Copyright 1999 Federal Document Clearing House, Inc.
Federal Document Clearing House Congressional Testimony
September 30, 1999
SECTION: CAPITOL HILL HEARING TESTIMONY
LENGTH: 2707 words
HEADLINE:
TESTIMONY September 30, 1999 GEORGE B. TRUBOW HOUSE SCIENCE
TECHNOLOGY COMPUTER SECURITY AND ELECTRONIC SIGNATURE
BODY:
SUBCOMMITTEE ON TECHNOLOGY, THE COMMITTEE ON SCIENCE, U.S. HOUSE OF REPRESENTATIVES
HEARINGS ON H.R. 2413
COMPUTER SYSTEMS SECURITY AND PRIVACY ADVISORY BOARD
STATEMENT OF GEORGE B. TRUBOW
September 30, 1999

The Subcommittee has invited me to testify on H.R. 2413, entitled "The Computer Security Enhancement Act of 1999," which would amend the Computer Security Act of 1987 (CSA, PL 100-235). I am here as a member of the Computer Systems Security and Privacy Advisory Board (hereafter, the Board), established by the CSA. The Board is composed of 12 members and a chairman; I was appointed to the Board September 10, 1997, as one of the four non-government, non-industry members. I am a professor at the John Marshall Law School of Chicago, and director of its Center for Information Technology and Privacy Law. As might be expected, my principal concern regarding the Board's mandate is with the matter of privacy.

The Board's chairman, Dr. Willis H. Ware, is out of the country and thus unable to be at this hearing, though I did have a brief exchange of e-mail with him before he departed. He previously testified before the Subcommittee on Technology on May 3, 1994, giving a detailed statement on the background and operations of the Board, and again on June 19, 1997, in connection with a proposal at that time for amendments to the CSA, which were not enacted. When the Board had its quarterly meeting earlier this month, H.R. 2413 was not on the table, so the Board has not considered the bill. Consequently, my statement today will be brief and for the most part reflects my own views.

The CSA charges the Board "to identify emerging managerial, technical, administrative and physical safeguard issues relative to computer system security and privacy, to advise the Bureau of Standards (sic, now the National Institute of Standards and Technology, hereafter "NIST") and the Secretary of Commerce on such matters, and to report its findings to the Secretary of Commerce, Director of OMB, Director of NSA, and appropriate committees of Congress."

Let me first address H.R. 2413 as it directly affects the Board. As indicated, H.R. 2413 amends the CSA, and Section 6 of the bill also amends the National Institute of Standards and Technology Act, by enlarging the role and functions of the Board, as follows:

"The Institute shall solicit the recommendations of the Computer Systems Security and Privacy Advisory Board . . . regarding standards and guidelines that are being considered for submittal to the Secretary . . . . No standards or guidelines shall be submitted to the Secretary prior to the receipt by the Institute of the Board's written recommendations. (emph. supp.) The recommendations of the Board shall accompany standards and guidelines submitted to the Secretary."

I believe the sentence in italics should be deleted from the bill. The Board meets only quarterly and has never had the authority to manage, approve or interfere with the work of NIST, nor does it seek such authority. We are named as an advisory board and should remain so, and I believe we have been effective in that role. I know that others on the Board share this view, and I take the liberty of quoting the chairman in an e-mail message of September 22, 1999, in the exchange I referred to earlier: "One thing you should be against is putting CSSPAB in the loop for approval of anything. We move too slowly to be in such a position. We can give advice and wisdom, but we should never be asked to consent." As stated, I share that opinion. It is appropriate for the Board to be asked for its advice and wisdom, as provided in the first sentence of the language of H.R. 2413, quoted above. But it should be for the Board to determine whether it has any advice or wisdom to offer regarding a proposed standard or guideline, and if it does, then it is also appropriate that any recommendation be submitted to the Secretary. Accordingly, I would urge that the second sentence above be deleted, and that the word "the" which begins the third sentence be changed to "any".

Section 6 of H.R. 2413 also contains a provision to authorize an appropriation to the Secretary of Commerce of $1,000,000 in FY 2000, and $1,030,000 in FY 2001, "to enable the (Board) to identify emerging issues related to computer security, privacy and cryptography and to convene public meetings on those subjects, receive presentations, and publish reports, digests, and summaries for public distribution on those subjects." These resources would provide the Board with an expanded means of access to the information and evidence upon which to formulate its findings and recommendations as charged by the CSA and to disseminate the results of important studies and research within its purview. As a result, the Board's function and voice would be enhanced by the new resources, and I believe that is a good result.

