1991 Annual Report of the National Computer System Security and Privacy Advisory Board

March 1992

TABLE OF CONTENTS

Executive Summary

I. Introduction
- Board's Establishment and Mission
- Board's Charter
- Membership

II. Major Issues Discussed
- NIST's Computer Security Program
- OMB/NIST/NSA Computer Security Agency Visits
- Digital Signature Standard
- Electronic Mail Privacy
- Computer Emergency Response Capabilities

III. Advisory Board Correspondence
- Material Internal Control Weaknesses
- Privacy of Electronic Mail Systems
- NIST's Information Security Program
- Exhibits

IV. 1992 Advisory Board Workplan
- INTRODUCTION
- APPROVED 1992 WORK ITEMS FOR CSSPAB
- Action Items
- Citizen Access to Government Electronic Records
- Data Encryption Standard (DES) Revalidation
- Public Key Cryptography
- Computer Security Guidelines and Standards
- Security Evaluation Process
- Privacy
- Changes in National Computer Security Policies
- Threat and Vulnerability Assessment
- Monitoring Activities
- Security and Open Systems
- Effective Use of Security Products and Features
- Computer Emergency Response Capabilities in Civil Agencies
- International Hacking
- Local Area Network (LAN) Security
- Information Security Foundation
- Implementation of the Computer Security Act
- Security and the Public Switched Network
- Electronic Data Interchange (EDI) Security

V. Conclusions

Executive Summary

This Annual Report documents the activities of the National Computer System Security and Privacy Advisory Board during 1991, its third year. The Board, which met four times during the year, was established by Congress through the Computer Security Act of 1987 to identify emerging computer security issues. Dr. Willis Ware of RAND has served as Chairman of the Board since July of 1989.

The Board formally identified four areas of emerging concern this year and has issued letters containing the Board's positions and recommendations to appropriate Executive Branch officials. These issues were:

- agency lack of compliance with the computer security requirements of OMB Circulars A-130 and A-123;
- the need for users of federal electronic mail systems to be informed of the level of privacy to be accorded their messages;
- specific program recommendations for improving NIST's Information Security Program; and
- the lack of formalized computer emergency response capabilities at federal agencies.

The Board also established a work plan for 1992 which identified candidate topics for in-depth examination. These include:

- Data Encryption Standard (DES) Revalidation;
- Public Key Cryptography;
- Citizen Access to Government Electronic Records;
- Local Area Network (LAN) Security;
- Electronic Data Interchange (EDI) Security;
- Security and Open Systems;
- Threat and Vulnerability Assessment;
- Effective Use of Security Products and Features;
- Status of Computer Emergency Response Capabilities in Civil Agencies; and
- International Hacking.

The Board has expressed a desire to maintain a continuing interest in certain specific aspects of the NIST program or to receive periodic briefings on various critical issues, including:

- Computer Security Guidelines and Standards;
- Security Evaluation Process;
- Privacy;
- Changes in National Computer Security Policies;
- Information Security Foundation;
- Implementation of the Computer Security Act; and
- Security and the Public Switched Network.

With such a list of important topics to examine and reexamine, plus the ever growing number of relevant new issues and public policy questions, it is clear that much work lies ahead for the Board in 1992 and beyond.

I. Introduction

Board's Establishment and Mission

The passage of the Computer Security Act of 1987 (P.L. 100-235, signed into law on January 8, 1988 by President Reagan) established the Computer System Security and Privacy Advisory Board.
The Board was created by Congress as a federal public advisory committee in order to: identify emerging managerial, technical, administrative, and physical safeguard issues relative to computer systems security and privacy.

Appendix A includes the text of the Computer Security Act of 1987, which includes specific provisions regarding the Board. The Act stipulates that the Board:

- advises the National Institute of Standards and Technology (NIST) and the Secretary of Commerce on security and privacy issues pertaining to federal computer systems; and
- reports its findings to the Secretary of Commerce, the Director of the Office of Management and Budget (OMB), the Director of the National Security Agency (NSA), and appropriate committees of Congress.

Board's Charter

The Board was first chartered on May 31, 1988 and was rechartered on May 30, 1990 by then U.S. Department of Commerce Assistant Secretary for Administration Thomas Collamore. (See Appendix B for the text of the current charter.)

Consistent with the Computer Security Act of 1987, the Board's scope of authority extends only to those issues affecting the security and privacy of unclassified information in federal computer systems or those operated by contractors or state or local governments on behalf of the federal government. The Board's authority does not extend to private sector systems (except those operated to process information for the federal government) or systems which process classified information or Department of Defense unclassified systems related to military or intelligence missions as covered by the Warner Amendment (10 U.S.C. 2315).

