Section 2.5. Computer Security Mandates and Legislation

2.5. Computer Security Mandates and Legislation

Throughout history, new advances in the availability, processing, and transmission of information have inevitably been followed by new security methods, federal laws, and procedural controls. These are typically aimed at protecting information that's considered to be essential to national security or other national interests.

In the 1970s and into the 1980s, national concerns about the Soviet interception of domestic communications intensified. Since the 1990s, that threat has diminished, but other nations, primarily those in the Middle East, but certainly Communist China and North Korea as well, have become threats. All this has led to a large number of security-related pieces of legislation, Presidential directives, and national policy statements. These fall into several categories:

Protection of classified or sensitive information: Legislation mandating computer security practices by federal agencies and contractors. The idea of this legislation is that organizations that process classified or sensitive unclassified government information must be careful to protect that information from unauthorized access.
Computer crime: Legislation defining computer crime as an offense and extending other regulations to cover thefts and other abuses carried out by computers and other new techniques. In addition to federal policies, virtually all U.S. states have enacted their own legislation prohibiting computer crime and abuse.
Privacy: Legislation protecting the privacy of information maintained about individuals (e.g., health and financial records). Another consideration for computer privacy is the practice of merging records from multiple, seemingly benign databases into profiles that may reveal devastating amounts of information about an individual.

2.5.1. The Balancing Act

Although it may be a mischaracterization, much of the concern about computer security centers on the government. Data needs to be classified to avoid exposing sensitive information and the means used to collect it, or protected to avoid allowing unfriendly investigators to compile data and expose national weaknesses. In addition, the communications of terrorists and criminals can be a rich source of information to prevent or solve crime, but access to that information by law enforcement or military agencies can constitute an infringement of personal liberty (which is one of the principles upon which this country was founded). Thus government is both the protector and the cause of concern, and untying the hands of enforcement agencies that protect us while keeping their agents from scrounging secrets out of our trash is one of the enduring concerns of national computer policy.

National Security Decision Directive 145 (NSDD 145), entitled the National Policy on Telecommunications and Automated Information Systems Security, signed by President Reagan on September 17, 1984, had far-reaching significance in the world of computer security. NSDD 145 mandated the protection of both classified and unclassified sensitive information. It also gave NSA the obligation to "encourage, advise, and if appropriate, assist" the private sector. Because it gave NSA jurisdiction in the private sector, NSDD 145 was a controversial directive.

NSDD 145 required systems that handle classified information to be secured as necessary to prevent access by unauthorized individuals. It also required that systems protect sensitive information, whether it originated in the government or outside it, in proportion to the potential damage that disclosure, alteration, or loss posed to national security. Examples of sensitive information include productivity statistics; information that might relate to the disruption of public services (e.g., air traffic control information); and virtually all information collected by such organizations as the Social Security Administration, the Federal Bureau of Investigation, the Internal Revenue Service, and the Census Bureau (e.g., individual health and financial records). These provisions rankled private enterprise, which used such data for planning purposes. Post 9/11 concerns have caused the pendulum to swing in favor of guarding such information.

In an effort to clarify the meaning of sensitive information and better interpret the requirements for its protection, the National Telecommunications and Information Systems Security Publication 2 (NTISSP 2), "National Policy on Protection of Sensitive but Unclassified Information in Federal Government Telecommunications and Automated Systems," was published on October 29, 1986.

NTISSP 2 defined sensitive information as follows:

Sensitive, but unclassified information is information the disclosure, loss, misuse, alteration, or destruction of which could adversely affect national security or other federal government interests. National security interests are those unclassified matters that relate to the national defense or the foreign relations of the U.S. government. Other government interests are those related, but not limited to the wide range of government or government-derived economic, human, financial, industrial, agricultural, technology, and law enforcement information, as well as the privacy or confidentiality of personal or commercial proprietary information provided to the U.S. government by its citizens.

NTISSP 2 applied to all government agencies and contractors. It described the general categories of information that might relate to national security, foreign relations, or other government interests. It instructed the heads of departments and agencies to determine what information is sensitive but unclassified and to provide system protection for that information when it is electronically communicated, transferred, processed, or stored.

