*NG[R

z__c 14.15/,2.  ‘
1§BRA§’

[L13 g  L!‘ 7 Waghiﬁgiﬁﬁ iginiﬁéfﬁiﬁi

‘*3 Ci

 

Issue Brief wAsHg%moN

S. —; v, v: .( 1» *“ ,5" “E. '\’':‘''f‘.’'.‘\’ 
E “ ~ ..  .~ ‘..«. ‘raw .-~
1 .   ~;,» :._,1xa ~x-J A
".~s~' 1 - "'
/ V.‘ ,1-1 

 
 

CONGRESSIONAL
RESEARCH
SERVICE

LIBRARY OF
CONGRESS

 

COMPUTER CRIME AND SECURITY

ISSUE BRIEF NUMBER IB80047

AUTHOR:
Becker, Lou ise

Science Policy Research Division

THE LIBRARY OF CONGRESS
CONGRESSIONAL REEARCH SERVICE

‘MAJOR ISSUES SYSTEM

DATE ORIGINATED ggglgggg
DATE UPDATED ggglgggg

FOR ADDITIONAL INFORMATION CALL 287-5700

0519

CRS- 1 IBBOOH7 UPDATE-05/16/80

l§§Q§-D§ZlﬂL2LQE

The expanded use and increased dependence of all sectors of the economy on
computers and data communication technologies, have triggered consideration
and development of protective safeguards. This Issue Brief focuses on
computer-related criminal activity and on some of the security safeguards
which protect computer equipment, services, and products. Recognizing the
value and sensitivity of certain types of computer data, Congress has
proposed and enacted legislation strengthening protection of computer and
information resources. Congress’ attention to these issues has in part
encouraged Federal, State, and private groups to examine the area of computer
crime and security.

EAQKEBQQND AE2.2QLlQZ-§!AL 5l§

COMPUTER CRIME AND OTHER THREATS

The wide diversity of computer system threats may include modification,
destruction, unauthorized access, and denial of use or services. Dangers to
automated systems may be intentional or unintentional and often involve both
technical and nontechnical aspects. The causes of computer abuse and misuse
1 , the range from‘ deliberate criminal intent to human error. Indeed,
computer abuse is sometimes perceived as "man triumphing over machine."
Media accounts, on occasion, highlight unusual circumstances, such as the
case of the man shooting a computer for sending the wrong bill or the fired
computer programmer who»gets revenge by instructing the computer to wipe out
all payroll accounts.

Nonetheless, computer abuse contributes to part of the estimated annual
$40 billion loss resulting from economic, business, and white-collar crimes.
Computer crime, a distinct but not exclusive form of computer abuse and
misuse, includes fraud, embezzlement, theft, extortion, larceny, espionage,
and sabotage.

other threats to computer equipment, services, and products include
possible damage from fire, water, and cther natural disasters as well as from
energy shortages (e.g., power outages and brownouts) and other technical
changes.

The diversity of computer crime methods complicates the issue.
Computer-related criminal methods may be complex and often carry exotic
names, such as: d_a_j_:_g__digc_i_;_i1_1g (changing data before or during input to a
c puter); t;gjgn_hg;§g (converting placement of computer instructions in the
ctmputer program so that the computer performs unauthorized functions while
allowing the program tc>perform its intended function); salami technique
(taking small slices githggt ngtiggablyjreducing the whole, as illustrated in
a financial system in which small fractions of money (round offs) may be
deducted without immediate notice); ggpggzgppigg (unauthorized use of a
specialized computer program that by—passes all controls so that information
within the computer may be modified or disclosed; trap doors )(computer

CRS- 2 IE-800'-L7 UPDA.'l'E—05,/16,/80

program instructions which are designed to allow entry by side-steppj"1
certain requirements or weaknesses in design, logic, or electron :
circuitry); ;ggig_b9mb§ (an "unauthorized" computer programming instruction
which is triggered and executed at a certain time and performs an undesired
function); sggyggging (obtaining information that may be left in or around a
computer facility): and.9;gg1QQg§iQg_§gg_impggggngtign (unauthorized physical
or electronic access to a computer or facility). It is also possible to
giggtap and intercept data communications in a manner similar to telephone
wiretapping, thereby permitting another type of unauthorized access to
information and services. In addition, manual or automated data_ leakages
(unauthorized access to»data) also permit unwarranted disclosures and illegal
access to data and services.

