Interesting People mailing list archives
crypto again (I hear it will soon heat up a lot)
From: Dave Farber <farber () central cis upenn edu>
Date: Mon, 27 Mar 1995 12:45:52 -0500
from EPIC Alert

=======================================================================
[3] Security Policy Board Criticized.
=======================================================================

The National Security Council's proposal to merge protection of civilian and military computer systems under the control of the Security Policy Board came under increasing criticism from civilian government computer security experts this week. Two different government panels released statements opposing the proposal.

The Computer Systems Security and Privacy Advisory Board, a board created by the Computer Security Act 1987. Res. 95-3, March 24, 1995 called on the SPB to stop its activities.

    The board is concerned about the Security Policy Board (SPB) proposal of November 27, 1994, to "...have authority over all classified and unclassified but sensitive systems." Therefore, the board recommends that the SPB not proceed with this plan to control unclassified but sensitive systems until broader input of issues is gathered. To that end, the board would like to have the opportunity to be fully involved in working on these issues.

In a letter written January 11 and released March 23, the Steering Committee of the Federal Computer Security Program Manager's Forum strongly criticized the Security Policy Board's proposal. The Forum is made up of senior computer security managers for civilian agencies including the Justice Department, HHS, and Department of Transportation.

The letter states that classified and unclassified systems should be kept separate because of the different needs for each:

    We believe that it is inappropriate for the national security and intelligence communities to participate in selecting security measures for civilian agencies. Their expertise in protecting national security systems is not readily transferable to civilian agency requirements.

The Forum asked the OMB to limit the SPB's authority to only classified systems.
The letter states that SPB's review conflicts with the Computer Security Act of 1987 and PDD-29 and will increase public concerns about previous government initiatives such as NSDD-145 and the Clipper Chip.

On March 9, EPIC filed suit against the National Security Council, asking for documentation on the SPB and Presidential Decision Directive 29, which created the board. The EPIC suit is now in federal district court.

Senator William Roth (R-DE), chair of the Senate Governmental Affairs Subcommittee on Investigations, also expressed concern with the role of the SPB.

[Security Manager's Letter to OMB]

FEDERAL COMPUTER SECURITY PROGRAM MANAGERS' FORUM

January 11, 1995

The Honorable Sally Katzen
Office of Management and Budget
Office of Information and Regulatory Affairs
Old Executive Office Building, Room 350
17th Street and Pennsylvania Ave, NW
Washington, DC 20503

Dear Ms. Katzen

On behalf of the Steering Committee of the Federal Computer Security Program Manager's Forum, I am writing you to inform you of our unanimous disagreement with the Security Policy Board's (SPB) proposal to establish a new federal computer security organization with jurisdiction over both unclassified and classified programs. The Steering Committee urges you to take appropriate action to restrict implementation of the SPB report to only classified systems for the following reasons.

1. The establishment of a national security community dominated Information System Security Committee having jurisdiction for both classified and unclassified systems is contrary to the Computer Security Act. Furthermore, it is not consistent with the authority of PDD-29 which requires coordination of national security policy.

2. This initiative also undercuts a stated Administration goal for an "open government" in which the free flow of information is facilitated by removing government restrictions and regulations.
For example, the SPB document states that a priority project for the new committee will be to craft a broad new definition for "national security related information." This will be viewed by many as an attempt to impose new restrictions on access to government information.

3. The SPB proposal may serve to increase concerns over the government's intentions in the field of information security. We know from observing the public debate over NSDD-145 and the Clipper Chip that the private sector deeply mistrusts the intentions of the government to use information security policy as a lever to further goals and objectives viewed as contrary to the interests of the business community. Congress passed the Computer Security Act of 1987 in response to expressions of displeasure from the private sector regarding the unwelcome overtures by the national security community towards "assisting" the private sector under the auspices of national security. This was perceived as having a significant adverse impact upon personal privacy, competitiveness and potential trade markets.

4. We believe that it is inappropriate for the national security and intelligence communities to participate in selecting security measures for unclassified systems at civilian agencies. Their expertise in protecting national security systems is not readily transferable to civil agency requirements. The primary focus of security in the classified arena is directed towards protecting the confidentiality of information with little concern for cost effectiveness. Unclassified systems, however, which constitute over 90% of the government's IT assets, have significantly fewer requirements for confidentiality vis-a-vis the need for integrity and availability. In these times of diminishing resources, cost-effectiveness is of paramount concern in the unclassified arena.

The Steering Committee is most concerned that the report is being misrepresented as Administration policy.
Indicative of this is that "transition teams" are being formed to implement the report. Please consider these facts and take action to restrict the SPB report implementation to only classified systems.

Thank you for your thoughtful consideration of this request.

Sincerely,

Lynn McNulty
Forum Chair
National Institute of Standards and Technology

Sadie Pitcher
Forum Co-chair
Department of Commerce

=======================================================================
[5] Commerce Dept. to Recommend Relaxing Crypto Export Control
=======================================================================

The Bureau of National Affairs reports that the Department of Commerce will recommend that the United States relax export controls on cryptography. The recommendations will be presented to the President in early July. The National Security Agency is expected to release a report on the availability of foreign encryption software which will be presented to the President at the same time.

The Commerce Department has also filed a request with the Office of Management and Budget to collect information on the damage to US businesses resulting from current export controls.

The Software Publishers Association, in a December survey of encryption software currently available, identified 407 foreign encryption products, 120 of which used the Data Encryption Standard (DES). The SPA found 480 domestic encryption products.