Membership

The Board is composed of twelve computer security experts in addition to the Chairperson. The twelve members are, by statute, drawn from three separate communities:

- four experts from outside the federal government, one of whom is a representative of a small- or medium-size firm;
- four non-government employees who are not employed by or a representative of a producer of computer or telecommunications equipment; and
- four members from the federal government, including one from the National Security Agency of the Department of Defense.

Currently, Dr. Willis H. Ware, a senior researcher of the Corporate Research Staff of RAND, serves as Chairman of the Board. He was appointed in July 1989 following consultation with Congress which determined that it was inappropriate for a NIST official to chair the Board.

As of December 1991, the full membership of the Board was as follows:

- Chairman
  Willis H. Ware, RAND
- Federal Members
  Bill D. Colvin, National Aeronautics and Space Administration
  Patrick Gallagher, National Security Agency
  Henry H. Philcox, Department of the Treasury, Internal Revenue Service
  Cynthia C. Rand, Department of Transportation
- Non-federal, Non-Vendor
  Chris R. Castro, SRI, Inc.
  John A. Kuyers, Ernst and Young
  Eddie L. Zeitler, Fidelity Security Services, Inc.
  (vacancy)
- Non-federal
  Gaetano Gangemi, Wang Laboratories, Inc.
  Steven B. Lipner, Digital Equipment Corp.
  Stephen T. Walker, Trusted Information Systems, Inc.
  Lawrence L. Wills, International Business Machines Corp.

During 1991, the terms of Mr. Roger Cooper (Department of Justice) and Mr. Robert Courtney, Jr. (RCI, Inc.) expired. One vacancy remains to be filled in the Non-federal, Non-Vendor category.

NIST's Associate Director for Computer Security, Mr. Lynn McNulty, serves as the Board's Secretary and is the Designated Federal Official (DFO) under the Federal Advisory Committee Act. The DFO is responsible for ensuring that the Board operates in accordance with applicable statutes and agency regulations. Additionally, the DFO must approve each meeting and its agenda.
Through the Secretariat, NIST provides financial and logistical support to the Board as stipulated by the Computer Security Act of 1987.

II. Major Issues Discussed

The following section summarizes the discussions held by the Board in 1991. Additionally, the Board accomplishes a great deal of informal, non-decisional, background discussion and preparation for meetings by electronic mail between meetings. The Board's activities also complement the other activities of the Board's members, several of whom are quite active in many aspects of these topics.

Note that the minutes and agenda from the March, June, September, and December meetings are included as Appendices C to F, respectively. The required Federal Register announcement notices for the meetings are presented in Appendix G.

The substantive work of the Board during 1991 was devoted to various topics related to the security of federal unclassified automated information systems. Among the most important were:

- NIST's Computer Security Program;
- OMB/NIST/NSA Computer Security Agency Visits;
- NIST's Digital Signature Standard;
- Electronic Mail Privacy; and
- Computer Emergency Response Capabilities.

NIST's Computer Security Program

During 1991, one item of continuing interest to the Board was NIST's computer security program. In March, the Board was briefed by NIST as to its plans for 1991 and beyond. The Board at that time informally noted its concerns with the scope and adequacy of the program to meet NIST's responsibilities under the Computer Security Act. General discussion indicated that the Board believed that too much of the program is driven by externally funded taskings, drawing attention and resources away from other more important projects. The Board also noted that many projects are understaffed and, as a result, many tasks remain uncompleted and are carried over from year to year.

During the year, the Board issued a recommended program plan to NIST. The plan consolidated the NIST plan into nine items and included the Board's view of the threat environment which should drive NIST's program. (These recommendations, issued in two parts, are included in Section III.) At the December meeting, the Director of NIST's Computer Systems Laboratory, Mr. James Burrows, examined each of the Board's recommendations one at a time, and explained why they could or could not be implemented.

OMB/NIST/NSA Computer Security Agency Visits

As a followup to the computer security plan review process mandated by the Computer Security Act, officials from OMB, NIST, and NSA have been visiting senior officials at federal departments and agencies. The purpose of these visits is to discuss major agency automation efforts, the risks to the agency's mission associated with those automation plans, and the protection that the agency has acquired, or is planning to acquire, through the implementation of security measures. Senior managers are asked to report on three of the agency's most sensitive systems, including the kind of data processed by the systems, the potential threats to the systems, and what measures are being taken to reduce the risks to the systems.

