Defining Adequate Security

The question of "adequacy" is central to the establishment of standards. What measures constitute adequate protection? In this study, adequate security is defined as: security safeguards which have the capability of defending successfully against the maximum threat (either accidental or intentional) against the system; or security safeguards which force the burden of attempted penetration to be equal to or greater than the value of successful penetration. This definition requires that "maximum threat" itself be defined, and that the values and burdens of penetration or accident be compared or even quantified. These requirements are not easily met. Yet the development of standards cannot be made without attempting to meet them.

Threats or penetrations against a recordkeeping system are of four separate types:

- disclosure: the act of making confidential information public, either intentionally or by inadvertent release;
- destruction: the act of either physically or magnetically destroying information, either intentionally or by accident, which might impair enforcement, administration, or regulatory activities, or which might require recollection from the respondents;
- diversion: the act of copying or accessing confidential information in order to realize some private benefit other than public disclosure; and
- alteration: the act of changing confidential information, intentionally, to realize some benefit or avoid some penalty, or, by accident, introducing errors which may affect certain benefits, penalties, or statistical findings.

By evaluating the history of attempted and actual incursions and accidents, and by investigating the potential threat, security measures which protect against each of these four types of actions can be designed and implemented. This report makes no attempt to chronicle the history of record-related crimes, natural disasters, or accidents which have resulted in disclosure, destruction, diversion, or alteration. The literature on this topic is extensive, and the threats and incursions against these systems have been well documented.[2] While most security studies have emphasized the more "glamorous" antics of clever computer criminals, the important threats may lie elsewhere, especially in nonfinancial systems.

The types and degrees of threats to the security of confidential information vary with the types of information being protected. Perhaps the most important factor in assessing the risk of confidentiality violations is an understanding of the value of the protected information, stated in terms of the damage to be caused by disclosure, destruction, diversion, or alteration. Damage should also be determined by evaluating the impact of accidental versus intentional acts, the damage to the agency, and the damage to the violated parties.

Most security safeguards currently in vogue emphasize destruction and alteration. Spectacular fires and bombings of computer centers have contributed to emphasis on the former; preoccupation with financial and personnel data has accounted for emphasis on the latter.[3] Even within this context, the documented losses have been substantial. The General Accounting Office, for example, has reported 69 crimes or other incidents resulting in losses of over $2 million in Federal programs alone.[4]

Potential Results of Unauthorized Disclosure

Records made public could do serious damage both to the respondent and to the agency's program. Data on individuals, such as those in medical or investigatory files, could have harmful effects on privacy, reputation, benefits, and penalties. Confidential sources of information may also be compromised. Disclosure of trade or financial data might impair the competitive position of a particular firm or institution, or its financial standing.

For the agency, intentional disclosure by an employee, or accidental disclosure, could reduce the respondents' confidence in the agency. In addition, respondents could react unfavorably when information collected for one purpose was used for another because of de facto disclosure. Proper confidentiality guarantees and appropriate security safeguards contribute to a positive environment for a high level of voluntary cooperation. If people lose confidence in a program "because it fails to act in a fashion that inspires confidence, nothing can protect it from attack, and, indeed, nothing should."[5]

In the case of data gathered in confidence for regulatory purposes, unauthorized disclosure could impair the ability of the agency to gather accurate information, or damage the regulatory process itself by jeopardizing the relative stability of certain firms or institutions. Records on bank examinations, for example, if disclosed, could provoke a "run" on a particular institution, thereby worsening its condition.

Destruction of Records

Accidental destruction of records through erasure, fire, flood, etc., can be extremely costly to an agency. The Military Personnel Records Center in St. Louis, Missouri, experienced a devastating fire in July 1973:

    The records center has been the repository for about 52 million records on military personnel actions since 1912. The sixth floor, where the fire started, contained about 22 million military personnel files or jackets. About 16.8 million of these records were lost. . . . Painstaking work is necessary to reconstruct the lost records and some may never be replaced.[6]

An agency may find its ability to carry out its mission severely curtailed by widespread destruction of its records.[7] The paperwork burden in recollecting the information may be immense, and respondents may not be able to resubmit certain historical information. Further, if the agency must accept the new information on faith, without any external validation or audit, organizations or individuals may falsify the information upon recollection.

Diversion of Records

As with disclosure, damage due to diversion may be nearly unrecoverable. In some ways, however, the damage from diversion may be even greater, if only because of the delays or difficulties in detecting the loss. When records are destroyed, discovery is usually immediate; when they are altered, the alteration is occasionally discovered by audit. If information is secretly diverted or copied, however, it may be nearly impossible to detect any wrongdoing. The information may have been copied only once, thereby reducing the risk of discovery. Audits will not uncover missing funds, since no records need be altered. Confidential trade, commercial, or financial information is particularly vulnerable to this type of threat.