Detecting and assessing computer crime is frequently difficult. In many
instances, a crime is discovered accidentally, and the process used to commit
the crime may remain obscure. The reporting of a computer crime may have
additional penalties beyomd the initial loss. For example, certain
organizations may be unwilling to report computer crimes because such action
may lower public trust and confidence in those institutions. In addition to
adverse publicity, revelations of specific internal procedures and the
possible danger to associated information systems often discourages reporting
of such crimes- Thus, it is‘ understandable that many institutions and
organizations, both public and private} do not relish this type of publicity.
This reluctance to report computer-related crime prevents detection and
limits prosecution of computer criminals. »

COMPUTER SECURITY
Computer security measures have been developed to deal with the vast array

of real, potential, and imagined threats. These measures include a broad
range of techniques and tools designed to safeguard equipment (hardware),

‘ computer programs (software), computer/communication networks, data in the

systems, and associated information products as well as services. Certain
inherent features of computers provide some protection of data and services,
for example, the complexities of operation limits access to knowledgeable
users. The high cost of computer systems and the value of the data in the
systems have encouraged the development of risk assessment programs and
contingency planning efforts to protect information technologies from abuse
or misuse.

Computer security measures are aimed at controls associated with,

- identification of individuals who may have access

- authorization functions, that is which individuals have
access to what data or services

- monitoring and surveillance of computer operations - checking
transactions and processes

- systems integrity - assuring performance and reliability
of the system

Some of the tools and techniques currently used to safeguard data

processing include:

11L_§hy§ig§l_§§gg;ity_§ga§u;g§ are generally associated with protecting the
facility, equipment, and data from damage that may be the result of

CBS- 3 IBBOOQ7 UPDATE-05/16/80

i'truders, natural disasters such as fires and floods, and other physical
t. eats. ‘These measures usually include traditional "lock and key" elements
aimed at limiting and controlling access to the computer facility and
associated areas. In addition, preventing fires and other hazards from
affecting computer operations also is part of physical security.

(gL_Tgghnigg;_§ga§ggg§ are designed to prevent illegal electronic access,
data modification, destructive use, and interception of computer products and
services. Often they include techniques such as passggggg (which limit
access to authorized system users who are provided with a set or series of
terms, numbers, or actions); data_gng;yptigg (the transformation of data to a
code form readable only by the intended recipient); and mgnitggg or
surveillance (devices that assess computer performance and may be used as an
external check on the correct operation of the system). Recently,
experimental innovations such as ggggaliggd §egu;§_Qp§;§ting_§y§tgm§ (KSOS),
a mechanism to protect a computer's operating system from unauthorized access
or disclosure, have received attention. Technical software and hardware
safeguards are being developed continually and included in new products and
services. The inherent complexities and technical aspects of computers and
automated information network systems also may serve as a protective

amechanism against certain unauthorized users.

1§L_Admini§§§gtiy§_§ga§g;g§ include a broad range of activities associated
w‘th specific management and operating policies and practices. Establishment
o specific procedures, guidelines, and standards directed at providing a
secure environment fall.within this category, as do pg;§gnngl_ gggegnings of
individuals who plan, design, handle, or operate the computer systems and the
associated data and information. In addition, techniques such as ggmpgtg;
s1sssss_ audits and gist- assessment are generally associated with
administrative functions, but also may employ physical and technical
measures.

