Interesting People mailing list archives

crypto again (I hear it will soon heat up a lot)


From: Dave Farber <farber () central cis upenn edu>
Date: Mon, 27 Mar 1995 12:45:52 -0500

from EPIC Alert


=======================================================================
[3] Security Policy Board Criticized.
=======================================================================


The National Security Council's proposal to merge protection of
civilian and military computer systems under the control of the
Security Policy Board came under increasing criticism from civilian
government computer security experts this week. Two different
government panels released statements opposing the proposal.


The Computer Systems Security and Privacy Advisory Board, a board
created by the Computer Security Act of 1987, in Res. 95-3 of March 24,
1995, called on the SPB to stop its activities.


   The board is concerned about the Security Policy Board (SPB)
   proposal of November 27, 1994, to "...have authority over all
   classified and unclassified but sensitive systems." Therefore, the
   board recommends that the SPB not proceed with this plan to control
   unclassified but sensitive systems until broader input of issues is
   gathered. To that end, the board would like to have the opportunity
   to be fully involved in working on these issues.


In a letter written January 11 and released March 23, the Steering
Committee of the Federal Computer Security Program Managers' Forum
strongly criticized the Security Policy Board's proposal. The Forum is
made up of senior computer security managers for civilian agencies
including the Justice Department, HHS, and Department of
Transportation.


The letter states that classified and unclassified systems should be
kept separate because of the different needs for each:


   We believe that it is inappropriate for the national security and
   intelligence communities to participate in selecting security
   measures for civilian agencies. Their expertise in protecting
   national security systems is not readily transferable to civilian
   agency requirements.


The Forum asked the OMB to limit the SPB's authority to only
classified systems. The letter states that SPB's review conflicts with
the Computer Security Act of 1987 and PDD-29 and will increase public
concerns about previous government initiatives such as NSDD-145 and
the Clipper Chip.


On March 9, EPIC filed suit against the National Security Council,
asking for documentation on the SPB and Presidential Decision
Directive 29, which created the board. The EPIC suit is now in federal
district court. Senator William Roth (R-DE), chair of the Senate
Governmental Affairs Subcommittee on Investigations, also expressed
concern with the role of the SPB.


[Security Manager's Letter to OMB]


FEDERAL COMPUTER SECURITY PROGRAM MANAGERS' FORUM


January 11, 1995


The Honorable Sally Katzen
Office of Management and Budget
Office of Information and Regulatory Affairs
Old Executive Office Building,
Room 350
17th Street and Pennsylvania Ave, NW
Washington, DC 20503


Dear Ms. Katzen


On behalf of the Steering Committee of the Federal Computer Security
Program Managers' Forum, I am writing you to inform you of our
unanimous disagreement with the Security Policy Board's (SPB)
proposal to establish a new federal computer security organization
with jurisdiction over both unclassified and classified programs. The
Steering Committee urges you to take appropriate action to restrict
implementation of the SPB report to only classified systems for the
following reasons.


1. The establishment of a national security community dominated
Information System Security Committee having jurisdiction for both
classified and unclassified systems is contrary to the Computer
Security Act. Furthermore, it is not consistent with the authority of
PDD-29 which requires coordination of national security policy


2. This initiative also undercuts a stated Administration goal for an
"open government" in which the free flow of information is facilitated
by removing government restrictions and regulations. For example, the
SPB document states that a priority project for the new committee will
be to craft a broad new definition for "national security related
information." This will be viewed by many as an attempt to impose new
restrictions on access to government information.


3. The SPB proposal may serve to increase concerns over the
government's intentions in the field of information security. We know
from observing the public debate over NSDD-145 and the Clipper Chip
that the private sector deeply mistrusts the intentions of the
government to use information security policy as a lever to further
goals and objectives viewed as contrary to the interests of the
business community. Congress passed the Computer Security Act of 1987
in response to expressions of displeasure from the private sector
regarding the unwelcome overtures by the national security community
towards "assisting" the private sector under the auspices of national
security. This was perceived as having a significant adverse impact
upon personal privacy, competitiveness and potential trade markets.


4. We believe that it is inappropriate for the national security and
intelligence communities to participate in selecting security measures
for unclassified systems at civilian agencies. Their expertise in
protecting national security systems is not readily transferable to
civil agency requirements. The primary focus of security in the
classified arena is directed towards protecting the confidentiality of
information with little concern for cost effectiveness. Unclassified
systems, however, which constitute over 90% of the government's IT
assets, have significantly fewer requirements for confidentiality
vis-a-vis the need for integrity and availability. In these times of
diminishing resources, cost-effectiveness is of paramount concern in
the unclassified arena.


The Steering Committee is most concerned that the report is being
misrepresented as Administration policy. Indicative of this is that
"transition teams" are being formed to implement the report.


Please consider these facts and take action to restrict the SPB report
implementation to only classified systems. Thank you for your
thoughtful consideration of this request.


Sincerely,


Lynn McNulty
Forum Chair
National Institute of Standards and Technology


Sadie Pitcher
Forum Co-chair
Department of Commerce


=======================================================================
[5] Commerce Dept. to Recommend Relaxing Crypto Export Control
=======================================================================


The Bureau of National Affairs reports that the Department of Commerce
will recommend that the United States relax export controls on
cryptography. The recommendations will be presented to the President
in early July. The National Security Agency is expected to release a
report on the availability of foreign encryption software which will
be presented to the President at the same time.


The Commerce Department has also filed a request with the Office of
Management and Budget to collect information on the damage to US
businesses resulting from current export controls.


The Software Publishers Association, in a December survey of
encryption software currently available, identified 407 foreign
encryption products, 120 of which used the Data Encryption Standard
(DES). The SPA found 480 domestic encryption products.

