NII Security Issue Forum
Cross-cutting Meeting of the IITF
February 18, 1994, 2:00 pm
Room 180, OEOB

Attendees:

Sally Katzen, OMB (Chair)
Bruce McConnell, OMB
Jon Cannon, EPA
Melvyn Ciment, NSF
Thomas Kalil, NEC
Raymond Mislock, NSC
Bob Marquette, NCS
Michael Nelson, OSTP
Scott Charney, DOJ
John Podesta, WH
Tom Wasilewski, NTIA
Jim Burrows, NIST
John Nagengast, NSA
Kaz Kazenske, PTO
Dennis Steinauer, NIST
Stephen Wolff, NSF
Rahman Khan, OSTP
David Lytel, OSTP
Elizabeth Schneirov, CEA
Mike Keplinger, PTO
R.J. "Jerry" Linn, NIST
Judy Stork, LC
Stephen L. Squires, ARPA
Lynn McNulty, NIST
Barbara Valeri, DOD
Martin Ferris, Treasury
Arnold Donahue, OMB
Paul Wohlleben, EPA
Jeff Sutton, NASA
Rick Carr, NASA
Rioss Stapleton, DCI/CMS
Vic Bowser, NCS
Neil J. Stillman, HHS
Gayle Gordon, DOI
Chuck Chamberlain, USPS
David Morman, DOL
Robert Pepper, FCC
Virginia Huth, OMB
Ed Springer, OMB
Rob Veeder, OMB

I. Opening Remarks - Sally Katzen, OMB

Ms. Katzen, Chair of the Information Policy Committee of the Information Infrastructure Task Force (IITF), welcomed the participants to the first cross-cutting meeting in the Federal Government concerning "Security and the National Information Infrastructure (NII)." Following introductions, Ms. Katzen stated that the topic of the meeting was to explore the Government's role in the area of security and the NII.

Government is just a small part of the NII, but can play a big role by being a model user of information technology, creating a legal and policy framework that encourages private sector development, and funding research and development in advanced technologies. The Government must work with the private sector and cooperate with what it is developing. The Government has an obligation to set legal and policy ground rules for security in the NII. To begin this process, we within Government should share our concerns and actions.

Security in the NII is defined in terms of the confidentiality, integrity, and availability of information.
Today we will examine the legal, management, and technical aspects of this area.

II. Legal and Policy Issues

A. Federal Criminal Statutes

Presentation: Scott Charney, Department of Justice

Mr. Charney summarized relevant Federal criminal statutes and discussed some of their weaknesses.

The Electronic Communications Privacy Act is broad in scope. It states that it is illegal to intercept or disclose wire, oral, or electronic communications. It is strictly a bar on interception. It applies to electronic communications and computer data in communications.

Several legal problems need to be addressed. First, some security needs to be provided for electronic mail when it is stored. Outsiders need to be denied unauthorized access to the system. Also, Government needs to be able to gain access to communications for law enforcement purposes, when required and duly authorized. Although there are rules limiting Government access to e-mail and rules restricting the disclosure of e-mail by entities providing electronic communication services to the public, private e-mail providers are not subject to these rules. Legislation pertaining to the regulation of electronic monitoring of employees is pending in the form of HR 1900 and S 984.

Mr. Charney then discussed the Computer Fraud and Abuse Act, 18 USC 1030, which consists of three felony and three misdemeanor charges. 18 USC 1030(a)(3) makes it illegal to trespass in federal computer systems. 18 USC 1030(a)(4) deals with the use of federal computers to defraud. 18 USC 1030(a)(5) states that it is illegal to access without authority a computer system used in interstate commerce, to alter or destroy records. However, this statute only applies to those without authority; thus, insiders are not covered. Perpetrators do not need to intend to cause damage, but must only intend to enter without authority.

The current Senate crime bill has a section addressing the issue of "intent," which nevertheless remains difficult to prove.
It decriminalizes conduct now illegal by stating that the instigator must intend to launch the code and must intend to do damage for the offense to be illegal. A hacker's plea of "I didn't mean to do it" could be sufficient to get around the law.

18 USC 1030 also has room for improvement. Currently, sentencing is covered under guideline 2f1.1, which includes a table which determines the amount of time to be served according to the loss in dollars. However, many computer crimes are non-fraud cases that cannot be costed in dollars, such as access to credit reports. The solution is to focus on non-economic harm such as violations of privacy.

Problems also exist in Federal coverage of trade secrets. Currently, crimes are charged under other statutes. However, the Interstate Stolen Property Act does not cover electronic "property". Also, it is difficult to determine where intangible property resides. Although industry and corporations have expressed interest in this legislation, many of these interests desire legislation that only covers foreign companies.

Other statutes also need to change. Rule 41 dealing with investigations requires that a warrant be issued where the property is sought. In electronic cases, the location of the server may mean that warrants are issued in the wrong jurisdiction.

We should all realize that the NII is really an "III," an International Information Infrastructure, and there are international aspects to these legal problems. Under the principle of dual criminality, the policies and solutions must be agreed upon by both countries concerned. Many of these problems are too new to have reached international agreement and consensus. There are also procedural problems in dealing with multi-national questions. International channels for obtaining law enforcement assistance need to be streamlined to become less inefficient and time-consuming.

Discussion: Questions were then taken from the meeting's participants.
Q: Do you have a sense of the number of illegal or unauthorized entries into systems which go undetected? Are they increasing?

A: Easy accessibility means many more people will be using the NII. As the network is linked to more systems, the numbers will be exponentially larger. Since e-mail is stored, more hackers are entering systems to look for e-mail about themselves. Digital telephony and encoding will be a limiting factor in the future, but for now, the immediate risk of hacking is on the rise.

Q: Has the question of traffic analysis penetrations been raised?

A: This is mainly a question of information about transactions vs. content. Frankly, content security is our bigger concern, although system interactions provide new opportunities for abuse.

B. Civil Perspective

Discussion: Ms. Katzen noted that there is an absence of information on the extent to which the threat of civil liability acts to deter security breaches or encourage protections. Mr. Charney noted that it is often not cost effective to pursue individual violations.

A brief discussion then ensued concerning examples of civil cases. A trend was noted in private companies to sell software with "time bombs" within them which will crash the program if payment for the software is not made. It was observed that the Electronic Mail Association is spending substantial time on litigation by employees against employers who examine their mail.

Ms. Katzen asked about the responsibilities of owners of systems to provide security. Duty, breach of duty, and damages are standard concerns in civil cases. The Departments of Justice and Treasury volunteered to follow up by analyzing the sufficiencies of current law on the civil side.

III. Emerging User Requirements

Representatives from Committees and Working Groups of the IITF presented the issue of security from the perspective of the users they represent.

A. Telecommunications Policy Committee

Presentation: Tom Wasilewski, NTIA

Mr. Wasilewski discussed the Committee's consensus: When dealing with the question of user requirements, we need to determine about whom we are talking. End users usually do not think too much about security, although this concern will increase. At Congressional hearings, security concerns are usually raised by the Government.

Security costs should also be a concern. There are issues around who will pay for the widely varying levels of security needed by different users. Although we recognize that security is important, law enforcement access to the NII is also a concern.

Finally, we also need to be concerned with the reliability of the system in case of a national emergency such as the recent earthquake in southern California. The Telecommunications Policy Committee has established a Network Reliability and Survivability Working Group to address this issue.

B. Information Policy Committee, Intellectual Property Rights Working Group

Presentation: Kaz Kazenske, PTO

Mr. Kazenske described his Committee's security concerns. This working group is concerned with the issues of intellectual property affecting interests such as film, publishing, multi-media, authors, and users of the NII. It deals with questions of provider security more than user security.

Currently, the publishing sector is concerned about copyright protection on the NII. Library associations have already brought up the question of fair use vs. copyright. Defining "copy" is a major issue. It is believed that encryption as well as changes in intellectual property laws will help in the future.

International aspects to the issue of intellectual property also arise. Defining "import" and "export" is difficult in the borderless environment of electronic markets. Such concerns have been raised by publishers, broadcasters, and the movie industry, among others. These users are concerned with distribution and entry on the NII.

C. Information Policy Committee, Privacy Working Group

Presentation: Robert Veeder, OMB

Mr. Veeder stated that privacy concerns involve how data about individuals is gathered and used, while security is the confidentiality, availability and integrity of that information. As such, it is a tool to protect privacy within the context of the NII. Technology is driving use of the NII to the individual level. Yet the NII must be perceived as trustworthy and secure, or people will not participate.

The key players in the privacy equation are the individual users or data providers, the data carriers, the data collectors, and the subsequent data users. Individual participants in the NII must assume more responsibility. They cannot be passive and must think before providing information. The participants must also be more responsible for data integrity, that is, providing correct data. Greater emphasis needs to be placed on the data provider, not the collector. The issue of carrier responsibility must also be addressed. The data collector should be responsible for notification of the way in which the data is used.

Mr. Veeder raised the question, "Will people use the system if they don't trust it?" Using the example of health care, people may not release information if the system is not secure.

Discussion: Participants pointed out the need for user authentication, or the need to know the identity of the user. Mr. Veeder observed that we need to consider the dangers of too much versus too little security, or setting security levels which are unadaptable. We need a system that can change over time.

Currently the public-at-large does not have strong security concerns. Two factors about which industry has expressed concern regarding security and the NII are (1) standards development in certain areas and (2) privacy/security of trade secret information.

The public is more apt to use the NII if it feels it provides some form of additional value.
The Department of Labor discovered, in its public information kiosks program, that if information was provided one-way, public use declined. However, where kiosks provided services such as issuing drivers' or fishing licenses, public use increased. The public will accept a higher level of security risk only if it receives a higher level of benefit.

D. Committee on Applications and Technology

Presentation: Cita Furlani, NIST

Ms. Furlani stated that this Committee is concerned with the use of the NII from the point of view of users of advanced applications. Privacy is important or vital for all functions of the NII, whether health care, manufacturing, environmental monitoring, government services, education, or libraries.

Ms. Katzen stated that the representatives from the IITF Committees should go back to their users, whether publishers, hospitals, schools, artists, or others, and get a clear statement of their security concerns and needs. We should not make policy based on what we know today, but must determine what these groups will want tomorrow. Opportunities for the public to address their security concerns will be critical to this process.

IV. Technical Issues

A. National Institute of Standards and Technology

Presentation: Jim Burrows, NIST

Mr. Burrows stated that security requires new ways to identify users. Methods include time stamp, encryption, key exchange, and digital signatures. People will use these systems if they are cost effective, available, and can be installed on current hardware. Certificates for signatures and key exchanges are important considerations in the larger infrastructure which we are moving towards. The concept of a single system for the entire infrastructure is a dream and will not work.

We need to determine our long term needs, because a lot of technology is already available. Encryption technology is already well documented in the literature. Encryption cannot be controlled. For enough money, any controls can be circumvented.

The issue of security technology raises two questions: (1) Who will sponsor these new systems? and (2) Who do we trust with the information? These questions are more political than technical.

Mr. Lynn McNulty of NIST noted that his organization, in conjunction with seven other federal sponsoring agencies, will soon have the final draft of a document that analyzes the Federal Government's public key infrastructure requirements. This document will be put on the internet for comments.

Mr. Burrows continued that there is a perceived international trend toward controlling encryption. Among the forerunners are France and China. These efforts will affect the International Information Infrastructure. The French law requires that the government be given the source code to all encryption. However, most other countries have minimal laws concerning security or issue them on an ad hoc basis.

B. National Security Telecommunications and Information Security Systems Security Committee (NSTISSC)

Presentation: John Nagengast, National Security Agency

Mr. Nagengast noted that NSTISSC deals with classified or sensitive information policy within DOD only. It has extensive dealings within the defense community. Its work has supported a DII (Defense Information Infrastructure), that can now be seen as becoming part of Government Information Infrastructure and a National Information Infrastructure.

The Defense Message System (DMS) will consolidate various systems and has approximately 2 million e-mail users from the Department of Defense. Phase I of the DMS contains approximately 80% unclassified electronic information, with the remainder made up of sensitive but unclassified materials. DMS will be extended out to other Federal agencies so that they will be able to interact with the Department of Defense through this forum. Security for this system is proposed to be a MOSAIC-TESSERA multi-purpose security system with a smart card.
This equates to an eventual lower cost of approximately $50-100 per work station. The main security concerns with the system include privacy, confidentiality, integrity, and availability.

There have been between 800-1000 known attempts to hack into Department of Defense systems. 40-60% have come through unauthorized calls on the Department's 800 telephone numbers.

Two main issues still need to be addressed. The first is the need for standards concerning security transactions such as a digital signature standard. Second, the Government needs a common infrastructure. In this area, we still have a long way to go.

C. National Communications System (NCS)

Presentation: Major General Robert Marquette (Retired)

Gen. Marquette stated that NCS draws together 23 Federal Departments and agencies to coordinate planning for national security and emergency preparedness communications. NCS supports the communications industry through the President's NSTAC (National Security Telecommunications Advisory Committee).

NCS has started a test program with six agencies to demonstrate how NS/EP (National Security and Emergency Preparedness) information can be protected. Meetings have been held with industry to determine possible security countermeasures. Industry has been very concerned regarding the security of their networks. NCS also keeps abreast of industry's countermeasures, and this has proven to be a valuable forum for information exchange. In meetings, the agencies describe in detail how their systems are penetrated. A policy of non-disclosure allows these representatives to openly deal with their problems and learn from each other. As concerns increase, more money will be put into security by both industry and Government.

NCS is also concerned about standards. It is working with the Defense Intelligence Agency and drafting a document on hostile threats. Industry is interested in working with Government. Privacy will be a harder issue than security.

Discussion: A question was asked concerning the importance of additional R&D funding. Should the Government jointly fund security R&D which would serve both Government and industry? It was stated that industry probably won't ask for more R&D concerning security. Industry wants Government to get a handle on security problems by legislating in the U.S. The view is that we are getting better. Citibank is leading an industry consortium concerning security R&D. It was suggested we hold one or more public forums in which we ask industry leaders and other members of the public to provide their views on these issues.

D. Forum of Incident Response & Security Teams (FIRST)

Presentation: Dennis Steinauer, NIST

Mr. Steinauer stated that we need to remind the public that the NII is here now. Internet is a preview, and we need to learn lessons from it. We need new security controls or constant problems will arise. We must be able to detect problems quickly so that we can solve them quickly. For example, in the Internet worm incident of 1988, we were lucky to discover and handle it quickly. We can't rely on luck in the future.

A Computer Emergency Response Team has been established under Steve Squires to enable us to deal with one constituency, the Internet. Other constituencies such as NASA, the Department of Energy, and others have also set up their own teams. Each organization has its own way of responding, yet the need for interaction and cooperation among them exists.

FIRST is a voluntary organization of over 30 of these emergency response teams from all over the world. Each response team has a defined constituency and can send alerts to others in a "trusted environment". The teams know each other well, and entry into the organization is defined by rules. FIRST is made up of these Federal Government and non-government organizations.

We need to encourage the exchange of such information. This is necessary in the semi-controlled environment of the NII.
The mechanisms are in place, but the policy of sharing information needs to be built into the structure of the NII.

It should be noted that FIRST is not a FEMA (Federal Emergency Management Agency) and does not deal with disaster recovery, etc. It is more like the "911" for networked information systems. Participation in this organization is not universal. Outsiders eventually obtain access to information second-hand.

Discussion: A question was asked concerning which FIRST activities could be used Government-wide. By building on these trusted relationships, the ability to respond to security incidents can be broadened.

E. Working Group on Encryption and Telecommunications

Presentation: Mike Nelson, OSTP

Dr. Nelson stated that this working group is only a few weeks old. It consists of representatives from the Department of Justice, NSC, State Department, Treasury, OMB, the Department of Commerce (NIST and the Bureau of Export Controls), FBI, and NSA and originally was brought together on an ad hoc basis.

It is examining the Government's response to the fast growth of inexpensive encryption devices which can prevent wiretaps. It is looking for alternatives that balance law enforcement's need for access with the need for strong security. The goal is a cheap, exportable, and standard form of protection. Among topics being discussed are key escrow chip hardware, encryption software, and the development of new technologies like higher speed encryption.

The most well-known of these devices is the clipper chip, also known as the key escrow chip. This chip, an alternative to other encryption devices available, would give U.S. information systems better security and privacy, while allowing law enforcement access to information. NIST and the Department of the Treasury will hold the keys to the chips and will promote their export. The chip has been widely criticized by privacy groups and by industry.

The Administration is reviewing the impact of digital telephony on law enforcement. This is a matter of balancing the needs of privacy, law enforcement, and industry. Secure digital telephony is being discussed with industry. It would allow law enforcement to continue to work as it now does. The Administration is attempting to maintain the "status quo" in telephony and encryption, not to increase the range of law enforcement.

The Administration is also currently negotiating with industry to work on a digital signature standard. This system would be free for all to use and is a necessary element for electronic banking and commerce.

V. Next Steps

Ms. Katzen stated that we should all realize that there is enormous public interest and concern in the issue of security in the NII. This meeting has been organizational, to share information on what is available and what the issues are, to task federal agencies to gather additional information, and to determine a plan for moving forward. We recognize that we do not have all the answers and that we must work with the public to develop solutions.

The Working Groups are cooperating with the Information Infrastructure Task Force and the National Information Infrastructure Advisory Council on this issue. Our participation in NII Advisory Council meetings must be organized. A Federal representative should be present to explain the security issue.

The second meeting of this Group on Security and the National Information Infrastructure will be in April. Between now and then, we need to develop ways to engage the public more in this discussion.

At this point, specific next steps were discussed. (See attachment.)

Security and the National Information Infrastructure
Next Steps

Ms. Katzen asked various participants to initiate certain actions prior to the next meeting in early April.

Marty Ferris of the Treasury Department will coordinate a public forum involving the public-at-large, industry, and state and local governments in discussions of the issue of security in the NII. Such a forum should be set up within 60 days, if possible.

Scott Charney of the Department of Justice will assess the sufficiency of the current criminal statutory regime; notify the group of movement on relevant legislation; report on developments in civil case law relevant to computer security; and consider the need for amendment to statutes or new laws to address emerging crimes.

The Committees of the IITF will identify the security needs of various user sectors affiliated with the NII. Committees should solicit input and initiate dialogue with these users. The Groups need to nail down their definition of security needs for the network and determine what tools and policies are needed to support this.

NIST will propose and encourage the Computer Security and Privacy Advisory Board (CSPAB) to assist NIST in the assessment of security tools and techniques in use outside of the Federal Government and assess where research and development on security technology would be useful for the NII.

NIST will promote Federal security products and techniques that will be useful in the NII (e.g. recent EDI security guidance).

NIST will propose and encourage the CSPAB to work with FIRST to assess how private entities conduct emergency response and how the efforts of Government can be coordinated with them to ensure "911" capability for the NII.

NCS, in coordination with the industry's National Security Telecommunications Advisory Committee (NSTAC), will work with the Telecommunications Policy Committee to ensure that an NS/EP (National Security and Emergency Preparedness) capability is built into the NII.

NSTISSC will evaluate useful security tools and techniques in the national security community that are applicable to general users of the NII.