ACM Washington Update, Vol. 9.10 (October 31, 2005)

By David
November 1, 2005


[1] Newsletter Highlights
[2] USACM Chair Warns Against Underfunding Cybersecurity Research
[3] USACM and Others Criticize DoD Export Proposal
[4] Data Security Legislation Moving Forward in Congress
[5] U.S. Passports to Get RFID Chips
[6] U.S. Resisting U.N. Pressure on Internet Governance
[7] Events in November
[8] About USACM

[An archive of all previous editions of Washington Update is available here.]


[1] Newsletter Highlights

Below are highlights of the top stories for October; there’s more detail on each below, as well as on our weblog at

* USACM Chair Eugene Spafford, testifying before a House Armed Services Committee hearing on cybersecurity issues, calls for more cybersecurity research funding and for a new approach to DoD cybersecurity, including less reliance on commercial-off-the-shelf products.

* USACM says that a Department of Defense proposal to increase restrictions on foreign researchers would burden research, unfairly views foreign researchers as an automatic security risk, and doesn’t account for other equally restrictive government proposals.

* Two data security bills advance in committees in both chambers, while senators strive to integrate the four major pending bills on the subject into legislation that can be addressed before the Thanksgiving break.

* The State Department announces its plans and timetable for introducing RFID chip technology into U.S. passports.

* Several members of Congress voice their strong opposition to granting the United Nations a larger role in Internet governance, an area currently under U.S. (and ICANN) control.


[2] USACM Chair Warns Against Underfunding Cybersecurity Research

Last week the House Armed Services Committee convened a hearing entitled “The Asymmetric and Unconventional Threats” to discuss issues related to cybersecurity, information assurance, and information superiority. Among the witnesses was Dr. Eugene Spafford — USACM Chair, Purdue University computer science professor, and director of Purdue’s Center for Education and Research in Information Assurance and Security (CERIAS). Spafford was joined on the panel by David Grawrock (Principal Engineer and Security Architect at Intel) and Paul Kurtz (Executive Director of the Cyber Security Industry Alliance).

In his oral comments, Spafford stressed several points:

* The interconnectedness of systems today, meaning that a vulnerability or attack in one system can lead to problems for other systems;

* The fuzzy line now between civilian and military infrastructure (e.g., many military bases rely on civilian power grids, civilian networks, etc.);

* The danger in underfunding and shortening the horizon for cybersecurity research; and

* The need for more well-trained cybersecurity professionals.

Spafford also discussed the danger he sees in continuing to patch and upgrade existing software and systems, especially with respect to the many commercial off-the-shelf (COTS) products employed by DoD — in his view this is an ineffective approach to cybersecurity. Spafford urged a different approach involving a shift away from COTS and away from systems and software with extraneous functionality — an approach that he admitted would be more expensive, but one that would be best from a cybersecurity standpoint.

Spafford’s written testimony is available here

In addition, an audio archive of the hearing will be available shortly from the committee’s web site at


[3] USACM and Others Criticize DoD Export Proposal

USACM, the Computing Research Association (CRA), and more than 100 other respondents recently filed comments with the Department of Defense criticizing its proposed changes to the Defense Federal Acquisition Regulation Supplement (DFARS). Among other things, the proposal mandates that all DOD contracts include a clause requiring contractors to

1. Create and maintain unique badges for foreign nationals and foreign persons employed by the entity;

2. Build segregated work areas for these persons; and,

3. Prevent these individuals from gaining any access to export-controlled technology without first obtaining a specific license, authorization or exemption, even if these individuals may be working under the longstanding fundamental research exemption.

USACM’s comments express its concern that the proposal, among other things, would place a costly new burden on research, discriminate against foreign researchers, and jeopardize the fundamental research exemption that has long promoted an open and fertile research environment.

USACM is also worried that DOD, in issuing this proposal, has not given enough consideration to a similar advanced notice of proposed rulemaking issued recently by the Department of Commerce’s Bureau of Industry and Security (BIS). USACM and others were critical of BIS’s proposal, as well.

USACM’s full statement on the DOD proposal and other relevant items mentioned here are available at

CRA’s official comments on the proposal are available at


[4] Data Security Legislation Moving Forward in Congress

Recently, we reported on the weblog that the Senate Judiciary Committee — a major player in the effort to enact federal data security legislation — approved Senator Jeff Sessions’ (R-AL) legislation (S. 1326) intended to protect private electronic information. Since that time, we’ve seen reports (e.g., in National Journal) which suggest that key Senators will merge at least three bills into one and try to pass the package before the Senate leaves for Thanksgiving. Such an effort would require merging the products and priorities of three different committees — Judiciary, Senate Commerce, and Senate Banking — and then getting floor time.

The bills that would likely be merged are Senator Arlen Specter’s legislation (S. 1332), Senator Sessions’ legislation, Senator Gordon Smith’s (R-WA) legislation (S. 1408), and Senator Richard Shelby’s (R-AL) legislation (S. 1461). A side-by-side comparison of these bills is available here

It is difficult to predict what parts will end up in the final bill. Our sense would be some new regulatory structure for all businesses modeled after the Gramm-Leach-Bliley Act, which partly governs the financial industry’s use of private data, with much of the specific detail left to the Federal Trade Commission to work out. It will probably also include some data breach notification requirements and increased protection of information in government’s hands.