Alteration of Records

The threat of record alteration is usually associated with financial information, but security standards for confidential information must not overlook the ramifications of an accidental or intentional alteration which affects benefits or penalties. Accidental alterations are especially prevalent when computer systems are allowed to make decisions on individual cases. For example, one commentator has described the results of a GAO investigation of the Supplemental Security Income program:

    Almost one-quarter of the computer-generated checks sent to recipients of the Social Security Administration's (SSA) newest federal welfare program in the last half of 1975 were wrong, the agency's Quality Assurance Program has determined. The latest statistics for the SSA's two-year-old program for blind, aged and disabled adults showed a 23.7% error rate in payments made to a sample of the 4.3 million people[8]

While this particular situation did not involve confidential informa-

Privacy experts argue that abuse of records may occur under "authorized" conditions as well, when the legally authorized use of information is, in itself, invasive of privacy. The security problem, however, is concerned only with unauthorized violations or with accidents. Legal and administrative practices and policies must set limitations on authorized uses in order to prevent all such "abuses".

Intentional alteration of confidential information is generally limited to the records of a few individuals or organizations. These records may be deliberately altered to conceal potential penalties or to qualify fraudulently for certain benefits. A record may also occasionally be altered to deprive a person of a rightful benefit or to inflict a wrongful penalty.

Current Federal Security Guidelines

Although security is an essential factor in ensuring the confidentiality of information and, as such, should be a component of information management, there are no formal responsibilities for coordinating security standards and practices with other information management activities. Legislation establishing records management policy does not address the security of such records.[9] Within the area of security, there are no Government-wide standards except, of course, for restrictions on physical access to Government buildings and centralized cost accounting and auditing procedures.[10] Each agency has been free to develop its own standards.[11]

Some Federal security guidelines have been developed, but these are limited to computer systems. The three most influential agencies supervising computer security practices are the Office of Management and Budget (OMB), the General Services Administration (GSA), and the National Bureau of Standards (NBS). OMB has responsibility for setting policy and exercising fiscal control over data processing operations throughout the Executive branch. GSA is responsible for computer hardware procurement and maintenance activities for Federal user agencies. NBS provides technical advisory services and develops data processing standards for Executive Branch agencies. This allocation of responsibility was established by the Brooks Act[12] in 1965.

More recently, the Privacy Act of 1974[13] required, for the first time, that all Executive branch agencies adopt security and confidentiality safeguards for those record systems containing individually identifiable information. Thus, subsection (e)(10) provides that each such agency shall:

    establish appropriate administrative, technical, and physical safeguards to insure the security and confidentiality of records, and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained

Further, that Act, in section 6, directed OMB "to develop guidelines and regulations . . . and to provide continuing assistance to and oversight of the implementation of [the Act] by agencies". OMB has delegated part of this responsibility to GSA (the development of records management procedures and the evaluation of computer security requirements prior to the procurement of new hardware and software) and part to NBS (the development of computer security guidelines). The guidelines developed by NBS have been published in two documents:

    Guidelines for Automatic Data Processing: Physical Securi-

    Computer Security Guidelines for Implementing the Privacy

Although agencies have been encouraged to adopt these guidelines[14]

The NBS guidelines and other handbooks and manuals developed by other Federal agencies make similar arguments and call for similar safeguards. In an investigation by the General Accounting Office, FIPS #31 was justifiably criticized for not directing sufficient attention to the day-to-day problems of maintaining an adequate security program and for failing to place management responsibility for the administration of the security plan.[15] The NBS guidelines are not as vulnerable on technical grounds, however. Some omissions

Notes

2. See U.S. General Accounting Office, Computer-Related Crimes in Federal
3. E.g., Thomas Alexander, "Waiting for the Great Computer Rip-off," Fortune (July 1974), pp. 143-148.
4. U.S. General Accounting Office, Computer-Related Crimes, n. 2, supra.
5. President's Commission on Federal Statistics, Federal Statistics, Vol. 1, p. 215 (Washington, D.C.: Government Printing Office, 1971).
6. U.S. General Accounting Office, Managers Need to Provide, n. 2, supra.
7. A record system may even be held hostage. In one case, employees threatened to destroy records if certain financial demands were not met. See Donn B. Parker, Computer Abuse Perpetrators and Vulnerabilities of Computer Systems, p. 20 (Menlo Park, Cal.: Stanford Research Institute, 1975).
8. Edith Holmes, "Error Rate for SSI Checks Hit 23.7%," Computerworld (10 May 1976), p. 1.
9. Federal Records Act, as amended by the Federal Records Management Amendments of 1976, 44 U.S.C. §2901 et seq., §3101 et seq.
10. GSA has a peripheral responsibility in its role protecting Federal buildings, while other agencies, such as GAO, conduct auditing.
11. The Department of Defense has been particularly active in developing security practices for a number of years. See U.S. Department of Defense, Security Requirements for ADP Systems, D.O.D. Manual 5200.28M. See also Department of Health, Education and Welfare, ADP Systems Security Required by the Privacy Act of 1974, ADP Systems Manual A5-10-3, 24 July 1975. Other agencies have also used the HEW guidelines. The Consumer Product Safety Commission, for example, has augmented them. 41 F.R. 36648-36650, Aug. 31, 1976.
12. 40 U.S.C. §759.
13. 5 U.S.C. §552a.
14. Section III, notes 65-72 and accompanying text, supra.
15. U.S. General Accounting Office, Managers Need to Provide, n. 2, supra.