At the March meeting, two panels were convened to discuss these visits. The first panel consisted of representatives from OMB, NIST, and NSA who have been active participants in the visits to federal agencies to review their computer security programs in fulfilling the intent of the Computer Security Act. The panel members reported that agencies have been candid in discussing their problems and that the visits have reinforced the need for additional agency guidance, particularly in the area of networking and laptops. The visits also served to let NIST and NSA know what they could do better to help agencies meet their security requirements. The second panel of three federal agency computer security program managers agreed that the visits were a success. However, all three managers expressed their opinion that feedback from OMB was desirable.

An update of the agency visit program was presented at the June meeting. Agencies have requested guidance on issues such as security of electronic data interchange applications, application of electronic signature technology, and network security. A report on the visit process is to be prepared and completed in the Spring of 1992.

In December the Board voted to send a letter to the Director of OMB noting that the agency visit process has been a success thus far and recommending that a summary report be prepared of the visits. The Board also urged OMB to consider how the message of the visits could be effectively delivered to major federal centers outside the Washington area.

Digital Signature Standard

In August of 1991, NIST proposed a draft Digital Signature Standard (DSS) as a Federal Information Processing Standard. This issue has been of continuing interest to the CSSPAB. The Board was afforded briefings regarding the technical specification of the standard itself as well as a summary of the comments received by NIST (through December) on the standard. In December the Board formally expressed its grave concerns with the draft DSS and directed the Chairman to discuss the Board's concerns with the Director of NIST.

Electronic Mail Privacy

The Board initially examined the issue of electronic mail privacy and security in 1990. During 1991, the Board again considered the issue and agreed to send a letter to the Director of NIST recommending that users of federal e-mail systems be advised of the level of privacy to be accorded their messages.

Computer Emergency Response Capabilities

The ability of federal agencies to respond to computer emergencies, including virus incidents, was raised as a concern among Board members in 1991. The Board convened a panel of experts to discuss the current response system and requested that NIST contact federal agencies to determine whether most agencies had formalized response capabilities in place. Upon hearing that most did not, the Board formally recommended to OMB that it advise federal agencies of the need to properly plan and organize for computer emergencies.

III. Advisory Board Correspondence

During 1991, the Board issued letters reporting its findings on three important issues:

- material internal control weaknesses;
- privacy of electronic mail systems; and
- NIST's information security program.

Also, the Chairman prepared correspondence to the Office of Management and Budget regarding computer emergency response capabilities and the need to properly plan and organize for computer emergencies. The Board recommended that during the forthcoming revision of the security appendix to OMB Circular A-130, existing contingency planning requirements should be enhanced to include the need to plan for such computer emergencies as viruses, malicious external attacks, and other similar events.

The Board also informed the Office of Management and Budget of its view of the progress of the Computer Security Act agency visit program described in OMB Bulletin 90-08 and the positive comments from all of those involved in the visits. The Board recommended that OMB build upon the successful formula that has produced the positive results. The Board believes that the emphasis on underscoring management involvement as a fundamental prerequisite for an effective computer security program is appropriate and should be maintained in a subsequent initiative. The Board also urged OMB to consider how this message can be effectively delivered to major federal centers and activities outside of the Washington area.
Material Internal Control Weaknesses

On May 17, 1991, the Board issued a letter to the Director of OMB advising him of its unanimous approval of a proposal to address agency lack of compliance with the computer security requirements of OMB Circulars A-130 and A-123. The Board recommended that OMB require that lack of compliance with certain of these requirements be defined as "material internal control weaknesses" which should then be required to be reported to the President and OMB under the Federal Managers Financial Integrity Act.

Privacy of Electronic Mail Systems

On June 19, 1991, the Board issued a letter to the Director of NIST advising him that users of federal electronic mail systems should be informed of the level of privacy to be accorded their messages. The Board recommends that NIST work with OMB to identify a suitable means of implementation. Two approaches were suggested: 1) uniform government-wide guidance or 2) agency-specific guidance to be developed by each agency. Each approach has benefits and drawbacks. Uniform regulations, by definition, would be consistent across the government, although their implementations could vary. On the other hand, individual agency policies may be more appropriate for each agency's operating environment and constituency. Whichever approach is taken, departments and agencies should be required to inform users of the level of privacy which they can expect.

NIST's Information Security Program

The Board also issued its findings on August 22 and October 22, 1991, regarding NIST's Information Security Program. In March, NIST presented its program consisting of twenty-four items. The Board recommended its program of nine elements as appropriate to the current and near-term threat environment, with the objective of improving the level of federal computer security by focusing the NIST security program on critical areas in which results are urgently needed.