I believe it is especially important to give the Board the resources to enlarge its role and voice in the midst of our information age, which I often refer to as the "information revolution." The Board's role in monitoring and encouraging security system development supports a national goal of protecting sensitive government information from unauthorized access, alteration, loss or dissemination. By enlarging the Board's voice, the benefits of its recommendations and the results of studies and research that it collects will be more readily shared with the private sector, which is certainly consistent with the bill's provisions generally authorizing and encouraging NIST's cooperation with the private sector. For instance, Section 12 charges the Department of Commerce to (1) promote widespread use of information technologies, (2) establish a clearinghouse to collect and disseminate information about information security threats, and (3) promote the commercial and private uses of encryption technologies.

Let me now address H.R. 2413 in another respect. Its title, "Computer Security Enhancement Act," signals its objective to enlarge NIST's activities in security system development. Historically, as between security and privacy, security has been first in line for NIST's resources, and a continued emphasis on security is certainly warranted, especially when risk to information security, both in the public and private sectors, is as widespread as it is today. Assaults on government and private sector information systems, whether by mischievous hackers or cyberterrorists, threaten the continued development and operation of the nation's information infrastructure. Accordingly, I certainly support the goal of H.R. 2413 to expand NIST's activities in developing and promoting the use of information system security technologies.

Attention to privacy, however, must not be overlooked. There is plenty of evidence of the constantly increasing collection and use of personal information in government and private sector information systems and data banks. What's more, personal information is collected in such fine detail that it provides dossiers and behavioral profiles of individuals in every segment of this nation's population. My view is that each of us has electronic clones -- virtual personalities -- residing in those data banks, and those clones are used to affect the real persons involved. The clones may be "processed" or manipulated for such activities as target-marketing, awarding or denying job opportunities or benefits of some kind, defaming the individual involved, committing credit card fraud, or engaging in the ultimate invasion of privacy, theft of identity. Whatever the context, the use of personal information confronts the right to privacy, and that right is basic to our fundamental right to freedom. Security technologies protect privacy by guarding the access to and use of these information clones through policies and procedures that give individuals the ability to select and define the range of permissible "processing" of their clones. Thus, security and privacy are certainly intertwined, but there can be no privacy without the policies and procedures to guide the application of information system security measures.

Therefore, I turn to the subject of privacy as addressed in H.R. 2413. In short, privacy is not addressed. As I indicated earlier, NIST has focused on security; nor has the matter of privacy been a priority for the Board's attention, either. As the Board's chairman stated in his June, 1997, Congressional testimony, "In discharging its duties, the Board has interpreted its mission broadly, although to date, it has concentrated on security issues to the exclusion of personal privacy ones." That statement remains largely true today. But, though I support a continued priority for security concern, privacy must not be ignored, as it is in the current draft of H.R. 2413. I urge the Committee to remedy this oversight by making it clear that attention to privacy must be an integral part of security system development. I note here that at its last meeting, the Board itself moved to address privacy by establishing a task group to recommend a privacy agenda for the Board.

Finally, I address two other provisions of H.R. 2413. Section 10 authorizes an important new program, Computer Security Fellowships. The authorization of $250,000 for FY 2000 and $500,000 for FY 2001 could be regarded as minimal sums for something so important as educating specialists in the complex subject of computer and information system security. Even if all the funds were appropriated and used for fellowships, without diversion to administrative costs, it could be a long time before any appreciable growth in the supply of security specialists would be realized. At $10,000 per fellowship, not an unreasonable sum, only 25 students throughout the nation would benefit in the first year and 50 more in the second. I believe there is a serious shortage of security specialists; the security education programs are already here and we must enlarge access to them. Section 14 of the bill authorizes $3 million in FY 2000 and $4 million in FY 2001 to supplement the NIST budget. I expect that testimony from NIST will discuss how much of the expanded program envisioned by H.R. 2413 could be accomplished with that additional appropriation, but I suspect not much of it.

That concludes my prepared testimony. I'll be pleased to answer questions to the best of my knowledge.
LOAD-DATE: October 4, 1999