TUCoPS :: Crypto :: crypto_1.txt

CPSR letter on cryptography policy


  CPSR Letter on Crypto Policy

The following is the text of a letter Computer Professionals for Social
Responsibility (CPSR) recently sent to Rep. Jack Brooks, chairman of the House
Judiciary Committee.  The letter raises several issues concerning computer
security and cryptography policy.  For additional information on CPSR's
activities in this area, contact banisar@washofc.cpsr.org.   For information
concerning CPSR generally (including membership information), contact
cpsr@csli.stanford.edu.

====================================================

August 11, 1992

Representative Jack Brooks Chairman House Judiciary Committee 2138 Rayburn
House Office Bldg. Washington, DC 20515-6216

Dear Mr. Chairman:

     Earlier this year, you held hearings before the Subcommittee on Economic
and Commercial Law on the threat of foreign economic espionage to U.S.
corporations.  Among the issues raised during the hearings were the future of
computer security authority and the efforts of government agencies to restrict
the use of new technologies, such as cryptography.

     As a national organization of computer professionals interested in the
policies surrounding civil liberties and privacy, including computer security
and cryptography, CPSR supports your efforts to encourage public dialogue of
these matters.  Particularly as the United States becomes more dependent on
advanced network technologies, such as cellular communications, the long-term
impact of proposed restrictions on privacy-enhancing techniques should be
carefully explored in a public forum.

     When we had the opportunity to testify before the Subcommittee on
Legislation and National Security in May 1989 on the enforcement of the
Computer Security Act of 1987, we raised a number of these issues.  We write to
you now to provide new information about the role of the National Security
Agency in the development of the Digital Signature Standard and the recent
National Security Directive on computer security authority. The information
that we have gathered suggests that further hearings are necessary to assess
the activities of the National Security Agency since passage of the Computer
Security Act of 1987.

The National Security Agency and the Digital Signature Standard

     Through the Freedom of Information Act, CPSR has recently learned that the
NSA was the driving force behind the selection and development of the Digital
Signature Standard (DSS).  We believe that the NSA's actions contravene the
Computer Security Act of 1987.  We have also determined that the National
Institute of Standards and Technology (NIST) attempted to shield the NSA's role
in the development of the DSS from public scrutiny.

     The Digital Signature Standard will be used for the authentication of
computer messages that travel across the public computer network.  Its
development was closely watched in the computer science community. Questions
about the factors leading to the selection of the standard were raised by a
Federal Register notice, 56 Fed. Reg. 42, (Aug 30, 1991), in which NIST
indicated that it had considered the impact of the proposed standard on
"national security and law enforcement," though there was no apparent reason
why these factors might be considered in the development of a technical
standard for communications security.

     In August 1991, CPSR filed a FOIA request with the National Institute of
Standards and Technology seeking all documentation relating to the development
of the DSS.  NIST denied our request in its entirety.  The agency did not
indicate that they had responsive documents from the National Security Agency
in their files, as they were required to do under their own regulations.  15 C.
F.R. Sec. 4.6(a)(4) (1992).  In October 1991, we filed a similar request for
documents concerning the development of the DSS with the Department of Defense.
The Department replied that they were forwarding the request to the NSA, from
whom we never received even an acknowledgement of our request.

     In April 1992, CPSR filed suit against NIST to force disclosure of the
documents.  CPSR v. NIST, et al., Civil Action No. 92-0972-RCL (D.D.C.).  As

a result of that lawsuit, NIST released 140 out of a total of 142 pages. Among
those documents is a memo from Roy Saltman to Lynn McNulty which suggests that
there were better algorithms available than the one NIST eventually recommended
for adoption. If that is so, why did NIST recommend a standard that its own
expert believed was inferior?

     Further, NIST was required under Section 2 of the Computer Security Act to
develop standards and guidelines to "assure the cost-effective security and
privacy of sensitive information in federal systems." However, the algorithm
selected by NIST as the DSS was purposely designed to minimize privacy
protection: its use is limited to message authentication.  Other algorithms
that were considered by NIST included both the ability to authenticate messages
and the capability to incorporate privacy-enhancing features.  Was NSA's
interest in communication surveillance one of the factors that lead to the NIST
decision to select an algorithm that was useful for authentication, but not for
communications privacy?

     Most significantly, NIST also disclosed that 1,138 pages on the DSS that
were created by the NSA were in their files and were being sent back to the NSA
for processing.  Note that only 142 pages of material were identified as
originating with NIST.  In addition, it appears that the patent for the DSS is
filed in the name of an NSA contractor.