Exhibits

The Board's correspondence and replies (when received) are included in the following exhibits:

- Exhibit I: Letter from Chairman Ware to Director Darman of OMB on material internal control weaknesses
- Exhibit II: Letter from Chairman Ware to Director Lyons of NIST on privacy of electronic mail systems
- Exhibit III: Answer from Director Lyons of NIST to Chairman Ware
- Exhibit IV: Letter from Chairman Ware to Director Lyons of NIST on NIST's Information Security Program
- Exhibit V: Answer from Director Lyons of NIST to Chairman Ware
- Exhibit VI: A second letter from Chairman Ware to Director Lyons of NIST on NIST's Information Security Program
- Exhibit VII: Letter from Chairman Ware to Director Darman of OMB on computer emergency response capabilities
- Exhibit VIII: Answer from Director Darman of OMB to Chairman Ware
- Exhibit IX: Letter from Chairman Ware to Director Darman of OMB on the Computer Security Act agency visit program (Reply anticipated in 1992.)

Exhibit I

THE NATIONAL COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD

MAY 17 1991

Honorable Richard G. Darman
Director, Office of Management and Budget
Old Executive Office Building
17th Street and Pennsylvania Avenue, NW
Washington, DC 20515

Dear Mr. Darman:

The Computer System Security and Privacy Advisory Board was established within the Department of Commerce by the Computer Security Act of 1987, P.L. 100-235. The charter of the Board establishes a specific objective for the Board to advise the National Institute of Standards and Technology (NIST) on security and privacy issues pertaining to federal computer systems. The Board is also to inform the Office of Management and Budget (OMB), the National Security Agency, and appropriate Congressional committees of our findings.

The purpose of this letter is to advise you of the unanimous approval of the Advisory Board of our proposal (enclosed) to address agency lack of compliance with the computer security requirements of OMB Circulars A-130 and A-123.
We recommend that: OMB require that lack of compliance with certain of these requirements be defined as "material internal control weaknesses" which would then be required to be reported to the President and OMB under the Federal Managers Financial Integrity Act.

We feel that this procedure will significantly raise the level of compliance with established computer security requirements. Implementing the recommendation will require coordination between NIST and OMB; however, we have already coordinated our position with NIST and OMB personnel who attended the Board meeting in March.

Thank you for your consideration of our recommendation.

Sincerely,

Willis H. Ware
Chairman

Enclosure

Exhibit II

THE NATIONAL COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD

Jun 19 1991

Dr. John W. Lyons
Director
National Institute of Standards and Technology
Gaithersburg, MD 20899

Dr. Lyons:

As you know, the Computer System Security and Privacy Advisory Board was established within the Department of Commerce by the Computer Security Act of 1987, P.L. 100-235. The charter of the Board establishes a specific objective for the Board to advise the National Institute of Standards and Technology (NIST) and the Secretary of Commerce on security and privacy issues pertaining to Federal computer systems.

The purpose of this letter is to advise you of the unanimous view of the Advisory Board that users of federal electronic mail systems be informed of the level of privacy to be accorded their messages. To accomplish this, the Board recommends that NIST work with OMB to identify a suitable means of implementation.

In the discussions with OMB, we suggest that careful consideration be given whether such guidance should be uniform across the government or developed and issued by individual departments and agencies. Each approach has benefits and drawbacks. Uniform regulations, by definition, will be consistent across the government, although their implementations may vary. On the other hand, individual agency policies may be more appropriate for each agency's operating environment and constituency. Whichever approach is taken, departments and agencies should be required to inform users of the level of privacy which they can expect.

Since computer system administrators and system programmers commonly have access to all data in the machine, the Board believes that every agency or department should establish a policy prohibiting casual reading of electronic mail by such individuals. Access to mail records should be permitted only as required by emergency or system failure circumstances. On the other hand, management personnel can also have access to the mail of others, and it is not clear what the appropriate policy should be. Each agency and department must examine this aspect with regard to its own management attitudes and philosophy, and establish an appropriate policy.

Without a full understanding of the legal and regulatory environment which may apply (e.g., the Freedom of Information Act), the Board cannot take a position as to what level of privacy should or can be, only that it be developed and users fully informed. However, we observe that much e-mail traffic is in the nature of interoffice mail and as such is related to the business of the organization. In this case, the individual sending or receiving electronic messages should have no expectation of privacy unless the organization has taken specific steps to assure it.

In addition to our concern for the privacy of electronic mail, we believe federal agencies should also address its security aspects. In particular, the positive authentication of message originators and the confidentiality of electronic messages while in transit and in computer systems are major concerns. Security technology is already available which agencies should be encouraged to utilize now. An important new capability will be the digital signature standard which NIST intends to propose shortly and which will address the user authentication matter.

