The Honorable F.J. Sensenbrenner, Jr.

Dear Representative Sensenbrenner:

The Institute of Electrical and Electronics Engineers - United States of America (IEEE-USA) appreciates the opportunity to comment on the provisions contained in the 105th Congress version of HR 1903, The Computer Security Enhancement Act, to promote the use of encryption. IEEE-USA supports the intentions of the bill and recognition of the need for US leadership in this area.

The Computer Security Enhancement bill properly connects the problems of ensuring secure federal computers, protecting citizen privacy, and cryptography. This bill addresses the problems of inadequate security in the information infrastructure. Secure federal computing is critical to information security. Limits on encryption export have succeeded in preventing ubiquitous cryptography. At some point, the price of insecure networks will be greater in human risk and monetary harm than the risks suggested by law enforcement. The Computer Security Enhancement bill may delay the arrival of that day.

The Computer Security Enhancement bill wisely delineates between security and privacy. Privacy requires security, because without the ability to control access and distribution of information, privacy cannot be protected. But security is not privacy. Information is secure if the owner of information can control that information. Information is private if the subject of that information can control distribution and access. The authors of the act should be complimented for understanding the distinctions and interactions between security and privacy.

The issue of key escrow will be critical in public key infrastructures. This bill should be clear that a federal public key infrastructure for use within the United States need not use key escrow. It is possible for an escrow agent with a public key to create perfect digital evidence which the key holder cannot reasonably deny.
Construction of a public key infrastructure with escrow is unwise. If such a system cannot be constructed without escrow, it is questionable that it should exist at all given the potential for misuse.

The bill provides for a National Research Council study of the issue of national key infrastructures. The National Research Council is well suited to complete such a task and such a study would be timely. The National Research Council may accept the responsibility for examining the issue of key escrow for the federal key management infrastructure if Congress does not agree on the issue.

The bill would require that NIST perform evaluations and tests of security technologies. We submit that NIST should be allowed to seek support for technical evaluations from more than the National Security Agency. Within the government, the Department of Energy Laboratories has strength in this area. Security evaluations are a subject of active research; thus, research institutions should be allowed to take part in evaluations. For example, Professor Philip Felton at Princeton University has consistently done the best work in security evaluations of World Wide Web browsers. DARPA and NSF have competitive research procedures to allow the Federal Government to select researchers to provide security evaluations under contract in a timely manner.

We compliment the authors of the bill both for including the training initiatives and the proposals for computer security fellowships. We suggest that fellowships for students should include mathematics and electrical engineering, as well as computer science and computer engineering, since these disciplines provide training critical for computer security. We do not mean to exclude any specific discipline by not listing it; however, these four should certainly be included.

The most important element to promoting encryption is the removal of the unnecessarily restrictive controls on the export of US encryption technology.
An ideal bill would address this topic as well.

In closing, we compliment the House Science Committee and sponsors of the Computer Security Enhancement Act. We offer recommendations in terms of the possibility for outside assistance in security evaluations and the breadth of fellowship availability. Our most critical recommendation is to ensure that the federal key management infrastructure is not built with an escrow for signature keys. The authors of the Computer Security Enhancement bill have seen a critical need with respect to the protection of the information infrastructure, particularly the Federal networks.

IEEE is the world's largest technical professional association with approximately 334,000 members worldwide. IEEE-USA promotes the career and technology-policy interests of the nearly 225,000 electrical, electronics and computer engineers who are U.S. members of the IEEE. The IEEE-USA Committee on Communications Policy addresses issues of telecommunications and information technology. If you have any questions about these issues or would like to talk with our committee members about additional issues, please contact Deborah Rudolph at IEEE-USA, 202-785-0017 x 318.

Again, our thanks for the opportunity to provide these comments.

Sincerely,

Paul K. Kostek
The Institute of Electrical and Electronics Engineers - United States of America

Last Update: March 16, 1999

Permission to copy IEEE-USA policy communications is granted for non-commercial uses with appropriate attribution, unless otherwise indicated.