CONGRESSIONAL INITIATIVES

The effective management of computer and information resources continues
to be an important issue for the Congress. Oversight of sensitive Federal
ADP systems has highlighted the need for appropriate security measures to
safeguard valuable resources. Concern with protecting personal privacy and
safeguarding other sensitive information has encouraged developmenti of
programs to cope with the problem. Congress, in enacting the Brooks Act
(P.L. 89-306), provided for the efficient and economical management of
Federal ADP resources. An important factor in stimulating computer security
measures has been a grtning appreciation of the value and sensitivity of
Federal ADP programs and services. The Privacy Act of 1974 (P.L. 93-567) has
also contributed to broader implementation of computer security measures.
The Act specifies the protection of Federal personnel data systems and
requires the security of personal data systems. Since many Federal
i ”ormation systems are automated, this Act has led to increased emphasis on
tn.» use of computer security measures.

Federal privacy legislation also has been directed at protecting private
sector and State data. Laws protecting the confidentiality and privacy of
criminal justice records, financial, and educational data have fostered new
policies and practices. The Crime Control Act of 1973, which amended the
Omnibus Crime Control and Safe Streets Act of 1968, specifically concerns the

CRS- H 6 IBBOOH7 UPDATE-O5/16/80

privacy and security of federally supported criminal arrest records, most of
which are part of State government criminal.justice systems. [See Priva
Issue Brief 1374105.]

Protection of Federal Government ADP resources also has been aided by the
establishment of additional internal investigative functions. Legislation
enacted in the 94th and 95th Congresses provided for the creation of an

inspector general's office in the Department of Health, Education, and)

Welfare (HEW) (P.L. 94-505); P.L. 9H-452 established Offices of Inspector
General in 12 Federal departments and agencies; and P.L. 95-1, which created
the Department of Energy, establishes an office of inspector general to
combat fraud and abuse. (See Issue Brief 77o9u, Law Enforcement
Reorganization at the Federal Level.)

Besides its broader interests in computer management, the Congress is also
concerned specifically" with computer crime and security. The Senate
Committee on Governmental Affairs (formerly Committee on Government
Operations), chaired by Senator Ribicoff, has issued two studies on this
matter. The first of these studies, "Problems Associated with Computer
Technology in Federal Programs and Private Industry," reviews some of the
major issues and problems associated with computer abuse. Included in this

Senate document are three studies by the General Accounting Office,-

indicating the extent of computer crime in Federal systems, a CRS-prepared
overview of computer and information security efforts in the Federal
Government, and a compendium of reading on crime and related subjects. The
follow—up 1977 report by the Senate staff, "Computer Security in Federal
Programs", includes recommendations that the Office of Management and Budg
(OMB) direct Federal agencies to put into effect appropriate computer
security precautions and safeguards. In addition, the committee report urged
Federal agencies to improve coordination of computer resource protection
efforts, develop additional computer security standards, and establish
personnel security policies. In keeping with these recommendations and the
statutory requirements of the Privacy Act of 1974, the OMB has initiated a
computer security program, discussed below.

Based on the investigations and findings of the Senate Committee on
Government Operations, Senator Ribicoff introduced S. 1766, The Federal
Computer Systems Protection Act of 1977, in the 95th Congress. [An identical
bill (H.R. 8421) was introduced in the House by Representative Rose.) 5.
1766 was the subject of hearings before the Senate Committee on the
Judiciary, Subcommittee on Criminal Laws and Procedures. The Senate and
House computer crime bills received no further action in the 95th Congress.

At the beginning of the 96th Congress, the Federal Computer Systems
Protection Act of 1979 (S. 240) was introduced by Senator Ribicoff with some
minor changes. [An identical bill (H.R. 6196) was introduced in the House by
Representative Nelson.j] S. 240 would make it a Federal crime to misuse
Federal computer systems, systems of certain financial institutions, and
computer systems which use intestate facilities. Four distinct areas of
computer crime are addressed by the bill: fraudulent records or data;
unauthorized utilization of data; alteration or destruction of data; a ‘
stealing of products, services, or data associated with‘ computers L;
information systems. In brief, S. 240 makes it a crime to use or attempt to
use a computer with intent to defraud or obtain property falsely and to
embezzle or steal property. On Nov. 6, 1979, the Senate Judiciary
Subcommittee on Criminal Laws and Procedures referred an amended version of
the bill to the full committee for consideration.

