Interesting People mailing list archives
IP: CSPP Security Report available on web
From: Dave Farber <farber () central cis upenn edu>
Date: Mon, 29 Jan 1996 16:13:59 -0500
From: JimIsaak <isaak () ljo dec com>

The CSPP Security report "Perspectives on Security in the Information Age" is available. You will find a copy on the CSPP WEB.

http://www.podesta.com/cspp/reports/report1-96.html

FYI,
Jim

Executive Summary

The Information Age promises an explosion in economic growth, technological innovation and educational opportunities that could improve the standard of living and the quality of life around the world. To achieve this promise, the private sector, with the encouragement of government, is building the Global Information Infrastructure (GII), the electronic pathways that will carry vast quantities of valuable commercial, scientific, and educational information between individuals, companies and customers, doctors and patients, students and teachers.

While the GII offers unprecedented access to and exchange of information, it also exposes users to breaches of confidentiality, disruption of their operations, destruction of intellectual property and outright theft. These are serious concerns because electronic data in digital form -- or cyberproperty -- is emerging as the most valuable currency of the Information Age.

Users of the GII have the need, right, and responsibility to protect the access to, and the confidentiality of, their information. They also have the right and responsibility to determine the appropriate type and strength of protection for their cyberproperty.

Consider the case of U.S. companies, which currently lead the global information technology market. U.S. export control policies severely limit their ability to provide customers global security solutions, based on encryption, that are seamlessly integrated into their computer systems. If U.S. companies are prohibited from meeting this growing demand for secure electronic commerce, non-U.S. competitors are ready, willing and able to do so. In fact, many already are exporting security solutions stronger than those U.S. firms can export.

The advantage that competitors will derive from their ability to meet the growing demand for secure, integrated global solutions will result in loss of market share for U.S. computer systems manufacturers, not only in the encryption market, but also in the general computer systems market. Emerging Security Needs and U.S. Competitiveness: Impact of Export Controls on Cryptographic Technology, a CSPP study released in December 1995, estimates that the potential exposure to the U.S. information industry's annual revenues could range from $30 to $60 billion by the year 2000.

While individuals and industry have a compelling interest in protecting their cyberproperty, the government has an interest in gathering intelligence and enforcing the law. In addition to lawful wiretaps and searches, the government meets its security objectives by clandestinely intercepting information traveling on the GII among criminals and terrorists. The government is concerned that the spread of global security solutions may adversely affect its law enforcement and international intelligence gathering responsibilities.

But strong security solutions are already available in the international marketplace to legitimate users and terrorist and criminal elements alike. Given this reality, the government efforts to prevent the global spread of security technology are doomed to fail.

Governments and the private sector must reach a consensus on broad principles that can serve as the foundation for a rational export control policy. CSPP has developed a set of security principles that offer a framework for agreement on a reasonable and achievable national policy. CSPP has also drafted specific recommendations for action that can satisfy the U.S. computer industry's immediate export needs while a comprehensive policy solution is designed.

How effectively individual users, the private sector, and governments work together to define a security policy that fairly balances competing economic and security interests, will determine the scope and growth rate of the GII.

CSPP believes existing and proposed U.S. policies controlling cryptography should be based on the following security principles:

1. Users have the need, right, and responsibility to determine the type and strength of security required;
2. Governments should not impose unilateral controls on trade in commercial security technology;
3. Multilateral controls must cover all major sources of commercial security solutions world-wide;
4. Commercial security solutions should be treated as commercial products under the Department of Commerce export controls;
5. The availability of cryptography should not be regulated according to technology levels;
6. No regulatory distinctions should be made between hardware and software security solutions;
7. Industry should be responsible for developing standards for commercial security solutions;
8. Actions permitted under the existing U.S. law should be exhausted before creating new laws to address issues of government access;
9. There should continue to be no controls on domestic use of cryptography; and
10. Export controls should not be used to impose controls indirectly on domestic availability of cryptographic products.

Given the present market realities and government needs, CSPP recommends the following first steps to promote the legitimate use of security by individuals and companies and to address the U.S. government's intelligence gathering and law enforcement interests:

1. Link the decontrol of U.S. commercial cryptographic products to the availability of competitive products in the international marketplace;
2. Permit the export of stronger U.S. commercial cryptographic products, without technology restrictions, to legitimate, commercial end users;
3. Discuss the export of stronger U.S. commercial cryptographic products that meet reasonable government access needs; and
4. Embargo U.S. commercial cryptographic products in terrorist countries.