     The events surrounding the development of the Digital Signature Standard
warrant further Congressional investigation.  When Congress passed the Computer
Security Act, it sought to return authority for technical standard-setting to
the civilian sector.  It explicitly rejected the proposition that NSA should
have authority for developing technical guidelines:

     Since work on technical standards represents virtually
     all of the research effort being done today, NSA would
     take over virtually the entire computer standards job
     from the [National Institute of Standards and
     Technology].  By putting the NSA in charge of developing
     technical security guidelines (software, hardware,
     communications), [NIST] would be left with the
     responsibility for only administrative and physical
     security measures -- which have generally been done
     years ago.  [NIST], in effect, would on the surface be
     given the responsibility for the computer standards
     program with little to say about the most important part
     of the program -- the technical guidelines developed by
     NSA.

Government Operation Committee Report at 25-26, reprinted in 1988 U.S. Code
Cong. and Admin. News at 3177-78.  See also Science Committee Report at 27,
reprinted in 1988 U.S.C.A.N. 3142.

     Despite the clear mandate of the Computer Security Act, NSA does, indeed,
appear to have assumed the lead role in the development of the DSS.  In a
letter to MacWeek magazine last fall, NSA's Chief of Information Policy
acknowledged that the Agency "evaluated and provided candidate algorithms
including the one ultimately selected by NIST."  Letter from Michael S. Conn to
Mitch Ratcliffe, Oct. 31, 1991.  By its own admission, NSA not only urged the
adoption of the DSS -- it actually "provided" the standard to NIST.

     The development of the DSS is the first real test of the effectiveness of
the Computer Security Act.  If, as appears to be the case, NSA was able to
develop the standard without regard to recommendations of NIST, then the intent
of the Act has clearly been undermined.

     Congress' intent that the standard-setting process be open to public
scrutiny has also been frustrated.  Given the role of NSA in developing the
DSS, and NIST's refusal to open the process to meaningful public scrutiny, the
public's ability to monitor the effectiveness of the Computer Security Act has
been called into question.

     On a related point, we should note that the National Security Agency also
exercised its influence in the development of an important standard for the
digital cellular standards committee.  NSA's influence was clear in two areas. 
First, the NSA ensured that the privacy features of the proposed standard would
be kept secret.  This effectively prevents public review of the standard and is
contrary to principles of scientific research.

The NSA was also responsible for promoting the development of a standard that
is less robust than other standards that might have been selected. This is
particularly problematic as our country becomes increasingly dependent on
cellular telephone services for routine business and personal communication.

     Considering the recent experience with the DSS and the digital cellular

standard, we can anticipate that future NSA involvement in the technical
standards field will produce two results: (1) diminished privacy protection for
users of new communications technologies, and (2) restrictions on public access
to information about the selection of technical standards.  The first result
will have severe consequences for the security of our advanced communications
infrastructure.  The second result will restrict our ability to recognize this
problem.

     However, these problems were anticipated when Congress first considered
the possible impact of President Reagan's National Security Decision Directive
on computer security authority, and chose to develop legislation to promote
privacy and security and to reverse efforts to limit public accountability.

National Security Directive 42

      Congressional enactment of the Computer Security Act was a response to
President Reagan's issuance of National Security Decision Directive ("NSDD")
145 in September 1984.  It was intended to reverse an executive policy that
enlarged classification authority and permitted the intelligence community
broad say over the development of technical security standards for unclassified
government and non-government computer systems and networks.  As noted in the
committee report, the original NSDD 145 gave the intelligence community new
authority to set technical standards in the private sector:

     [u]nder this directive, the Department of Defense (DOD)
     was given broad new powers to issue policies and
     standards for the safeguarding of not only classified
     information, but also other information in the civilian
     agencies and private sector which DOD believed should be
     protected.  The National Security Agency (NSA), whose
     primary mission is one of monitoring foreign
     communications, was given the responsibility of
     managing this program on a day-to-day basis.

H. Rep. No. 153 (Part 2), 100th Cong., 1st Sess. 6 (1987).  The legislation was
specifically intended to override the Presidential directive and to "greatly
restrict these types of activities by the military intelligence agencies ...
while at the same time providing a statutory mandate for a strong security
program headed up by [NIST], a civilian agency."  Id. at 7.

     President Bush issued National Security Directive ("NSD") 42 on July 5,

1990.  On July 10, 1990, Assistant Secretary of Defense Duane P. Andrews
testified before the House Subcommittee on Transportation, Aviation, and
Materials on the contents of the revised NSD.  The Assistant Secretary stated
that the "the new policy is fully compliant with the Computer Security Act of
1987 (and the Warner Amendment) and clearly delineates the responsibilities
within the Federal Government for national security systems."

     On August 27, 1990, CPSR wrote to the Directorate for Freedom of
Information of the Department of Defense and requested a copy of the revised
NSD, which had been described by an administration official at the July hearing
but had not actually been disclosed to the public.  CPSR subsequently sent a
request to the National Security Council seeking the same document.  When both
agencies failed to reply in a timely fashion, CPSR filed suit seeking
disclosure of the Directive. CPSR v. NSC, et al., Civil Action No. 91-0013-TPJ
(D.D.C.).

     The Directive, which purports to rescind NSDD 145, was recently disclosed
as a result of this litigation CPSR initiated against the National

Security Council.