CRS- 5 IBBQOQ7 UPDATE-05/16/80

GENERAL ACCOUNTING OFFICE

Over the years the General Accounting Office (GAO) has expressed concern
regarding ineffective management of Federal ADP systems. Specifically, GAO
has commented on the lack of a comprehensive computer security program for
Federal agencies, the limited employment of risk assessemnt techniques, the
low utilization of available technical guidance, and the infrequent use of
internal audits to improve ADP security. The GAO, as noted earlier, also has
focused on the problem of computer crime in Federal programs. In reviewing
specific Federal ADP systems, GAO has continued to express concern regarding
the adequacy of computer security safeguards. In testimony given Apr. 23,
1979, before the House Committee on Armed Services, Subcommittee on Research
and Development, the GAO recommended a coordinated Federal computer security
effort. Specifically the GAO suggested that the Secretary of Defense
establish within the Department of Defense (DOD) an office with authority and
responsibility for computer security. GAO envisioned that this office would
control all computer security research and development and also review and
control all DOD computer security specifications. This office, in GAO's
view, should review and approve computer security plans for the DOD World
Wide Military Command and Control Systems (WWMCC) computers. Stimulated in
part by these recommendations, DOD has established a computer security
initiative, described below.

FEDERAL GOVERNMENT

Many of the early pioneering efforts to protect data in the Federal
Government were confined to senstitive or classified data systems related to
national security. While the defense agencies continue to make progress in
securing systems, civilian agencies also have begun to apply computer
security measures to protect their sensitive information systems. These
Federal computer security efforts have stemmed in part from the previously
cited provisions of the Privacy Act of 197a. Since ADP management is a
shared responsibility of individual agencies and those Federal agencies with
overall management responsibilities (sometimes referred to as "central
agencies"), such as theroffice of Management and Budget (OMB) and the General
Services Administration (GSA), implementation of computer security measures
has received considerable attention at various levels in the Federal
Government.

In 1978 the Federal Data Processing (ADP) Reorganization Study Group (part
of the President's Reorgnaization Project) completed a series of studies on
improvements to be made in Federal ADP acquisition, management, and use.
Computer security was specifically addressed as one of the problems
associated with operational management and national security. Some of the
ADP reorganization teams‘ recommendaticns are reflected to an extent in the
OMB policy described below.

The OMB, in consultation with the Senate Committee on Governmental
A”airs, has established a Federal computer security program. Specific
gt-delines (OMB Circular A-71, Transmittal Memorandum No. 1, July 1978:
"Security of Federal Automated Information Systems.“) have been issued to
assist agencies in the control and auditing of sensitive computer
applications. The OMB policy directs agencies to designate a security
official for each computer installation and to screen all personnel working
on the design and operation of sensitive systems. Federal agencies are
encouraged to conduct periodic audits and risk analyses and to develop

CRS- 6 IBBOOH7 UPDBTE’05/16/80

contingency plans to reduce the effect of computer breakdowns, fires, 'r
other mishaps. Under the program, the National Bureau of Standards (NBS) ,
assigned responsibility to develop and issue computer security standards and
associated guidelines. The formulation of policies and regulations for
physical security of computer installations is the responsibility of the GSA.
The GSA's review of ADP'acguisitions (procurements) will include a check of
appropriate security safeguards. The Oﬁfice of Personnel Management (CPU) is
responsible for personnel security guidelines.

