In a letter to MacWeek magazine last fall, NSA's Chief of Information
Policy acknowledged that the Agency "evaluated and provided candidate
algorithms including the one ultimately selected by NIST."  Letter from
Michael S. Conn to Mitch Ratcliffe, Oct. 31, 1991.  By its own admission,
NSA not only urged the adoption of the DSS -- it actually "provided" the
standard to NIST.

     The development of the DSS is the first real test of the effectiveness
of the Computer Security Act.  If, as appears to be the case, NSA was able
to develop the standard without regard to recommendations of NIST, then
the intent of the Act has clearly been undermined.

     Congress' intent that the standard-setting process be open to public
scrutiny has also been frustrated.  Given the role of NSA in developing the
DSS, and NIST's refusal to open the process to meaningful public scrutiny,
the public's ability to monitor the effectiveness of the Computer Security
Act has been called into question.

     On a related point, we should note that the National Security Agency
also exercised its influence in the development of an important standard
for the digital cellular standards committee.  NSA's influence was clear in
two areas.  First, the NSA ensured that the privacy features of the
proposed standard would be kept secret.  This effectively prevents public
review of the standard and is contrary to principles of scientific research.

The NSA was also responsible for promoting the development of a standard
that is less robust than other standards that might have been selected.
This is particularly problematic as our country becomes increasingly
dependent on cellular telephone services for routine business and personal

     Considering the recent experience with the DSS and the digital cellular
standard, we can anticipate that future NSA involvement in the technical
standards field will produce two results: (1) diminished privacy
protection for users of new communications technologies, and (2)
restrictions on public access to information about the selection of
technical standards.  The first result will have severe consequences for
the security of our advanced communications infrastructure.  The second
result will restrict our ability to recognize this problem.

     However, these problems were anticipated when Congress first
considered the possible impact of President Reagan's National Security
Decision Directive on computer security authority, and chose to develop
legislation to promote privacy and security and to reverse efforts to limit
public accountability.

National Security Directive 42

      Congressional enactment of the Computer Security Act was a response
to President Reagan's issuance of National Security Decision Directive
("NSDD") 145 in September 1984.  It was intended to reverse an executive
policy that enlarged classification authority and permitted the
intelligence community broad say over the development of technical
security standards for unclassified government and non-government
computer systems and networks.  As noted in the committee report, the
original NSDD 145 gave the intelligence community new authority to set
technical standards in the private sector:

     [u]nder this directive, the Department of Defense (DOD)
     was given broad new powers to issue policies and
     standards for the safeguarding of not only classified
     information, but also other information in the civilian
     agencies and private sector which DOD believed should be
     protected.  The National Security Agency (NSA), whose
     primary mission is one of monitoring foreign
     communications, was given the responsibility of
     managing this program on a day-to-day basis.

H. Rep. No. 153 (Part 2), 100th Cong., 1st Sess. 6 (1987).  The legislation
was specifically intended to override the Presidential directive and to
"greatly restrict these types of activities by the military intelligence
agencies ... while at the same time providing a statutory mandate for a
strong security program headed up by [NIST], a civilian agency."  Id. at 7.

     President Bush issued National Security Directive ("NSD") 42 on July 5,
1990.  On July 10, 1990, Assistant Secretary of Defense Duane P. Andrews
testified before the House Subcommittee on Transportation, Aviation, and
Materials on the contents of the revised NSD.  The Assistant Secretary
stated that "the new policy is fully compliant with the Computer
Security Act of 1987 (and the Warner Amendment) and clearly delineates
the responsibilities within the Federal Government for national security

     On August 27, 1990, CPSR wrote to the Directorate for Freedom of
Information of the Department of Defense and requested a copy of the
revised NSD, which had been described by an administration official at the
July hearing but had not actually been disclosed to the public.  CPSR
subsequently sent a request to the National Security Council seeking the
same document.  When both agencies failed to reply in a timely fashion,
CPSR filed suit seeking disclosure of the Directive. CPSR v. NSC, et al.,
Civil Action No. 91-0013-TPJ (D.D.C.).

     The Directive, which purports to rescind NSDD 145, was recently
disclosed as a result of this litigation CPSR initiated against the National
Security Council.

     The text of the Directive raises several questions concerning the
Administration's compliance with the Computer Security Act:

     1. The new NSD 42 grants NSA broad authority over "national security
systems."  This phrase is not defined in the Computer Security Act and
raises questions given the expansive interpretation of "national security"
historically employed by the military and intelligence agencies and the
broad scope that such a term might have when applied to computer
systems within the federal government.

