Develop Systems and Mechanisms to Ensure Privacy and Security

Business Relies on Secure Communications

Imagine this: A businesswoman walks into a post office, presents a picture ID, and is given a "public key." Using this key card, she electronically signs a federal contract and transmits it over the National Information Infrastructure to a contracting agency. The transaction is valid, secure, and paperless.

Automated teller machines (ATMs) are one of the most successful examples of using information technology to improve service. Viewed with skepticism at their introduction, they are now the principal means used to conduct routine banking transactions. Fundamental to their success is public confidence in the trustworthiness of the electronic banking system. Indeed, people's chief anxiety about using ATMs is the fear of being robbed while making a withdrawal.

A new type of crime is the "high-tech mugging," in which ATM access information is stolen and used to make unauthorized withdrawals. In a recent Brooklyn, N.Y., case, crooks used a hidden video camera to look over the shoulders of people withdrawing money at ATMs. The camera recorded their personal identification numbers (PINs); later the thieves matched these with discarded receipts to withdraw money illegally. In another ATM caper, crooks placed a bogus ATM machine in a Connecticut mall. The bogus machine not only recorded hundreds of PINs, but also read the private account information stored on each ATM card. The bogus ATM machine returned cards to the unsuspecting owner and displayed a message indicating that the transaction could not be completed. These criminals later used the information to withdraw money. In both of these crimes, the crooks succeeded in stealing over $100,000.

These cases illustrate real monetary losses from the exploitation of system security vulnerabilities.
However, they also illustrate the real potential for a loss of public confidence in electronic government.[1] Unless the information systems and electronic services delivery systems protect the information being processed and the privacy of the individuals using them, electronic government will not work.

Government is beginning to use the recent advances in information technology to lower costs; increase efficiency and productivity; and collect, use, and analyze far more information, much of it personal. As government use of electronic services and information systems grows more extensive and widespread, government and citizens will demand continued confidentiality and integrity in the information processed. Also, as government, businesses, and other organizations rely more on electronic records and information, they will also demand more access to diverse, interconnected databases.

Information technology can provide tremendous benefits in improved service and, used properly, enhanced privacy and security. But without proper attention, it can also permit inappropriate, unauthorized, or illegal access to information. Furthermore, new electronic government applications--particularly those focused on service-to-the-citizen programs--present nontraditional challenges and vulnerabilities regarding accuracy, authentication, privacy, and security. These challenges and vulnerabilities are both technical and policy-related.[2]

Although overcoming the technical challenges is straightforward, a tradeoff must be made between cost and risk. Information technology-based solutions and prototypes (cryptography, digital signatures, security protocols) for protecting distributed internetworked systems will soon be available. The implementation of these solutions should be weighed against all identifiable risks.

Overcoming the political and policy challenges, however, is not straightforward.
Prominent among these today is the appropriate role of the federal government in privacy and security. Examples of particularly challenging policy issues include balancing national security interests with private sector business interests, and maintaining a balance between individual privacy and governmental efficiency.

The American people want trustworthy, readily available information, and computer systems that are user-friendly, secure, and protective of individual privacy. These systems must:

---safeguard information, facilities, information systems, and networks against illegal or unauthorized access, modification, or disclosure;
---balance access to agency information and records with appropriate privacy controls;
---respect private ownership of information and be subject to policies and disclosure procedures for government use of individual information; and
---incorporate privacy and security safeguards early in the design of the system.

Finally, as the nation develops information highways and expands the national information infrastructure, systems should be designed and used within a framework that

---protects national security interests,
---permits legitimate law enforcement activities,
---enhances global competitiveness and productivity for U.S. business and industry, and
---ensures the privacy and civil liberties of all citizens.

Need for Change

Public acceptance of and reliance on electronic information and data require

---striking the proper balance between an individual's personal privacy and the government's need for information,
---providing a high degree of security against unauthorized access or use, and
---maintaining the accuracy of the information stored or processed.