The establishment of an inspector general's office in HEW, now the
Department of Health and Human Services (HHS), has resulted in increased
efforts to protect computer-based systems. The HHS inspector general's staff
includes a computer adviser who has focused on the problems associated with
computer crime and security. Early initiatives undertaken by the HHS
included computer-matching programs such as Project Match- These matching
programs attempt to ferret out ineligible individuals, who are receiving
Federal funds or support and to limit other errors and abuses, such as
incorrect payments and unverified entries. some of these matching programs
have met with considerable opposition. For example, the proposed National
Recipient System (NRS), which would have assisted States in reducing fraud,
abuse, and error in the Social Security administration's (SSA) Aid to
Families and Dependent Children (AFDC), was terminated after a GAO review
(GAO letter report, May 29, 1979, HRD-79-105074) questioned the effectiveness
of the program's plan and expressed specific concerns regarding the
possibility of invasion of personal privacy.. At issue is the concern for
protecting personal data and limiting information disclosures. SSA ‘*
currently developing a work plan to assess State-Federal informatit
exchanges.

The Secretary of Health, Education, and Welfare in late 1978 held a 2-day
meeting, "National Conference on Fraud, Abuse, and Error: Protecting the
Taxpayer's Dollar." This conference included a special session on computer
technology which involwed discussions on the detection and prevention of
fraud and abuse in automated information systems.

Computer security and risk management initiatives also have been
undertaken by other Federal agencies. Thee National Bureau of Standards!
(NBS) Computer Security and Risk Management Standards Program focuses on the
Federal information processing standards mandated by the Congress and the
executive branch. The program is aimed at improving Federal data processing,
protecting personal data, and safeguarding valuable data and assets.
Specifically, the NBS program addresses computer security standards including
physical security, access controls, and data encryption. Contingency
planning methods and standards related to the techniques associated with risk
analysis and security audits also are being developed by NBS.

NBS was instrumental.in the development of the Federal Data Encryption
Standard. This standard is a means of protecting information by transforming
or disguising data so that only selected users can discern its meaning. The
standard specifies an encryption algorithm (mathematically-based cipher or
coding system) which is to be used in protecting information in ADP syste
and networks. While the standard has been developed for use by Federal
Government agencies, some private sector organizations, such as financial
institutions, are considering using this encryption algorithm.

The Department of Defense, which handles large amounts of sensitive data,
continues to make progress in the development and use of computer security
technologies. In June 1978, the DOD Computer Security Initiative Program was

CBS- 7 IBBOOH7 UPDATE-OS/16/80

e"*ablished partially as a response to GAO recommendations to integrate the
D computer security effort. The program, administered by the Office of the
Under Secretary of Defense for Research and Engineering, is directed to "(1)
coordinate ongoing DOD computer security research activities; (2) serve as
the technical focus for approval of secure systems within the DOD; and (3)
foster the development of secure computer system" [by computer
manufacturers]. The primary thrust of the DOD program is to promote the
development of "trusted" computer systems, Athat is, systems that have
significant integrity so that they may be used in a shared environment in
which data security levels vary. (For example, an ideal "trusted" computer
system containing unclassified, secret, top secret, and other security
categories safely could handle these several levels of secure data as well as
users when different levels of security clearances having access without
compromising the information contained at any level in the system.)

The DOD program is designed to promote technological developments and
encourage the transfer of certain computer security innovations to nondefense
agencies and the private sector. Predicated on the theory that, if a
sufficient computer security market can be identified, commercial development
of "trusted systems" will be stimulated; and DOD, in conjunction with NBS,
held two conferences in late 1979 and early 1980 to promote the exchange of
information on this subject.

Criminal justice agencies have expressed continued concern for effective
security of their critical systems. Specific measures have heen instituted
to protect privacy of criminal arrest records. The Crime Control Act of 1973
( ,L. 93-83) has provided a framework for the privacy and security of both
Federal and federally supported criminal justice systems. Subsequent Federal
regulations (40 Federa1.Register 22214, amended by Q1 Federal Register 11714)
have been issued to assist criminal justice agencies in protecting criminal
justice information systems. Criminal justice agencies have also been
concerned with preventing computer crime. Both at the Federal and local
levels, appropriate training programs have been developed to assist criminal
justice officials in dealing with computer crime. The FBI Academy has
developed a special computer crime course to assist investigators in
understanding technical and legal aspects of computer crime. The Law
Enforcement Assistance Administration's‘National Criminal Justice Information
and Statistics Service (NCJSS) has conducted studies on computer crime
countermeasures and reviewed State privacy and security statutes.

