Security and Privacy

A half-dozen computer users and designers devoted two complete sessions of the Spring Joint Computer Conference in April to their attempts to protect sensitive information in multiple-access computers. Concern over this type of information developed in Congress just a year ago when the Budget Bureau proposed a Na-~ional Data Center for the consolidation of govermnent statistical work. During a session on security and privacy , a consensus was developed by the speakers that this information, whether of a personal or a classified nature, can be protected in the computer, but once it begins travelling along communication lines to switehing centers or to remote terminals, it is vulnerable to intrusion. The speakers said the central processor and the files can be protected against invasion by a series of countermeasures, including use of a monitor that guards the entire software; memory protect and privileged instructions; placement of the computer in a secure location; clearances for operating personnel; logging of sig-niticant events; access management; and various processing restrictions, such as a ban on copying of complete files. The speakers seemed confident that these measures are within their grasp, although some are still to be implemented. The protection of communications lines, however, seems to be far from solution. It is too simple to tap these lines. In a joint paper, Harold E. Petersen and Rein Turn, of the Rand Corporation, said that you can penetrate communications lines with a $100 tape recorder and a code conversion table. They also said that digital transmission of information provides no more privacy than Morse code, for example. "Nevertheless," they said, "some users seem willing to entrust to digital systems vaIuable information that they would not communicate over a telephone." According to Petersen and Turn, information can be picked off communications lines by wiretapping, electremag-netic pickup, or the use of special terminals that can intercept information between the user and the processor, modify it, or replace it with other information. Shielding of the lines would help, of course, but this is so expensive that it would be feasible in only a few cases, such as for lines carrying highly classi-fled information. Since communications lines are the principal user-processor links, the authors suggested a complex series of protective measures, including terminal and user identification, the use of passwords, disposal of carbon papers and typewriter ribbons, physical security of the terminal, and privacy transformations, which are techniques for coding data. …