Meanwhile in the House, the Energy and Commerce Committee is set this week to mark up Rep. Cliff Stearns’ “Data Accountability and Trust Act” (H.R. 4127), which looks to be an updated version of the committee discussion draft that circulated earlier this year. Among other things, Stearns’ bill calls for the creation of data security programs for organizations (including special requirements for data brokers), security breach notification, and preemption of similar state laws. The bill would leave many of the details up to (and would be enforced by) the Federal Trade Commission. Interestingly, this bill includes an exemption from security breach notification for breaches involving encrypted data and goes so far as to reference National Institute of Standards and Technology (NIST) encryption standards. Complete information about H.R. 4127 is available at

Any comprehensive regulatory bill will almost certainly contain provisions to preempt state law. Interestingly, the National Journal story mentioned above notes that pressure on Congress to act isn’t coming from the public clamoring for protection of their private information; rather, it is coming from the business community who fear having to comply with 50 different state laws. This improves the chances for a new federal law, because while the onslaught of data breach stories has slowed, the pressure inside the Beltway for preemption of state laws from business groups isn’t likely to stop.


[5] U.S. Passports to Get RFID Chips

The U.S. Department of State issued regulations recently regarding the inclusion of radio frequency identification (RFID) computer chips in U.S. passports. The new 64-kilobyte passive RFID chip will contain a machine-readable version of such information as the passport holder’s name, nationality, gender, date and place of birth, and digitized photograph.

The department made a number of changes to the plan following a public comment period earlier this year which generated more than 2000 sets of comments (only 1% of which were supportive of the plan as published). The changes include the addition of “anti-skimming” material (i.e., material that would prevent an attacker’s gaining access to an RFID chip’s contents surreptitiously without the owner’s knowledge) in the front cover and spine of the electronic passport and the implementation of Basic Access Control (BAC), which uses “a form of Personal Identification Number (PIN) that must be physically read in order to unlock the data on the chip.”

Critics of the passport plan argue, among other things, that despite the changes to the plan personal information contained on the chips is still at risk from skimming. Some in the technical community are also concerned about the security of the encryption keys used with BAC.

The new passports will start coming out at the end of this month and the department is targeting October 2006 for all passports to be electronic. The actual State Department rule is available online at

Also, for more perspective on the passports, see Declan McCullagh’s recent article at


[6] U.S. Resisting U.N. Pressure on Internet Governance

Tension continues to mount between the United States and the United Nations regarding the U.S. role in Internet governance in the remaining days before a significant international gathering that is expected to address the issue. As many readers will know, the U.S. Department of Commerce has authority over the administration of the Internet’s basic structure (i.e., the domain name system or DNS) through an agreement with ICANN, the Internet Corporation for Assigned Names and Numbers. However, pressure has been building in recent months within the U.N., the E.U., and several other countries for the U.S. to relinquish its dominant role in the administration of the Internet to a more international body within the U.N.

The U.S. government recently reasserted and reaffirmed its role in the administration of the Internet and announced that it has no intention to hand over that role. See

More recently, several members of Congress and two major U.S. newspapers (i.e., the New York Times and the Wall Street Journal) have made strong statements insisting that the U.S. not allow the U.N. to assume a more prominent role in Internet control. Senator Norm Coleman (R-Minn.), for example, introduced a resolution in the Senate to “protect the U.S.’s historic role in overseeing the operations of the Internet.” More information about the resolution is available from the senator’s web page at

A similar resolution (H.Con.Res. 268) has also been introduced in the House by Representatives Doolittle (R-Calif.), Goodlatte (R-Va.), and Boucher (D-Va.); see

In addition, the four co-chairs of the Congressional Internet Caucus also recently sent President Bush a letter in support of the administration’s position on preserving the U.S. role in Internet governance; see

Clearly, given the level and range of support among U.S. policymakers for maintaining the current U.S. role in Internet governance, major changes in this area are unlikely anytime soon. In any event, the issue is expected to be a matter of significant debate at next month’s U.N. World Summit on the Information Society (WSIS) in Tunis, Tunisia, where, among other things, participants will address the report of the Working Group on Internet Governance (WGIG), which we reported on in August at

The U.S. delegation to WSIS is being led by Ambassador David Gross, who is planning to hold an Internet chat on November 2 to discuss WSIS (see below for more information).


[7] Events in November

November 2: Internet chat with Ambassador David Gross regarding the upcoming WSIS meeting.

November 3: House Energy and Commerce Committee markup of H.R. 4127, the Data Accountability and Trust Act.

November 3: House Judiciary Subcommittee on Courts, the Internet, and Intellectual Property hearing on “Content Protection in the Digital Age: The Broadcast Flag, High-Definition Radio, and the Analog Hole.”

November 7: Workshop on Privacy in the Electronic Society, Alexandria, Va. (organized in conjunction with ACM CCS 2005, described below).

November 7-11: ACM Conference on Computer and Communications Security (ACM CCS 2005), Alexandria, Va.

November 16-18: World Summit on the Information Society (WSIS), Tunis, Tunisia.

November 30-December 4: ICANN meeting, Vancouver, Canada.


[8] About USACM

USACM is the U.S. Public Policy Committee of the Association for Computing Machinery (ACM). ACM is widely recognized as the premier organization for computing professionals, delivering resources that advance the computing and IT disciplines, enable professional development, and promote policies and research that benefit society. ACM hosts the computing industry’s leading Digital Library and Guide to Computing Literature, and serves its 80,000 global members and the computing profession with journals and magazines, conferences, workshops, electronic forums, and its Career Resource Centre and Professional Development Centre. For more information about USACM and ACM, see


For earlier editions of the ACM Washington Update, see


To subscribe to ACM’s Washington Update newsletter, send an e-mail to with “subscribe WASHINGTON-UPDATE ‘First Name’ ‘Last Name’” (no quotes) in the body of the message. To unsubscribe, simply include the “SIGNOFF WASHINGTON-UPDATE” command in an email to


Should you have questions, comments, or suggestions regarding this newsletter, public policy issues, or USACM activities, please contact the ACM’s Washington, D.C., Office of Public Policy.