STATE GOVERNMENT

States have demonstrated their concerns with protecting automated
information systems. Both State and privacy legislation and ADP management
practices are designed to prevent unwanted disclosure or compromise. The
sensitivity of financial data, inventories, criminal justice arrest records,
medical information, and educational data are a few of the types of State ADP
applications that have merited additional security precautions. While
protection of personal data has been a major concern, States have also begun
t consider preventing computer crime. several States have enacted computer
crime legislation, including Arizona, California, Colorado, Florida,
Illinois, Hichigan, New Mexico, North Carolina, Tennessee, and Utah. some of
this legislation defines types of computer crime and includes specific
penalties. Computer Business Equipment Manufactures Association (CBEMA)
reported that over 15 other States have bills pending before their
legislatures on this subject.

CB.S- 8 IBBOOLE7 UPD..-..."0 5/16/80

PRIVATE SECTOR

Over the years, the private sector (especially computer hardware and
software vendors) has encouraged development of computer security standards
and protective measures. Commercial vendors contributed toward the
development of secure computer systems.. More effective computer memory
management techniques exemplified by Kernel Secure Operating Systems (KSOS),
which provides an always active access check, and improved encryption
standards represent some of the key developments in protecting computers and
information systems. In addition, developments such as virtual memory and
intelligent terminals in which computer capabilities are enhanced, may also
contribute to increasing security of systems. Innovative techniques and
tools have provided more reliable and dependable systems. The computer and
information industries have promoted the development of risk assessment
management techniques and improved computer security methods. one
substantial contribution by the computer industry has been to provide
information and to educate users about computer security and computer crime.

FUTURE CONS IDER ATIONS

p More beneficial and efficient use of computer technology requires that ADP
systems be adequately protected. While computers have certain inherent
features that protect data, appropriate management techniques must be
instituted to assure the security of data. The possibility that computer.
may be used in criminal.activity increases the need to improve security an
risk assessment management. Modern technological advances, such as
electronic message systems, electronic funds transfers, and personal
computers, will apparently place additiona1.demands on the computer safeguard
capabilities. i

mThe protection of data, programs, and computer facilities from abuse and

misuse often requires innovative approaches. Congress has established a role’

in supporting technological and administrative innovations to cope with this
problem. Among the options currently considered and discussed are programs
which would singly or in combination:

-- provide more comprehensive risk assessment planning;

-- develop a.national research program to stimulate
computer security developments including both hardware
and software innovations;

—-encourage intensive evaluation of computer safeguards
and audit techniques; \

-- require that Federal agencies address computer security
issues in the context of overall operation as well
as in design, procurement, and implementation
stages of systems development;

-- develop stringent standards to ensure reliability
of computers and computer-related products, such as
programs and documentation;

- encourageeagencies to audit and analyze information
systems, especially thosersystems containing
sensitive data;

-- require the use of computer security impact statements

in Federal systems; and
-- promote an extensive study by an interagency group to

CBS- 9 IBBOOQ7 UPDATEEOS/16/80

evaluate innovative techniques to cope with computer
crime and abuse .

L§§l§LA$lQE
S. 2&0 (Ribicoff et al.)/ H.R. 6192 (Nelson et al.)

Federal Computer Systems Protection Act of 1979. Amends Title 18, U.S.
Code making it a crime to use Federal computers, financial institution
computers, and those affecting interstate commerce for fraudulent or illegal
purposes. Senate bill was introduced Jan. 25, 1979; referred to Committee on
Judiciary. Committee held hearings Feb. 28, 1980. House bill was introduced
Dec. 19, 1979; referred to Subcommittee on Civil and Constitutional Rights of
the Committee on the Judiciary.

