|
 |
|
|||||
 |
November 18, 2002
TO: PCIPB
FROM: The Center for Democracy and Technology
We are pleased to submit these comments in response to the National Strategy to Secure Cyberspace, issued for comment on September 18, 2002 ("the National Strategy").
The National Strategy sets out five "Guiding Policy Principles:"
We believe that these principles provide the correct framework for cybersecurity. The National Strategy is right on target in recognizing the importance of private sector expertise and innovation and in rejecting government mandates. In this respect, the report is a welcome contrast to earlier federal government pronouncements on cybersecurity. In the past, the government has tried intrusive approaches that sought to control technology design and/or placed surveillance ahead of meaningful cybersecurity. Thus, in the past, the Executive Branch sought to control the spread of strong encryption, favoring insecure systems that the government could break, even though strong encryption widely used would improve computer security. In the debate over implementation of the Communications Assistance for Law Enforcement Act (CALEA), which imposed design requirements, the FBI and the FCC brushed aside network security concerns and focused instead on processing of surveillance requests. Similarly, some European governments have adopted or are considering imposing data retention requirements - and there has in the past been concern that US officials were interested in data retention requirements - even though data retention does not improve security, but mainly is useful only to investigate break-ins after they occur.
Therefore, we commend the Administration for choosing a path that emphasizes the primacy of private sector initiatives. We urge the Administration to adhere to this strategy, and to resist calls that may come from some for government mandates. From both privacy and security standpoints, government mandates are likely to do more harm than good. Instead, cybersecurity of the critical infrastructures needs to take advantage of the Internet's inherent strengths: decentralized, user-controlled, flexible, and innovative.
There is only one respect in which mandates are desirable and that is within the federal government itself. The government needs to get it own house in order - it needs to force agencies to do the right things. In this regard, we believe that the National Strategy is not strong enough. We urge the Administration to strengthen the power of the office of management and Budget to mandate government -wide adherence to security standards.
The Strategy's treatment of privacy starts with a very good statement: "The interests of security and personal privacy need not be antithetical to one another." (p. 8) In this post 9/11 era, when many discussions of security start from the premise that civil liberties must be curtailed to improve security, this is a refreshing statement.
The report goes on to state: "Indeed, to a large degree, by securing the integrity of communications over the Internet, the measures advocated in this Strategy seek to protect individual privacy and, thus, complement those interests. Nevertheless, in crafting measures to increase the nation's security, one must exercise caution to avoid undermining those fundamental values and characteristics of free society that the nation is seeking to protect in the first place. Accordingly, care must be taken to respect privacy interests and other civil liberties. Consumers and operators must have confidence that information will be handled accurately, confidentially, and reliably." (p. 8; see also p. 43)
We are pleased with the privacy language in the report. We read the report as endorsing the principle that privacy has to be considered horizontally across all cybersecurity sectors and issues and not vertically at the end of a shopping list.
There are several specific recommendations that raise questions or concerns.
"R4-39 ISPs, hardware and software vendors, IT security-related companies, computer emergency response teams, and the ISACs, together, should consider establishing a Cyberspace Network Operations Center (Cyberspace NOC), physical or virtual, to share information and ensure coordination to support the health and reliability of Internet operations in the Untied States. Although it would not be a governmental entity and would be managed by a private board, the Federal government should explore the ways in which it could cooperate with the Cyberspace NOC."
We have some concern with the language recommending consideration of a "Network Operations Center." We understand that what was intended was a means by which existing NOCs and other intrusion detection efforts could share information in near-real-time, which the ISACs do not do. If so, then "NOC" is a misleading term.
"R4-40 The Federal government should complete the installation of the Cyber Warning Information Network (CWIN) to key government and nongovernment cybersecurity-related network operation centers, to disseminate analysis and warning information and perform crisis coordination."
We assume that recommendation R4-40 refers to the reincarnation of FidNet, the intrusion detection monitoring system now being managed by GSA, which poses privacy concerns to the extent that it monitors citizen communications with the government.
The report includes several discussions of authentication and attribution questions. It includes a discussion of the role of authentication in identifying users of non-public systems to ensure that they are authorized to use the system. (e.g., pp. 24, 25) Other parts of the report seem to refer to identifying or tracking users more generally. In particular, on the question of attribution, there is one recommendation and one issue for discussion:
"R4-45 The United States should continue to improve its ability to quickly attribute the source of threatening attacks or actions, seeking to develop that capability to suppress threats before attacks occur."
"D4-27 Because cyber attacks can be launched from anywhere in the world, it is important to develop capabilities to rapidly determine the origin of an attack or exploit in order to respond effectively. This capability, commonly referred to as "attribution," is central to determining if an attack is sponsored by a foreign power. How can government and industry analysts enhance attribution capabilities in order to more rapidly identify the source of an attack?"
Attribution and authentication raise privacy concerns. We understand that the document meant better use of existing information in the investigative process, not the collection of new data. There are ways to improve authentication on networks that does not involve collection of personally identifiable information. The Center for Democracy and Technology is currently engaged in a consultation with Internet industry leaders to develop a set of privacy principles for authentication. We will publish the results and bring them to the attention of the PCIPB.
The Strategy starts with the home user and small businesses and notes the creation of the StaySafeOnline site, http://www.StaySafeOnline.info.
CDT and the Internet Education Foundation have extensive experience working with coalitions to create easy-to-use web resources for users. See, e.g., http://www.GetNetWise.org. IEF is now working on a Privacy Toolbox. http://www.privacytoolbox.org/ We are working to expand the Toolbox to address security issues from a user perspective, and in that regard are eager to cooperate with the FTC, the Administration, and the Internet industry.
We appreciate that there are several paths the Administration might take with the National Strategy. It could continue to refine and expand the document released on September 18; it could distill the document to a higher level that could be embodied in an executive order or OMB guidance; or it pursue a series of initiatives to implement (or further refine) specific recommendations.
The Administration has repeatedly expressed its commitment to consultation, and we believe the Administration is genuinely well-intentioned in that regard. However, consultation is a two-way street. One of the frustrations we faced in being asked for our views before the draft was issued was that the Administration asked what interested parties thought the report should say about protecting privacy, which was laudable, but the Administration did not release any information about what it was planning to propose that could impact on privacy. Consequently, it was impossible for the private sector to respond concretely; we were limited to the abstract.
To ensure more informed interactions in the future and to create a better security strategy in later iterations, we urge the Administration to engage in ongoing consultation, with greater disclosure by the government of its of plans and proposals.
Respectfully submitted,
James X. Dempsey
Deputy Director
Center for Democracy & Technology
|
The Center For Democracy & Technology 1634 Eye Street NW, Suite 1100 Washington, DC 20006 (v) 202.637.9800 (f) 202.637.0968 Contact CDT Copyright © 2005 by Center for Democracy and Technology. |