2.5.2. Computer Fraud and Abuse Act

Issued in 1986, the Computer Fraud and Abuse Act (18 U.S. Code 1030, now called Public Law 99-474) prohibits unauthorized or fraudulent access to government computers and establishes penalties for such access. Anyone convicted under this act faces a fine of $5,000 or twice the value of anything obtained via unauthorized access, plus up to five years in jail (one year for first offenders). The act prohibits access with the intent to defraud, as well as intentional trespassing. For example, posting passwords to federal computers on pirate electronic bulletin boards is a misdemeanor under this act. Robert T. Morris, author of the infamous Internet worm, was the first person convicted under the Computer Fraud and Abuse Act (Section 1030 (a)(5)), setting a precedent for future cases.

There are complaints about the wording of the Computer Fraud and Abuse Act on both sides of the issue.

The frustration of the Justice Department in prosecuting espionage cases in which classified information has been obtained by computer has led the Department to try to change the wording of the Computer Fraud and Abuse Act. The current law says it's a felony for anyone knowingly to gain unauthorized access to a computer and obtain classified information "with the intent or reason to believe that such information so obtained is to be used to the injury of the United States or to the advantage of any foreign nation." The Justice Department wants to drop that clause. The revised law would simply require proof that the intruder obtained certain information, not that the information was delivered or transmitted to anyone else.

Amendments to the Computer Fraud and Abuse Act have been proposed in Congress to expand the act's current government and banking focus to any systems used in interstate commerce or communications. The amendments would also change the orientation of the act from simple unauthorized access to the use of a computer system in performing other crimes.

On the other side of the issue, there have been complaints that the language of the Computer Fraud and Abuse Act is too general and can apply to anyone who writes or teaches about computer security. There have also been suggestions that the act should explicitly treat different types of offenses in different ways. At present, there is no clear distinction between people who use computers for hacking, for computer crime, or for terrorism.

As yet, no changes have been made to the language of the Computer Fraud and Abuse Act.

2.5.3. Computer Security Act

An important outgrowth of NSDD 145 was the development of the Computer Security Act of 1987 (H.R. 145), which later became Public Law 100-235. This act has expanded the definition of computer security protection and has increased awareness of computer security as an issue. It's the closest thing the United States has to a federal data protection policy. The Computer Security Act, which went into effect in September 1988, requires every U.S. government computer system that processes sensitive information to have a customized computer security plan for the system's management and use. In this, it mirrors the Common Criteria used in Europe. It also requires that all U.S. government employees, contractors, and others who directly affect federal programs undergo ongoing periodic training in computer security. All users of systems containing sensitive data must also receive computer security training corresponding to the sensitivity of the data to which they have access.

The Computer Security Act further defines sensitive information as information whose "loss, misuse, unauthorized access to, or modification of could adversely affect the national interest, or the conduct of federal programs, or the privacy to which individuals are entitled under . . . the Privacy Act" (described in the section "Privacy Considerations" later in this chapter).

This act gave NIST new responsibility for federal computer security management. It assigned to the ICST within NIST responsibility for assessing the vulnerability of federal computer systems, for developing standards, and for providing technical assistance, as well as for developing guidelines for the training of federal personnel in computer security-related areas. NSA was assigned a role as advisor to NIST regarding technical safeguards.

The Computer Security Act does not affect the protection of classified information. It also allows requirements to be waived if they disrupt or slow down the implementation of what's considered to be an important federal agency mission.

2.5.4. Searching for a Balance

Following the adoption of the Computer Security Act, concerns were voiced by Congress, industry, professional groups, and the general public about the potential for abuse. These concerns focused on NSA's role in the private sectorin particular, relating to the control of unclassified information. Banks and other data-intensive industries feared that the act would impose disruptive restrictions on their operations. Civil libertarians were concerned about infringements on personal privacy. These concerns culminated in a series of Congressional hearings during 1987. During these hearings, NTISSP 2 was rescinded (March of 1987), and a review of NSDD 145 was ordered. Debate continues about the appropriate role of government in protecting and mandating the protection of information (see the sidebar "Hackers' Rights").