EEA§lE§§

U.S. Congress. Senate. Committee on the Judiciary. Subcommittee
on Criminal Laws and Procedures. Federal Computer Systems
Protection Act. 95th Congress, 2d session. Hearings on
S. 1766. Washington, U.S. Govt. Print. Off., 1979. 213 p.

Hearings held June 21 and 22, 1978.

§l;QE$§_AE2-§QE§B§55IONAL D0CQ!EEI§

U.S. Congress. senate. Committee on Government Operations.
Computer security in Federal programs. Washington, U.S.
Govt. Print. Off., 1977. 298 p.

At head of title: 95th Congress, 1st session. Committee
Print.

———-— Problems associated with computer technology in Federal
programs and private industry: computer abuses. Washington,
U.S. Govt. Print. Off., 1976. H88 p.
At the head of title: 94th Congress, 2d session.
Committee Print.

U.S. Congress. Senate. Select Committee on Intelligence.
Unclassified summary: involvement of NSA in the development
of data encryption standard: staff report. Washington,
U.S. Govt. Print. Off., 1978 4 p.

At head of title: 95th Congress, 2d session. Committee
Print.

5221229!AL-BEEEB§§§E-§QE-Q§§

Becker, Louise B. Computer security architectures in the
80s- An examination of computer and risk assessment in
information handling environment presentation at POSPP
meeting. Jan. 1n-16, 1980. San Diego, Calif. 15 p.
(unpublished)

Krauss, L.I. Computer fraud and countermeasures. Engelwood
Cliffs, N.J. Prentice-Hall, 1979. 52H p.

CBS-1

I3

Parker, Donn B. Crime by computer. New York, Charles Scribner's
Sons, 1976. 308 p.

U.S. Department of Commerce. National Bureau of Standards.
An analysis of computer security safeguards for detecting
and preventing intentional computer misuse. NBS Special
Publication 500-25. Washington, U.S. Govt. Print. Off.,
1978. (various pagings)

---- Computer security guidelines for implementing the Privacy
Act of 1974. (FIPS Pub. 41) May 30, 1975. 20 p.

——-- Data encryption standard. Federal Information Processing
Standards Publication (FIPS Pub. 46) Jan. 15, 1977.
Washington, U.S. Govt. Print. Off., 1977, 18 p.

—---- Government looks at privacy and security in computer systems.
NBS Technical Note 809. Washington, U.S. Govt. Print. Off.,
1974. 37 p.

Guidelines for automatic data processing physical security
and risk management. (FIPS Pub. 31) June 1974. Washington,
U.S. Govt. Print. Off., 1974. 92 p.

U.s. Department of Justice. Law Enforcement Assistance
Administration. National Criminal Justice Information and
 Statistics Service. Coputer crime: criminal justice
resource manual. [Prepared by SRI International]
Washington, U.S. Govt. Print. Off., 1979. 392 p.

0.3. General Accounting Office. Automated systems security--Federal
agencies should strengthen safeguards over personal and other
sensitive data. Jan. 23, 1979. LCD-78-123. Washington,

U.S. General Accounting Office, 1979. 74 p.

---c Challenges of protecting personal information in an expanding
Federal computer network environment. Apr. 28, 1978.
LCD-76-102. Washington, 0.5. General Accounting Office, 1978.
47 p.

0.5. Library of Congress. Congressional Research Service.
Federal jurisdiction under the computer crime bill in light
of proposed amendments [by]

Raymond Natter, Legislative Attorney American Law Division.
Oct. 24, 1979.

[Washington], Library of Congress. Congressional Research
Service, 1979- 9 p.

U.S. Office of Management and Budget. Circular A—71, Responsibilities
for administration and management of automatic data processing
activities. Transmittal memorandum. Security of Federal
automated information systems. No. 1. July 27, 1978.

iﬂashingtpn. 2p.