     If national security now includes international economic activity, as
several witnesses at your hearings suggested, does NSD 42 now grant NSA
computer security authority in the economic realm?  Such a result would
clearly contravene congressional intent and eviscerate the distinction
between civilian and "national security" computer systems.

     More critically, the term "national security systems" is used
throughout the document to provide the Director of the National Security
Agency with broad new authority to set technical standards.  Section 7 of
NSD 42 states that the Director of the NSA, as "National Manager for
National Security Telecommunications and Information Systems Security,"

     * * *

     c. Conduct, *approve*, or endorse research and
     development of techniques and equipment to secure
     national security systems.

     d. Review and *approve* all standards, techniques,
     systems, and equipment, related to the security of
     national security systems.

     * * *

     h. Operate a central technical center to evaluate and
     *certify* the security of national security
     telecommunications and information systems.

(Emphasis added)

     Given the recent concern about the role of the National Security Agency
in the development of the Digital Signature Standard, it is our belief that
any standard-setting authority created by NSD 42 should require the most
careful public review.

     2. NSD 42 appears to grant the NSA new authority for information
security.  This is a new area for the agency; NSA's role has historically
been limited to communications security.  Section 4 of the directive
provides as follows:

     The National Security Council/Policy Coordinating
     Committee (PCC) for National Security
     Telecommunications, chaired by the Department of Defense, under the
     authority of National Security Directives 1 and 10,
     assumed the responsibility for the National Security
     Telecommunications NSDD 97 Steering Group.  By
     authority of this directive, the PCC for National Security
     Telecommunications is renamed the PCC for National
     Security Telecommunications and Information Systems,
     and shall expand its authority to include the
     responsibilities to protect the government's national
     security telecommunications and information systems.

(Emphasis added).

     Thus, by its own terms, NSD 42 "expands" DOD's authority to include
"information systems."  What is the significance of this new authority?
Will it result in military control of systems previously deemed to be

     3. NSD 42 appears to consolidate NSTISSC (The National Security
Telecommunications and Information Systems Security Committee)
authority for both computer security policy and computer security budget

     According to section 7 of the revised directive, the National Manager
for NSTISSC shall:

     j. Review and assess annually the national security
     telecommunications systems security programs and
     budgets of Executive department and agencies of the U.S.
     Government, and recommend alternatives, where
     appropriate, for the Executive Agent.

     NTISSC has never been given budget review authority for federal
agencies.  This is a power, in the executive branch, that properly resides
in the Office of Management and Budget.  There is an additional concern
that Congress's ability to monitor the activities of federal agencies may
be significantly curtailed if this NTISSC, an entity created by presidential
directive, is permitted to review agency budgets in the name of national

     4. NSD 42 appears to weaken the oversight mechanism established by
the Computer Security Act.  Under the Act, a Computer Systems Security
and Privacy Advisory Board was established to identify emerging issues,
to inform the Secretary of Commerce, and to report findings to the
Congressional Oversight Committees.  Sec. 3, 15 U.S.C. Sec. 278g-4(b).

     However, according to NSD 42, NSTISSC is established "to consider
technical matters and develop operating policies, procedures, guidelines,
instructions, and standards as necessary to implement provisions of this
Directive."  What is the impact of NSTISSC authority under NSD 42 on the
review authority of the Computer Systems Security and Privacy Advisory
Board created by the Computer Security Act?


     Five years after passage of the Computer Security Act, questions
remain about the extent of military involvement in civilian and private
sector computer security.  The acknowledged role of the National Security
Agency in the development of the proposed Digital Signature Standard
appears to violate the congressional intent that NIST, and not NSA, be
responsible for developing security standards for civilian agencies.  The
DSS experience suggests that one of the costs of permitting technical
standard setting by the Department of Defense is a reduction in
communications privacy for the public.  The recently released NSD 42
appears to expand DOD's security authority in direct contravention of the
intent of the Computer Security Act, again raising questions as to the role
of the military in the nation's communications network.

     There are also questions that should be pursued regarding the National
Security Agency's compliance with the Freedom of Information Act.  Given
the NSA's increasing presence in the civilian computing world, it is simply
unacceptable that it should continue to hide its activities behind a veil of
secrecy.  As an agency of the federal government, the NSA remains
accountable to the public for its activities.

     We commend you for opening a public discussion of these important
issues and look forward to additional hearings that might address the
questions we have raised.


                                                     Marc Rotenberg,
                                                     CPSR Washington Office