     The text of the Directive raises several questions concerning the
Administration's compliance with the Computer Security Act:

     1. The new NSD 42 grants NSA broad authority over "national security
systems."  This phrase is not defined in the Computer Security Act and raises
questions given the expansive interpretation of "national security"
historically employed by the military and intelligence agencies and the broad
scope that such a term might have when applied to computer systems within the
federal government.

     If national security now includes international economic activity, as
several witnesses at your hearings suggested, does NSD 42 now grant NSA
computer security authority in the economic realm?  Such a result would clearly
contravene congressional intent and eviscerate the distinction between civilian
and "national security" computer systems.

     More critically, the term "national security systems" is used throughout
the document to provide the Director of the National Security Agency with broad
new authority to set technical standards.  Section 7 of NSD 42 states that the
Director of the NSA, as "National Manager for National Security
Telecommunications and Information Systems Security," shall

     * * *

     c. Conduct, *approve*, or endorse research and
     development of techniques and equipment to secure
     national security systems.

     d. Review and *approve* all standards, techniques,
     systems, and equipment, related to the security of
     national security systems.

     * * *

     h. Operate a central technical center to evaluate and
     *certify* the security of national security
     telecommunications and information systems.

(Emphasis added)

     Given the recent concern about the role of the National Security Agency

in the development of the Digital Signature Standard, it is our belief that any
standard-setting authority created by NSD 42 should require the most careful
public review.

     2. NSD 42 appears to grant the NSA new authority for  information
security.  This is a new area for the agency; NSA's role has historically been
limited to communications security.  Section 4 of the directive provides as
follows:

     The National Security Council/Policy Coordinating
     Committee (PCC) for National Security Telecommuni-
     cations, chaired by the Department of Defense, under the
     authority of National Security Directives 1 and 10,
     assumed the responsibility for the National Security
     Telecommunications NSDD 97 Steering Group.  By
     authority of this directive, the PCC for National Security
     Telecommunications is renamed the PCC for National
     Security Telecommunications and Information Systems,
     and shall expand its authority to include the
     responsibilities to protect the government's national
     security telecommunications and information systems.

(Emphasis added).

     Thus, by its own terms, NSD 42 "expands" DOD's authority to include
"information systems."  What is the significance of this new authority? Will it
result in military control of systems previously deemed to be civilian?

     3. NSD 42 appears to consolidate NSTISSC (The National Security
Telecommunications and Information Systems Security Committee) authority for
both computer security policy and computer security budget determinations.

     According to section 7 of the revised directive, the National Manager for
NSTISSC shall:

     j. Review and assess annually the national security
     telecommunications systems security programs and
     budgets of Executive department and agencies of the U.S.
     Government, and recommend alternatives, where
     appropriate, for the Executive Agent.

     NTISSC has never been given budget review authority for federal agencies. 
This is a power, in the executive branch, that properly resides in the Office
of Management and Budget.  There is an additional concern that Congress's
ability to monitor the activities of federal agencies may be significantly
curtailed if this NTISSC, an entity created by presidential

directive, is permitted to review agency budgets in the name of national
security.

     4. NSD 42 appears to weaken the oversight mechanism established by the
Computer Security Act.  Under the Act, a Computer Systems Security and Privacy
Advisory Board was established to identify emerging issues, to inform the
Secretary of Commerce, and to report findings to the Congressional Oversight
Committees.  Sec. 3, 15 U.S.C. Sec. 278g-4(b).

     However, according to NSD 42, NSTISSC is established "to consider
technical matters and develop operating policies, procedures, guidelines,
instructions, and standards as necessary to implement provisions of this
Directive."  What is the impact of NSTISSC authority under NSD 42 on the review
authority of the Computer Systems Security and Privacy Advisory Board created
by the Computer Security Act?

Conclusion

     Five years after passage of the Computer Security Act, questions remain
about the extent of military involvement in civilian and private sector
computer security.  The acknowledged role of the National Security Agency in
the development of the proposed Digital Signature Standard appears to violate
the congressional intent that NIST, and not NSA, be responsible for developing
security standards for civilian agencies.  The DSS experience suggests that one
of the costs of permitting technical standard setting by the Department of
Defense is a reduction in communications privacy for the public.  The recently
released NSD 42 appears to expands DOD's security authority in direct
contravention of the intent of the Computer Security Act, again raising
questions as to the role of the military in the nation's communications
network.

     There are also questions that should be pursued regarding the National
Security Agency's compliance with the Freedom of Information Act.  Given the
NSA's increasing presence in the civilian computing world, it is simply
unacceptable that it should continue to hide its activities behind a veil of

secrecy.  As an agency of the federal government, the NSA remains accountable
to the public for its activities.

     We commend you for opening a public discussion of these important issues
and look forward to additional hearings that might address the questions we
have raised.


                                                     Sincerely,



                                                     Marc Rotenberg, Director
                                                     CPSR Washington Office



TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH