Copyright 1999 Federal Document Clearing House, Inc.  
Federal Document Clearing House Congressional Testimony

September 30, 1999

SECTION: CAPITOL HILL HEARING TESTIMONY

LENGTH: 2707 words

HEADLINE: TESTIMONY September 30, 1999 GEORGE B. TRUBOW HOUSE SCIENCE TECHNOLOGY COMPUTER SECURITY AND ELECTRONIC SIGNATURE

BODY:
SUBCOMMITTEE ON TECHNOLOGY, THE COMMITTEE ON SCIENCE, U.S. HOUSE OF REPRESENTATIVES HEARINGS ON H.R. 2413 COMPUTER SYSTEMS SECURITY AND PRIVACY ADVISORY BOARD STATEMENT OF GEORGE B. TRUBOW September 30, 1999
The Subcommittee has invited me to testify on H.R. 2413, entitled "The Computer Security Enhancement Act of 1999," which would amend the Computer Security Act of 1987 (CSA, PL 100-235). I am here as a member of the Computer Systems Security and Privacy Advisory Board (hereafter, the Board), established by the CSA. The Board is composed of 12 members and a chairman; I was appointed to the Board September 10, 1997, as one of the four non-government, non-industry members. I am a professor at the John Marshall Law School of Chicago, and director of its Center for Information Technology and Privacy Law. As might be expected, my principal concern regarding the Board's mandate is with the matter of privacy.
The Board's chairman, Dr. Willis H. Ware, is out of the country and thus unable to be at this hearing, though I did have a brief exchange of e-mail with him before he departed. He previously testified before the Subcommittee on Technology on May 3, 1994, giving a detailed statement on the background and operations of the Board, and again on June 19, 1997, in connection with a proposal at that time for amendments to the CSA, which were not enacted. When the Board had its quarterly meeting earlier this month, H.R. 2413 was not on the table, so the Board has not considered the bill. Consequently, my statement today will be brief and for the most part reflects my own views.
The CSA charges the Board "to identify emerging managerial, technical, administrative and physical safeguard issues relative to computer system security and privacy, to advise the Bureau of Standards (sic, now the National Institute of Standards and Technology, hereafter "NIST") and the Secretary of Commerce on such matters, and to report its findings to the Secretary of Commerce, Director of OMB, Director of NSA, and appropriate committees of Congress."
Let me first address H.R. 2413 as it directly affects the Board. As indicated, H.R. 2413 amends the CSA, and Section 6 of the bill amends also the National Institute of Standards and Technology Act, by enlarging the role and functions of the Board, as follows:
The Institute shall solicit the recommendations of the Computer Systems Security and Privacy Advisory Board. . .regarding standards and guidelines that are being considered for submittal to the Secretary. . .. No standards or guidelines shall be submitted to the Secretary prior to the receipt by the Institute of the Board's written recommendations. (emph. supp.) The recommendations of the Board shall accompany standards and guidelines submitted to the Secretary.
I believe the sentence in italics should be deleted from the bill. The Board meets only quarterly and has never had the authority to manage, approve or interfere with the work of NIST, nor does it seek such authority. We are named as an advisory board and should remain so, and I believe we have been effective in that role. I know that others on the Board share this view, and I take the liberty of quoting the chairman in an e-mail message of September 22, 1999, in the exchange I referred to earlier: "One thing you should be against is putting CSSPAB in the loop for approval of anything. We move too slowly to be in such a position. We can give advice and wisdom, but we should never be asked to consent." As stated, I share that opinion.
It is appropriate for the Board to be asked for its advice and wisdom, as provided in the first sentence of the language of H.R. 2413, quoted above. But, it should be for the Board to determine whether it has any advice or wisdom to offer regarding a proposed standard or guideline, and if it does then it is also appropriate that any recommendation be submitted to the Secretary. Accordingly, I would urge that the second sentence above be deleted, and that the word "the" which begins the third sentence, be changed to "any".
Section 6 of H.R. 2413 also contains a provision to authorize an appropriation to the Secretary of Commerce of $1,000,000 in FY 2000, and $1,030,00 in FY 2001, "to enable the (Board) to identify emerging issues related to computer security, privacy and cryptography and to convene public meetings on those subjects, receive presentations, and publish reports, digests, and summaries for public distribution on those subjects." These resources would provide the Board with an expanded means of access to the information and evidence upon which to formulate its findings and recommendations as charged by the CSA and to disseminate the results of important studies and research within its purview. As a result, the Board's function and voice would be enhanced by the new resources and I believe that is a good result.
I believe it is especially important to give the Board the resources to enlarge its role and voice in the midst of our information age, which I often refer to as the "information revolution." The Board's role in monitoring and encouraging security system development supports a national goal of protecting sensitive government information from unauthorized access, alteration, loss or dissemination.
By enlarging the Board's voice the benefits of its recommendations and the results of studies and research that it collects will be more readily shared with the private sector, which is certainly consistent with the bill's provisions generally authorizing and encouraging NIST's cooperation with the private sector. For instance, Section 12 charges the Department of Commerce to (1) promote widespread use of information technologies, (2) establish a clearinghouse to collect and disseminate information about information security threats, and (3) promote the commercial and private uses of encryption technologies.
Let me now address H.R. 2413 in another respect. Its title, "Computer Security Enhancement Act," signals its objective to enlarge NIST's activities in security system development. Historically, as between security and privacy, security has been first in line for NIST's resources, and a continued emphasis on security is certainly warranted, especially when risk to information security, both in the public and private sectors, is as widespread as it is today. Assaults on government and private sector information systems, whether by mischievous hackers or cyberterrorists, threaten the continued development and operation of the nation's information infrastructure. Accordingly, I certainly support the goal of H.R. 2413 to expand NIST's activities in developing and promoting the use of information system security technologies.
Attention to privacy, however, must not be overlooked. There is plenty of evidence of the constantly increasing collection and use of personal information in government and private sector information systems and data banks. What's more, personal information is collected in such fine detail that it provides dossiers and behavioral profiles of individuals in every segment of this nation's population.
My view is that each of us has electronic clones -- virtual personalities -- residing in those data banks and those clones are used to affect the real persons involved. The clones may be "processed" or manipulated for such activities as target-marketing, awarding or denying job opportunities or benefits of some kind, defaming the individual involved, committing credit card fraud, or engaging in the ultimate invasion of privacy, theft of identity. Whatever the context, the use of personal information confronts the right to privacy, and that right is basic to our fundamental right to freedom. Security technologies protect privacy by guarding the access to and use of these information clones through policies and procedures that give individuals the ability to select and define the range of permissible "processing" of their clones. Thus, security and privacy are certainly intertwined, but there can be no privacy without the policies and procedures to guide the application of information system security measures.
Therefore, I turn to the subject of privacy as addressed in H.R. 2413. In short, privacy is not addressed. As I indicated earlier, NIST has focused on security, nor has the matter of privacy been a priority for the Board's attention, either. As the Board's chairman stated in his June, 1997, Congressional testimony, "In discharging its duties, the Board has interpreted its mission broadly, although to date, it has concentrated on security issues to the exclusion of personal privacy ones." That statement remains largely true today. But, though I support a continued priority for security concern, privacy must not be ignored, as it is in the current draft of H.R. 2413. I urge the Committee to remedy this oversight by making it clear that attention to privacy must be an integral part of security system development. I note here that at its last meeting, the Board itself moved to address privacy by establishing a task group to recommend a privacy agenda for the Board.
Finally, I address two other provisions of H.R. 2413. Section 10 authorizes an important new program, Computer Security Fellowships. The authorization of $250,000 for FY 2000 and $500,000 for FY 2001, could be regarded as minimal sums for something so important as educating specialists in the complex subject of computer and information system security. Even if all the funds were appropriated and used for fellowships, without diversion to administrative costs, it could be a long time before any appreciable growth in the supply of security specialists would be realized. At $10,000 per fellowship, not an unreasonable sum, only 25 students throughout the nation would benefit in the first year and 50 more in the second. I believe there is a serious shortage of security specialists; the security education programs are already here and we must enlarge access to them.
Section 14 of the bill authorizes $3 million in FY 2000 and $4 million in FY 2001 to supplement the NIST budget. I expect that testimony from NIST will discuss how much of the expanded program envisioned by H.R. 2413 could be accomplished with that additional appropriation, but I suspect not much of it.
That concludes my prepared testimony. I'll be pleased to answer questions to the best of my knowledge.

LOAD-DATE: October 4, 1999




Copyright © 2002, LEXIS-NEXIS®, a division of Reed Elsevier Inc. All Rights Reserved.