Need for Privacy. Americans are becoming increasingly concerned about threats to their personal privacy resulting from wider use of information technology to collect, maintain, and manipulate personal information.
A poll conducted in 1970 showed that only 33 percent of respondents were concerned about personal privacy.[3] In 1990 polls, that proportion had risen to 79 percent.[4]

Although advancing technology can create new opportunities for misuse, the real problem lies in the lack of adequate management controls over those with access to personal records. For example, in a recent well-publicized case, the U.S. Attorneys announced the arrest of over two dozen individuals who engaged in schemes to buy and sell information from Social Security Administration (SSA) computer files.[5] Most of those arrested were current or former employees of the SSA or the Department of Health and Human Services' Office of Inspector General. This case brought to the public's attention the fact that SSA employees in over 1,300 offices all across the country have unrestricted access to over 130 million records on working Americans. In another case, HHS's Inspector General found social security number fraud: An SSA employee had used social security numbers taken from the SSA records to obtain and establish credit.[6]

Giving increased attention to personal privacy policies and procedures would allow the federal government to better represent American business interests abroad, particularly in Europe, where privacy protection approaches differ from U.S. approaches.[7] Information, and the records associated with this information, is a global commodity, which readily flows across international borders. Trade conflicts and issues may arise for U.S. businesses when dealing with the privacy laws of other countries, such as the recent privacy laws advocated within the European Community for transborder flow of information.

Need for Security. As society becomes more dependent on computers and computer communications systems for the conduct of business, government, and personal matters, it relies more on the availability, confidentiality, and integrity of the information these systems process.
Information security has become especially important for applications such as electronic transactions where accuracy, authentication, or secrecy are essential. OMB estimates that by 2000 approximately 75 percent of public transactions will be processed electronically.[8] The private sector already uses electronic transactions widely. One trillion dollars in worldwide banking and financial transactions occur each day.[9] Yet the best security systems in use today lose money, credit and financial reports, and private and proprietary data due to electronically perpetrated theft and unauthorized browsing. For example, in the United States, computer crime losses alone total $15 billion per year.[10] These losses are minor when compared to potential losses from harmful and illegal acts such as service disruption, terrorism, and industrial espionage. The cost could be billions for a single debilitating disruption of service or criminal act.

More than dollar losses are at stake. In distributed, electronically based information systems, if access controls and security concerns are not addressed as government proceeds with reinvention, vulnerabilities to U.S. national security may be inadvertently created by making information readily available to foreign governments, competitors, or criminals.[11] Finally, large-scale service disruptions could adversely affect recipients of federal benefits and information-based services of all kinds.

A division between sensitive unclassified and classified information is statutorily mandated by the 1987 Computer Security Act.

The following actions use existing privacy and security boards, councils, and groups. Exceptions are two near-term task forces to develop high priority, essential standards or generally acceptable principles needed for rapid progress in creating an electronic government.

Endnotes

1. "On PINs and Needles Over ATMs," Washington Post (May 21, 1993), pp. G1, G8, and "ATM Scams; High-Tech Caper Prompts Banks to Step Up Security," The Hartford Courant (July 11, 1993), p. D1.
2. U.S. Congress, Office of Technology Assessment (OTA), Federal Government Information Technology: Electronic Record Systems and Individual Privacy, OTA-CIT-296 (Washington, D.C., June 1986); The Report of the Privacy Protection Study Commission, Personal Privacy in an Information Society (Washington, D.C.: U.S. Government Printing Office, July 1977); and U.S. Congress, Office of Technology Assessment, Defending Secrets, Sharing Data: New Locks and Keys for Electronic Information, OTA-CIT-310 (Washington, D.C., October 1987).
3. Piller, Charles, "Special Report: Workplace and Consumer Privacy Under Siege," MacWorld (July 1993), pp. 1-14.
4. See Weston, Alan F., and Louis Harris and Associates, The Equifax Report on Consumers in the Information Age (Columbia University, 1990).
5. U.S. Congress, House, Committee on Ways and Means, Subcommittee on Social Security, "Illegal Disclosure of Social Security Earnings Information by Employees of the Social Security Administration and the Department of Health and Human Services' Office of Inspector General: Hearing," 102nd Congress, 2nd Session, Serial 102-131, September 24, 1992.
6. Ibid.
7. Congressional Record-House, H755-757, January 29, 1991.
8. U.S. General Accounting Office, Comptroller General's 1989 Annual Report: Facing Facts (Washington, D.C.: U.S. General Accounting Office, 1990), p. 28.
9. Adam, John A., "Special Report: Data Security," IEEE Spectrum (August 1992), pp. 18-44.
10. Illustrative Risks to the Public in the Use of Computer Systems and Related Technology, vol. 18 (Menlo Park, CA: SRI International, undated).
11. See OTA, Defending Secrets, Sharing Data: New Locks and Keys for Electronic Information, and Department of Defense Security Institute, "Security Awareness News: A Compilation of News Articles on Counterintelligence and Security," Richmond, VA, May 1993, pp. 2, 23.