Hackers' Rights

Computer hackers have come under increasing scrutiny, to the point that it may be technically illegal to perform many legitimate research activities. Legislation did not leave too many holes for small independent researchers, and large firms and universities do not want to risk a technical violation of the law. As a result, current activity by hackers takes place in an underground movement.

This is actually a return to conditions that existed about a decade ago. In the wake of early 1990s law enforcement sweeps such as Operation Sun Devil, which seized 42 computers and 23,000 floppy disks in 14 cities, shut down several bulletin board systems, and made four arrests in the spring of 1990 (some resulting from publication of information about the BellSouth 911 emergency telephone service and other "hacker tutorials"), a group was formed to provide legal aid to those it said had been victimized.

Mitch Kapor (of Lotus and ON Technology fame) and John Barlow (author and Grateful Dead songwriter) banded together, in conjunction with some well-known New York and Boston law firms, to form a defense team known as the Electronic Frontier Foundation, which seeks to protect the civil liberties of legitimate computer users. It was the EFF that successfully cracked the DES encryption algorithm using a specialized hardware device even as government witnesses were testifying in committees and before Congress that DES would take centuries and millennia to crack, even with a fast computer. Obviously, a great debt is owed these pioneers. Without them, trust in DES would have been misplaced, and private information compromised.

Members of the team charged that in trying to protect the government, industry, and individuals from cracker attacks, government agents violated constitutional rights. They also warned that the intimidation of today could thwart the technology of tomorrow. Senator Patrick Leahy, Democrat from Vermont, insisted that lawbreakers should be punished, but commented, "We cannot unduly inhibit the inquisitive 13-year-old who, if left to experiment today, may tomorrow develop telecommunications or computer technology to lead the United States into the 21st century. He represents our future and our best hope to remain a technologically competitive nation."

His plea went unheard. Harsh prison sentences seem to rule now, as public anger has started to rise against spam and other invasions of privacy. In one recent case, an attacker sent spam to hundreds of thousands of people using the return addresses of certain reporters at some Philadelphia newspapers. The attacker wanted to rant about how his favorite sports team was getting a raw deal. Unfortunately, when thousands of users who received the email logged on to protest, and when the out-of-date addresses on the attacker's list started bouncing back as returned to sender, the newspaper workers whose email addresses had been spoofed started getting deluged with mail, none of which was rightfully theirs. The attacker was eventually caught and sentenced to numerous consecutive sentences, 471 years in total. Manslaughter can carry a sentence as light as 5 to 10 years. Obviously the sentencing structure is currently out of whack.

In 1990, NSDD 145 was revised and reissued as National Security Directive 42 (NSD 42). The new directive narrowed the original scope of NSDD 145 to primarily defense-related information.

2.5.5. Recent Government Security Initiatives

NSA, NIST, and DoD have all played an important part in developing computer security standards and in carrying out security programs. The exact balance of responsibility has not always been clear, and the boundaries continue to shift. Typically, NSA has had responsibility for the protection of classified military and intelligence information via computer security techniques, while NIST has been responsible for developing standards and for developing computer security training programs. At times, both NSA and NIST have claimed responsibility for safeguarding unclassified, sensitive information, though most recently this type of information has been in NIST's bailiwick. Although standards for the evaluation of secure systems came about under NIST's auspices, actual evaluations are performed by the National Computer Security Center, a part of NSA. Different pieces of legislation seem to shift the balance one way or the other.

As a consequence of NSDD 145, the balance of responsibility seemed to shift to NSA (only to shift back again to NIST with the Computer Security Act and the revision of NSDD 145). NIST's Computer Security Program now encompasses a wide range of security activities, including developing and publishing computer security standards (in conjunction with organizations such as ANSI, ISO, and IEEE, described later in this chapter); conducting research in areas of security testing and solutions; and providing computer security training and support to other government agencies.

NSA and NIST have signed a memorandum of understanding about how they will cooperate on issues affecting the protection of sensitive unclassified information, mainly focusing on the implementation of the Computer Security Act. Their agreement is still subject to interpretation, and the balance continues to be a fragile one.

