Computer Security Act of 1987
In 1987, the U.S. Congress, led by Rep. Jack Brooks, enacted a law reaffirming that the National Institute of Standards and Technology (NIST), a division of the Department of Commerce, was responsible for the security of unclassified, non-military government computer systems. Under the law, the role of the National Security Agency (NSA) was limited to providing technical assistance in the civilian security realm. Congress rightly felt that it was inappropriate for a military intelligence agency to have control over the dissemination of unclassified information.
The law was enacted after President Reagan issued the controversial National Security Decision Directive (NSDD) 145 in 1984. The Reagan directive gave NSA control over all government computer systems containing “sensitive but unclassified” information. This was followed by a second directive issued by National Security Advisor John Poindexter that extended NSA authority over non-government computer systems.
Since the enactment of the Computer Security Act, the NSA has sought to undercut NIST’s authority. In 1989, NSA signed a Memorandum of Understanding (MOU) which purported to transfer back to NSA the authority given to NIST. The MOU created a NIST/NSA technical working group that developed the controversial Clipper Chip and Digital Signature Standard. The NSA has also worked in other ways to weaken the mandate of the CSA. In 1994, President Clinton issued Presidential Decision Directive (PDD) 29. This directive created the Security Policy Board, which has recommended that all computer security functions for the government be merged under NSA control.
In 2009, President Obama released the Administration’s Cyberspace Policy Review. The report placed civil liberties and privacy protections at the center of the Administration’s new approach to guarding the nation’s digital infrastructure. Recognizing that privacy and security are complementary values, President Obama stressed privacy protections in every aspect of the new initiative. The Administration created a new National Security Council cybersecurity team that includes a privacy and civil liberties officer.
- Public Law 100-235, The Computer Security Act of 1987.
- U.S. House of Representatives, Science, Space, and Technology Committee Report on the Computer Security Act.
- Memorandum from Clinton Brooks, Special Assistant to the Director, NSA, on NSDD-145 and the CSA (scanned image of document obtained by EPIC under FOIA) — “In 1984 NSA engineered a National Security Decision Directive, NSDD-145, through the Reagan Administration that gave responsibility for the security of all U.S. information systems to the Director of NSA, removing [the National Bureau of Standards, now NIST] from this.”
- Controversial 1989 Memorandum of Understanding between NSA and NIST that attempted to give NSA power over civilian computer security.
- Congressional testimony of EPIC Director Marc Rotenberg on implications of NSA/NIST Memorandum of Understanding.
- Computer System Security and Privacy Advisory Board (CSSPAB) Web site. Congress established the CSSPAB as a public advisory board in the Computer Security Act.
- Text of Presidential Decision Directive 29, creating the Security Policy Board (SPB). Scanned image of the first page of the directive obtained by EPIC.
- Internal memorandum detailing activities of the SPB, obtained by the Federation of American Scientists.
- Press release on EPIC’s lawsuit seeking information on the activities of the SPB.