IP: CSPP Security Report available on web

[Dave Farber <farber () central cis upenn edu>]

From: JimIsaak <isaak () ljo dec com>


The CSPP Security report "Perspectives on Security in the Information 
Age" is available.  You will find a copy on the CSPP WEB.


http://www.podesta.com/cspp/reports/report1-96.html


FYI, Jim




Executive Summary


The Information Age promises an explosion in economic growth, technological
innovation and educational opportunities that could improve the standard of
living and the quality
of life around the world. To achieve this promise, the private sector, with
the encouragement of government, is building the Global Information
Infrastructure (GII), the
electronic pathways that will carry vast quantities of valuable commercial,
scientific, and educational information between individuals, companies and
customers, doctors and
patients, students and teachers.


While the GII offers unprecedented access to and exchange of information, it
also exposes users to breaches of confidentiality, disruption of their
operations, destruction of
intellectual property and outright theft. These are serious concerns because
electronic data in digital form -- or cyberproperty -- is emerging as the
most valuable currency of the
Information Age. Users of the GII have the need, right, and responsibility
to protect the access to, and the confidentiality of, their information.
They also have the right and
responsibility to determine the appropriate type and strength of protection
for their cyberproperty.


Consider the case of U.S. companies, which currently lead the global
information technology market. U.S. export control policies severely limit
their ability to provide
customers global security solutions, based on encryption, that are
seamlessly integrated into their computer systems. If U.S. companies are
prohibited from meeting this growing
demand for secure electronic commerce, non-U.S. competitors are ready,
willing and able to do so. In fact, many already are exporting security
solutions stronger than those
U.S. firms can export.


The advantage that competitors will derive from their ability to meet the
growing demand for secure, integrated global solutions will result in loss
of market share for U.S.
computer systems manufacturers, not only in the encryption market, but also
in the general computer systems market. Emerging Security Needs and U.S.
Competitiveness:
Impact of Export Controls on Cryptographic Technology, a CSPP study released
in December 1995, estimates that the potential exposure to the U.S.
information industry's
annual revenues could range from $30 to $60 billion by the year 2000.


While individuals and industry have a compelling interest in protecting
their cyberproperty, the government has an interest in gathering
intelligence and enforcing the law. In
addition to lawful wiretaps and searches, the government meets its security
objectives by clandestinely intercepting information traveling on the GII
among criminals and
terrorists. The government is concerned that the spread of global security
solutions may adversely affect its law enforcement and international
intelligence gathering
responsibilities. But strong security solutions are already available in the
international marketplace to legitimate users and terrorist and criminal
elements alike. Given this reality,
the government efforts to prevent the global spread of security technology
are doomed to fail.


Governments and the private sector must reach a consensus on broad
principles that can serve as the foundation for a rational export control
policy. CSPP has developed a set
of security principles that offer a framework for agreement on a reasonable
and achievable national policy. CSPP has also drafted specific
recommendations for action that can
satisfy the U.S. computer industry's immediate export needs while a
comprehensive policy solution is designed. How effectively individual users,
the private sector, and
governments work together to define a security policy that fairly balances
competing economic and security interests, will determine the scope and
growth rate of the GII.


CSPP believes existing and proposed U.S. policies controlling cryptography
should be based on the following security principles: 


   1.Users have the need, right, and responsibility to determine the type
and strength of security required; 
   2.Governments should not impose unilateral controls on trade in
commercial security technology; 
   3.Multilateral controls must cover all major sources of commercial
security solutions world-wide; 
   4.Commercial security solutions should be treated as commercial products
under the Department of Commerce export controls; 
   5.The availability of cryptography should not be regulated according to
technology levels; 
   6.No regulatory distinctions should be made between hardware and software
security solutions; 
   7.Industry should be responsible for developing standards for commercial
security solutions; 
   8.Actions permitted under the existing U.S. law should be exhausted
before creating new laws to address issues of government access; 
   9.There should continue to be no controls on domestic use of
cryptography; and 
  10.Export controls should not be used to impose controls indirectly on
domestic availability of cryptographic products.


Given the present market realities and government needs, CSPP recommends the
following first steps to promote the legitimate use of security by
individuals and companies
and to address the U.S. government's intelligence gathering and law
enforcement interests: 


   1.Link the decontrol of U.S. commercial cryptographic products to the
availability of competitive products in the international marketplace; 
   2.Permit the export of stronger U.S. commercial cryptographic products,
withouttechnology restrictions, to legitimate, commercial end users; 
   3.Discuss the export of stronger U.S. commercial cryptographic products
that meet reasonable government access needs; and 
   4.Embargo U.S. commercial cryptographic products in terrorist countries.