2.5.6. Modern Standards for Computer Security

In late 1990, NSA and NIST announced they were embarking on a joint venture that might result in new computer security criteria for computer procurements by federal agencies. The joint venture was also expected to take into consideration the European Community's Information Technology Security Evaluation Criteria (ITSEC), requirements that are under consideration as an international security standard. The result of this collaboration is known as the Common Criteria, and it is the foundation of computer protection documents today.

Under funding by DARPA, the National Research Council published a report, entitled Computers at Risk, that expressed concern about the state of computer security in the United States, and made recommendations about the need for a more coordinated security structure The committee's report also suggested the publication of a comprehensive set of what are known as Generally Accepted System Security Principles (GASSP), which would clearly define necessary security features and requirements.

2.5.7. GASSP and GAISP Overview

Creation of the GASSP began in response to Recommendation #1 of the Computers at Risk report. Originally carried by the International Information Security Foundation (IISF), the GASSP has drawn from an array of existing guidelines, such as those created by the Organization for Economic Cooperation and Development (OECD) and the United Kingdom Department of Trade and Industry. As a global initiative, participation and support have been gained from respected groups such as the International Information Systems Security Certification Consortium (ISC)², the International Standards Organization (ISO), the Institute of Internal Auditors (IIA) and the international Common Criteria effort.

The Information Systems Security Association (ISSA) decided, with the concurring support of the IISF, to take on the leadership needed to finalize and promote this important body of work as the Generally Accepted Information Security Principles (GAISP).

In the wake of the attacks of 9/11, the security industry has seen a dramatic increase in awareness and participation from the U.S. federal government, with new initiatives such as the Department of Homeland Security and the Partnership for Critical Infrastructure Security. Security professionals have an opportunity to work with these efforts and establish self-regulations rather than permit government-mandated security policies and regulations to fill the perceived void.

The GAISP is a comprehensive guidance hierarchy that provides a globally consistent, practical framework for information security. The final body of the GAISP will provide three levels of guiding principles to address security professionals at all levels of technical and managerial responsibility:

Pervasive Principles: Targeting governance and executive-level management, the Pervasive Principles outline high-level guidance to help organizations solidify an effective information security strategy.
Broad Functional Principles: Broad Functional Principles are the building blocks of the Pervasive Principles and more precisely define recommended tactics from a management perspective.
Detailed Principles: Written for information security professionals, the Detailed Principles provide specific, comprehensive guidance for consideration in day-to-day information risk management activity.

2.5.8. Privacy Considerations

The ability to collect and manage information doesn't necessarily confer the right to save, analyze, and publicize that information, but several recent attacks suggest that this is occurring. In one high profile case, an airline was approached and asked to turn over the records of millions of passengers who had purchased tickets for trips on the airline. Apparently the purpose was to combine the flight plans of customers with other data available commercially, such as reports from credit bureaus, and determine which fliers may fit the profile of a terrorist. This is feasible only if you can rapidly combine information from several different databases, and that, in the view of many, represents a massive invasion of privacy.

The concern that the compilation of more benign databases could provide potentially harmful information began at about the time commercial use of computers first accelerated. During the 1960s, the increasing availability of large-scale computers made possible for the first time the development and use of centralized, computerized databases. In 1965, recommendations were made for the establishment of a National Data Bank to serve as a central repository of all personal information gathered by federal agencies about U.S. citizens. This proposal awakened concerns about the computer's potential for invading individual privacy. Extended and heated testimony was heard before the U.S. House of Representatives Subcommittee on the Computer and Invasion of Privacy. There was considerable national discussion about the potential for abuse of centralized databases and about the need for legal action to protect society against such abuses.

Since the dawn of the computer age, there has been tension between, on the one hand, the technologies that enable huge amounts of information to be stored and accessed with accuracy and efficiency, and, on the other hand, the right to personal privacy. In the case of the airline issue, the defense agency that requested the data even used a private company to merge the lists and perform the analysis. This circumvented laws prohibiting the government from forming such databases. Private industry, even as a contractor to government, faces fewer such restrictions. This issue is explored forcefully in Database Nation, by Simson Garfinkel (O'Reilly).