
6.2. Cohesive Legislation

A national legislative conference called for the purpose of considering the adoption of uniform legislative policies, definitions, requirements and penalties would represent a significant contribution to assuring the effective implementation of laws that are enacted.

Specifically needed are definitions of the rights to be accorded to individuals in the collection, use, and dissemination of personal data and the disclosure of information to the individual for purposes of verification. The recommendations of the HEW Advisory Committee could serve as a point of departure for such a conference (see Appendix A). An expected outcome of the conference would be model Federal, State, and local legislation for addressing the privacy problem. A number of such models are in existence. These could be considered and either recommended or modified as required.

In formulating model legislation or specific proposals, it is essential that the legislative branch at all levels of government have the advice of the technological community to assess the technical feasibility and impact of proposals designed to protect data confidentiality. In addition to the expertise of the appropriate government technical organizations, the computer technical societies, such as the Association for Computing Machinery and the Computer Society of IEEE, should make their resources available to interested legislative committees.

6.3. Uniform Management and Operating Procedures

Cooperative efforts among government agencies, professional societies, the computer industry, and private sector groups, such as the American Banking Association and the American National Standards Institute, can result in the early agreement, documentation, and widespread distribution and implementation of useful management and operating procedures.

In particular, efforts should be directed toward determining the levels of data confidentiality required for the protection of privacy rights and their impact upon technological support requirements. Since these levels can be expected to vary among special user communities, such as health, law enforcement or credit services, initiatives can be taken by these communities in cooperation with the computer and information technology communities.

Of broader and more common application are techniques for such activities as assessing risks, determining threats and threat sources, evaluating alternative security measures, auditing and physical security. Some of these techniques already exist and could be readily documented for wide dissemination and use. As an example, the National Bureau of Standards is developing physical security guidelines which will be made available through public distribution channels. Other organizations with documented techniques could offer them for use elsewhere or, working jointly, could speed up development of techniques which are not now available.

Models of computer system and data protection measures that could be used against various threats would be extremely helpful in providing management with ready-made designs for the operation of secure automated data systems that could be adapted to meet local needs.

6.4. Research and Development

Interaction among government agencies, other user communities, and industry groups can lead to general agreement on significant needs and problems which cannot be satisfied by existing science and technology. Research and development efforts to fill these gaps could proceed on a coordinated but independent basis.

This Conference has initially identified several such needs. Among these is a need for self-protected computer systems. While techniques for controlled accessibility exist for systems which are not programmed by their users, little is being done to generate self-protected systems as a base for resource-shared systems which must be secure against threats from producers, that is, systems in which programming access is provided to some or all users. The focus of ongoing efforts is the development of secure advanced time-sharing systems supporting on-line programming, extensive program-sharing facilities and the like, such as the Air Force project to develop a certifiably secure system and the multi-minicomputer system being developed at the University of California, Berkeley.

In addition to this important work, there is a need to develop self-protected systems on other suitable equipment. In order to accomplish this, it is necessary to define uniform self-protection requirements and to develop models of controlled accessibility that are based on other modes of computing, such as multiprogrammed use of systems with data file sharing in production environments.

Secure operating systems are those with access authorization mechanisms which use the system's self-protection mechanisms to enforce the access limitations of a programming user (producer). In such a system both the self-protection and access-authorization mechanisms must be self-contained and certifiable. One expression of these concepts is found in the Air Force Computer Security Technology Planning Study. It postulates systems in which all references of any program to any other program, data, or peripheral device are validated during execution against a list of authorized types of reference based on user and/or program function. This idea is called a reference monitor concept and is to be realized in a combination of hardware and software called a reference validation mechanism.

It is the efficiency consequences of validating each reference of an executing program that lead to the search for hardware techniques to perform this function. For this reason, descriptors or address-mapping tables that include reference-type checking appear attractive for developing secure systems.

The software components of a reference validation mechanism include the processing of authorized references for each user/program function to set values in the tables/descriptors used in reference checking, software that provides for the administration of the authorizations for individual users, and software that deals with attempted violations of authorized access.
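The three software components just listed can be made concrete in a few dozen lines. The following is an added example written for this page, not code from the Air Force planning study or from any system the report names: a table-driven reference validation mechanism whose subjects are (user, program function) pairs, so that an authorization can depend on the user, the program, or both. The reference types, user identifiers, file names and device names are constructed for the example.

```python
"""Added illustration of the reference monitor concept (example code for this page).

Component 1: load() turns the authorized-reference list into table entries.
Component 2: authorize()/revoke() administer authorizations for individual users.
Component 3: validate() refuses and records every attempted violation.
Every reference a program makes during execution is passed through validate().
"""
from dataclasses import dataclass, field

# Reference types the mechanism distinguishes (an assumed set for the example).
REFERENCE_TYPES = frozenset({"read", "write", "execute", "control"})


@dataclass
class ReferenceValidationMechanism:
    # table[(subject, object)] -> set of authorized reference types, where the
    # subject is a (user, program-function) pair.
    table: dict = field(default_factory=dict)
    violations: list = field(default_factory=list)

    def load(self, authorized_references):
        for subject, obj, types in authorized_references:
            self.authorize(subject, obj, *types)

    def authorize(self, subject, obj, *types):
        unknown = set(types) - REFERENCE_TYPES
        if unknown:
            raise ValueError(f"unknown reference type(s): {sorted(unknown)}")
        self.table.setdefault((subject, obj), set()).update(types)

    def revoke(self, subject, obj, *types):
        allowed = self.table.get((subject, obj))
        if allowed is not None:
            allowed.difference_update(types)
            if not allowed:
                del self.table[(subject, obj)]

    def validate(self, subject, obj, ref_type):
        """The check performed on every reference of an executing program."""
        if ref_type in self.table.get((subject, obj), ()):
            return True
        # Attempted violation: refused and recorded.  A real system would also
        # abort or suspend the offending program.
        self.violations.append((subject, obj, ref_type))
        return False


def run_program(rvm, subject, references):
    """Mediate a program's references in order and stop at the first refusal,
    returning (references performed, refused reference or None)."""
    performed = []
    for obj, ref_type in references:
        if not rvm.validate(subject, obj, ref_type):
            return performed, (obj, ref_type)
        performed.append((obj, ref_type))
    return performed, None


def demo():
    rvm = ReferenceValidationMechanism()
    clerk = ("u1001", "PAYROLL")     # constructed user running program function PAYROLL
    auditor = ("u2002", "AUDIT")
    rvm.load([
        (clerk, "EMPLOYEE.DAT", {"read"}),
        (clerk, "PAYCHECK.DAT", {"read", "write"}),
        (clerk, "PRINTER1", {"write"}),
        (auditor, "EMPLOYEE.DAT", {"read"}),
        (auditor, "PAYCHECK.DAT", {"read"}),
    ])
    # A clerk run that stays within its authorizations.
    _, clerk_refusal = run_program(rvm, clerk, [
        ("EMPLOYEE.DAT", "read"), ("PAYCHECK.DAT", "write"), ("PRINTER1", "write")])
    # The auditor's program attempts a write it is not authorized to make.
    _, auditor_refusal = run_program(rvm, auditor, [
        ("EMPLOYEE.DAT", "read"), ("PAYCHECK.DAT", "write")])
    # Administration: withdraw the clerk's printer authorization, then try again.
    rvm.revoke(clerk, "PRINTER1", "write")
    _, after_revoke = run_program(rvm, clerk, [("PRINTER1", "write")])
    return {
        "clerk_refusal": clerk_refusal,
        "auditor_refusal": auditor_refusal,
        "after_revoke_refusal": after_revoke,
        "violations": list(rvm.violations),
    }


if __name__ == "__main__":
    print(demo())
```

The table lookup in validate() is the part a hardware descriptor or address-mapping entry would take over, which is why the text above turns to hardware for the per-reference cost; the load, administration and violation-handling paths stay in software in either case.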

Another need for further research and development relates to network security. The outstanding needs of network security are not generally understood by either users or the technical community at large. Not only is the security of the information processing systems connected via a network at stake; the network itself becomes an object of security interest. A coordinated research program to provide secure network models which can be used to measure and evaluate costs, protection, and service would help designers decide whether to allocate security-related functions to the network and, if so, which ones (e.g., user identification, authorization checks).

Finally, the inability to positively and uniquely identify individuals who are authorized to gain access to computer systems and data remains a basic obstacle to computer security. Further research and development of identification techniques, together with network security and self-protected systems, represents an initial set of requirements around which, by common consensus, a coordinated program can be pursued.

6.5. Innovative Applications of Technology

Innovative applications of existing technology can produce improvements in the capability of currently available systems to protect data. Cooperative efforts among users, user communities and the computer industry to develop and stimulate new ideas and to publicize successful experiences can make a positive near-term impact upon security effectiveness.

Two such possibilities were identified at this Conference. The first relates to the retrofitting of existing systems to satisfy new security requirements.

On most systems, for example, it would be fairly easy to validate a program's authority for initial access (e.g., OPEN) to a given file, or a user's authority to call for the execution of a given program. Because these validation functions would occur only once per job, they are not too costly to consider using, and they would provide at least a first level of controlled accessibility for a system. It would be possible, but more difficult, to validate authority to access specific records of a file, since this requires a representation of the access privileges accorded to the use of the file as a whole (e.g., its records could be individually tagged for reading only), or a label on each record which shows in some meaningful way the kinds of restrictions on its use.

Where the individual making the access is a consumer only, record access validation can still be relatively simple. However, the complexity increases if record access validation is applied to producers, who can generally request any processing action on a record (e.g., read, write, delete) and whose authority to access a record has to be determined in the specific context of the request.
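The two levels of retrofit described in the preceding paragraphs, a once-per-job check at OPEN and a per-record check against a label, can be combined in one small mechanism. The following is an added example written for this page and not code from the original report: file names, user names, the consumer/producer roles as modelled here, and the record labels are all constructed. A consumer is refused anything but a read before the record is even looked at; a producer's request is decided by the record's own label.

```python
"""Added illustration of retrofitted access validation (example code for this page):
authority to OPEN a file is checked once per job; each record request is then
checked against the record's label, with consumers and producers treated differently.
"""
from dataclasses import dataclass, field


class AccessError(Exception):
    pass


@dataclass
class Record:
    data: str
    label: str = "r"   # letters permitted on this record: r=read, w=write, d=delete


@dataclass
class File:
    name: str
    records: dict = field(default_factory=dict)   # record key -> Record


# Consulted once per job, at OPEN: (user, file) -> role.  A consumer may only read;
# a producer may request any processing action, subject to the record label.
OPEN_AUTHORITY = {
    ("alice", "ACCOUNTS"): "consumer",
    ("bob", "ACCOUNTS"): "producer",
}

ACTION_LETTER = {"read": "r", "write": "w", "delete": "d"}


class Job:
    def __init__(self, user):
        self.user = user
        self.opened = {}   # file name -> (File, role), fixed for the life of the job

    def open(self, file):
        """First level of control: validated once, when the file is opened."""
        role = OPEN_AUTHORITY.get((self.user, file.name))
        if role is None:
            raise AccessError(f"{self.user} is not authorized to OPEN {file.name}")
        self.opened[file.name] = (file, role)
        return role

    def access(self, file_name, key, action, value=None):
        """Second level: each record request is checked in its own context."""
        if file_name not in self.opened:
            raise AccessError(f"{file_name} was not opened in this job")
        file, role = self.opened[file_name]
        if action not in ACTION_LETTER:
            raise AccessError(f"unknown action {action}")
        # Consumers are the simple case: anything but a read is refused outright.
        if role == "consumer" and action != "read":
            raise AccessError(f"consumer {self.user} may not {action} records")
        record = file.records.get(key)
        if record is None:
            raise AccessError(f"no record {key} in {file_name}")
        # Producers: the record's label decides, request by request.
        if ACTION_LETTER[action] not in record.label:
            raise AccessError(f"record {key} (label {record.label!r}) forbids {action}")
        if action == "read":
            return record.data
        if action == "write":
            record.data = value
            return value
        del file.records[key]
        return None


def _attempt(fn, *args):
    try:
        fn(*args)
        return "allowed"
    except AccessError:
        return "refused"


def demo():
    # Constructed file: A1 editable but not deletable, A2 fully open, A3 read-only.
    accounts = File("ACCOUNTS", {
        "A1": Record("balance=100", "rw"),
        "A2": Record("balance=250", "rwd"),
        "A3": Record("closed", "r"),
    })
    alice = Job("alice")
    alice.open(accounts)
    bob = Job("bob")
    bob.open(accounts)
    out = {
        "alice_read": alice.access("ACCOUNTS", "A1", "read"),
        "alice_write": _attempt(alice.access, "ACCOUNTS", "A1", "write", "balance=0"),
        "bob_write": bob.access("ACCOUNTS", "A1", "write", "balance=120"),
        "alice_open_payroll": _attempt(Job("alice").open, File("PAYROLL")),
    }
    for key in ("A1", "A2", "A3"):
        out[f"bob_delete_{key}"] = _attempt(bob.access, "ACCOUNTS", key, "delete")
    out["remaining"] = sorted(accounts.records)
    return out


if __name__ == "__main__":
    print(demo())
```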

While centralized authorization mechanisms will not solve all possible controlled accessibility problems for any particular system, they will provide greater data security on systems than is presently available and in many cases will be adequate in the short run.

A second possibility for the innovative application of existing technology involves the use of cryptographic devices and data encryption techniques. The National Bureau of Standards is currently engaged in making encryption algorithms available to provide a way for civilian agencies of government to protect the contents of data during storage and transmission. Related to the use of these techniques is the need for low-cost, effective cryptographic devices that can be used to protect data confidentiality and integrity in systems using telecommunications. With the availability of self-protected systems, programmed encryption techniques become viable as a means of protecting data on physical storage media or between devices with computational capability. However, such techniques impose additional burdens of key management that need cost-effective resolution. Therefore, development of techniques for efficient key management is also needed.
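To make the key-management burden mentioned above concrete, the following added example (written for this page, not NBS code and not the algorithm the text refers to, which the page does not name) encrypts a stored record under a per-file data key and keeps that data key wrapped under a system master key. The cipher is a counter-mode keystream derived with HMAC-SHA256, with an encrypt-then-MAC tag for integrity; it was chosen only so the example runs on the Python standard library. The master key, data key and record are constructed. The point of the key hierarchy is visible in rotate_master(): changing the master key re-wraps the small data keys and leaves the bulk data on storage untouched.

```python
"""Added illustration of programmed encryption for stored data with a two-level key
hierarchy (example code for this page; the HMAC-based cipher is an assumption made
so that the example runs on the standard library alone)."""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key, nonce, length):
    """Counter-mode keystream: HMAC-SHA256(key, nonce || counter), block by block."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key):
    # Separate keys for confidentiality and for integrity, derived from one key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key, plaintext):
    """Encrypt-then-MAC.  Output is nonce || ciphertext || tag; nonce is fresh per call."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Verify the tag before decrypting; any change to the stored blob is refused."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if len(blob) < NONCE_LEN + TAG_LEN or not hmac.compare_digest(
            tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyHierarchy:
    """One master key held by the (self-protected) system; one data key per file,
    stored beside the file wrapped under the master key."""

    def __init__(self, master_key):
        self.master_key = master_key
        self.wrapped = {}   # file name -> data key sealed under the master key

    def new_file_key(self, file_name):
        data_key = os.urandom(32)
        self.wrapped[file_name] = seal(self.master_key, data_key)
        return data_key

    def file_key(self, file_name):
        return unseal(self.master_key, self.wrapped[file_name])

    def rotate_master(self, new_master_key):
        """Re-wrap every data key; the encrypted files themselves are not touched."""
        for name in list(self.wrapped):
            data_key = unseal(self.master_key, self.wrapped[name])
            self.wrapped[name] = seal(new_master_key, data_key)
        self.master_key = new_master_key
        return len(self.wrapped)


def demo():
    record = b"EMPLOYEE 1001 SALARY 18500"   # constructed sample record
    keys = KeyHierarchy(os.urandom(32))
    data_key = keys.new_file_key("PAYROLL.DAT")
    stored = seal(data_key, record)

    # A modified byte of ciphertext on the storage medium is detected, not decrypted.
    tampered = bytearray(stored)
    tampered[NONCE_LEN] ^= 0x01
    try:
        unseal(data_key, bytes(tampered))
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    # Rotate the master key; the stored record remains readable via the re-wrapped key,
    # and the old master key can no longer unwrap it.
    old_master = keys.master_key
    rewrapped = keys.rotate_master(os.urandom(32))
    try:
        unseal(old_master, keys.wrapped["PAYROLL.DAT"])
        old_master_unwraps = True
    except ValueError:
        old_master_unwraps = False
    return {
        "roundtrip": unseal(keys.file_key("PAYROLL.DAT"), stored) == record,
        "tamper_detected": tamper_detected,
        "rewrapped": rewrapped,
        "old_master_unwraps": old_master_unwraps,
    }


if __name__ == "__main__":
    print(demo())
```

What the example does not solve is exactly what the text calls the burden: the master key itself must be generated, stored and replaced somewhere the self-protected system can defend, and every file key that has to be shared with another device must be transported to it under yet another key.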

6.6. Cost Allocations

A study of the costs of data confidentiality and security in automated systems is essential in creating an understanding for making public choices about the privacy needs of individuals and for allocating the costs among the suppliers, the user communities, the public and the government. Costs must be identified and acceptable concepts developed for cost allocation schemes. Since these will undoubtedly vary among such service activities as government, banking, credit and medicine, appropriate studies might logically be organized on this basis and participated in by management, economists, and technologists.
