[Congressional Record Volume 140, Number 134 (Thursday, September 22, 1994)]
[Senate]
[Page S]
From the Congressional Record Online through the Government Printing Office [www.gpo.gov]



 
         INFORMATION SECURITY AND PRIVACY ON COMPUTER NETWORKS

 Mr. ROTH. Mr. President, our society is rapidly becoming a 
world of instant communications, with huge amounts of information being 
passed from computer to computer and available in countless data banks. 
Telecommunications now reach far beyond the telephone. Governments at 
all levels, corporate America, many American families, and academia 
rely on computer networks to conduct their business.
  Every day, more entities are linked to one another via computer 
networks. The world's largest data network is the Internet, which is 
funded by the Federal Government and connects virtually every 
commercial computer network used by Americans at home and work. The 
Office of Technology Assessment estimates that as many as 30 million 
people can use the Internet.
  The Internet has truly become the backbone of the business community, 
and access to it is considered vital. It increases productivity by 
allowing researchers, scientists, and engineers to collaborate. 
Projects can be completed faster and with fewer people simply because 
the same information can be shared electronically across States and 
continents. Vendors can provide their customers with a higher level of 
service and support because problems can now be solved electronically, 
over the Internet.
  Time and money can be saved by choosing from the thousands of free 
software packages. Small American companies are able to sell products 
overseas at a fraction of the cost of hiring a sales staff and sending 
it overseas.
  Last fall, the New York Times and the Wall Street Journal reported a 
major incident--a broad scale electronic break-in of these databanks 
and the companies that rely on them.
  An organization, named Panix, that provides access to the Internet 
for many New York companies put out the following message:

     * * * a security incident of very large proportion has 
     occurred * * *. If your site appears on this list, you should 
     be particularly worried.

  Panix provided a list of over 100 companies affected. Soon after 
these reports, it became clear that the University of Delaware was 
affected. Last February, the Washington Post reported that a rash of 
break-ins was underway. Corporate secrets, confidential personal data, 
academic research, and financial information were at risk.
  As the Internet has grown, so too have the problems of information 
security and privacy, increasing 50 percent per year. The teenage 
hacker who tested the system for fun in the 1980's has grown up. Now, a 
hacker is called a cracker and FBI agents believe that a typical 
cracker is in it for monetary gain. Today, I am releasing a report by 
the Office of Technology Assessment that evaluates this situation and 
makes recommendations for action by the Congress and administration.
  There is a fine line between Government's place in encouraging and 
providing a fertile environment and the need to actively control the 
flow of personal and corporate information. There are some obvious 
areas of Government involvement. For example, the Internal Revenue 
Service is among those agencies who rely increasingly on computer 
networks for such things as filing tax returns. This report points out 
that anyone who pays Federal taxes has to wonder about who is browsing 
through their financial data.
  Our Nation's economic competitiveness and American jobs rely on how 
well technical data can be protected. Laws and enforcement were 
uncomplicated when trade secrets were kept on paper. In the age of 
computers, trade secrets can be stolen without the knowledge of any 
other than those who benefit. As the report points out, such acts 
affect the jobs, well-being, and livelihood of millions of Americans.
  We need to recognize the potential danger and act accordingly. Last 
year, I asked the Office of Technology Assessment to look at such 
problems and recommend changes. Its report notes that the Government is 
not doing a good job here. The report warns that:

     * * * without careful planning, understanding security 
     concerns, and adequate training, the prospect of plagiarism, 
     fraud, corruption or loss of data, and improper use of 
     networked information could affect the privacy, well-being, 
     and livelihoods of millions of people.

  The Office of Technology Advancement report that I am releasing today 
underscores the fact that much work remains to be done in the area of 
information security. First, Mr. President, I am very concerned over 
how the administration is developing and deploying to industry the 
technology to safeguard information. Instead of being on the forefront 
of this rapidly developing field, the administration has chosen a path 
independent of industry. The report finds the administration's approach 
to be laden with bureaucratic infighting and lacking direction.
  It has haphazardly promulgated a technology which the Office of 
Technology Assessment questions will even work, is unpopular with 
industry, and will ultimately retard other technologies.
  Second, the situation is no better within the Federal Government. The 
Computer Security Act of 1987 required that the National Institute for 
Standards and Technology develop information security standards. 
Instead, multiple bureaucracies have been fighting over proposed 
standards. The report found little evidence that any real progress is 
being made toward safeguarding information within the Federal 
Government, as required by the Computer Security Act.
  Third, there are major policy issues that the Congress must address. 
Perhaps the most important issue is whether Government should have 
access to private encrypted data? The Government should not be using a 
computer chip to become Big Brother. If agencies need access to network 
data for a criminal investigation, they should go to court as they do 
today. In addition, the report notes that there is a real question as 
to whether technologies exist that can really make networks secure. I 
believe that this is a technology question that the marketplace should 
answer, not the Government.
  Mr. President, the Office of Technology Assessment report underscores 
the fact that much more work must be done. I encourage my colleagues to 
read this important report. It provides necessary knowledge that 
Congress must have if it is to make laws and undertake other actions 
needed to take government into the 21st century. I intend to pursue 
hearings on the report early next year. On the basis of those hearings, 
I intend to develop amendments to the Computer Security Act.