Thank you for your time and consideration of our recommendation. I am available to discuss this with you at your convenience.

Sincerely,

Willis H. Ware
Chairman

Exhibit III

UNITED STATES DEPARTMENT OF COMMERCE
National Institute of Standards and Technology
Gaithersburg, Maryland 20899
OFFICE OF THE DIRECTOR

JUN 26 1991

Dr. Willis H. Ware
Chairman, The National NIST Computer System Security and Privacy Advisory Board
The Rand Corporation
1700 Main Street
Santa Monica, CA 90406-2138

Dear Willis,

Thank you for your letter from the Advisory Board on the subject of the security of electronic mail. I, as a user, am keenly aware of the problem and am grateful to you for pointing out that we should do something about this. Please be assured we shall address this matter.

Sincerely,

ORIGINAL SIGNED BY JOHN W. LYONS

John W. Lyons
Director

Exhibit IV

THE NATIONAL COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD

AUG 22 1991

Dr. John W. Lyons
Director
National Institute of Standards and Technology
Gaithersburg, MD 20899

Dear Dr. Lyons:

As you know, the Computer System Security and Privacy Advisory Board was established within the Department of Commerce by the Computer Security Act of 1987, P.L. 100-235. The charter of the Board establishes a specific objective for the Board to advise the National Institute of Standards and Technology (NIST) and the Secretary of Commerce on security and privacy issues pertaining to Federal computer systems.

The purpose of this letter is to provide you with the Advisory Board's recommendations (enclosed) for improving NIST's Information Security Program. Our proposal begins with a discussion of the current and near-term threat environment, thereby providing the context for the plan which follows.
In contrast to the twenty-four items in NIST's program (as presented to us in March), our recommended program has nine elements. The Board believes that these nine items can contribute in a very significant way toward improving the level of federal computer security by focusing the NIST security program on critical areas in which results are urgently needed.

You should be aware that we have already discussed our recommendations with Mr. James Burrows at our meeting in June. He indicated that NIST would be prepared to respond to our proposals at the September Advisory Board meeting.

Thank you for your time and consideration of our recommendation. I am available to discuss this with you at your convenience.

Sincerely,

Willis H. Ware
Chairman

Enclosure

A PROPOSED NIST INFORMATION SECURITY PROGRAM

INTRODUCTION

The following material is a plan devised by the Advisory Board for presentation to NIST as the Board's suggestions for improving the NIST information security program. This plan does not have the highly detailed structure which NIST brought to the March CSSPAB meeting, nor is that necessary for the immediate purpose of presenting a wholly different plan.

The current NIST program has twenty-four line items. The one proposed here has nine. These nine items are not consolidations of the twenty-four. They are nine discrete items which can contribute in a very meaningful way to the safety of our rapidly increasing dependence on computer-based systems.

Throughout this document, the word security, without modifiers, should be read to mean information security.

THE CURRENT AND NEAR-TERM THREAT ENVIRONMENT

In support of the recommendation of a specific NIST information security program, it is necessary to describe the security environment on which recommendations are based. The quite diverse array of experience encompassed by the members of the CSSPAB permits the Board to describe a threat environment on which NIST can safely base its security program, provided only that it maintain an awareness of any emerging and unanticipated problems. The CSSPAB believes the following statements to accurately describe the general threat environment and related considerations on which NIST should base its security program.

1. The Absence of Significant Discontinuities in the Threat Environment.

Over the past twenty years and continuing until today, the distribution of loss to computer security incidents among several general categories has remained fairly constant. There have been no major and abrupt changes wholly out of keeping with long term, clearly discernible trends. The most significant changes in the threat complement have been viruses, attacks on the public switched networks, and opportunities for harm presented by a worldwide Internet spanning multiple countries and organizations. None of these relatively new problems have generated losses exceeding 1% of the total cost of our security-related losses in the information systems environment. The inclusion of the security losses associated with LANs will still not top the 1% mark. (The source of the data supporting the 1% figure is described later in paragraph 3.)

It is doubtful that viruses would be a meaningful problem had the microcomputer not been introduced. The penetrations into the public switched networks are directly attributable to the broadly-based assimilation of computer-based switches into those networks. These two instances and the problems posed by the Internet are but the most recent of a long series of security problems that have been encountered because we failed to consider carefully the security implications of many advances in data processing technology before putting them to use without adequate safeguards.

In general, threats do not create vulnerabilities.
The inverse is more commonly true. We build into our systems vulnerabilities to avarice, malice, carelessness, loyalties to other countries or organizations of persons with access to our systems, poorly trained and poorly motivated employees, technical show-offs, and irresponsibly directed curiosity. Those unfortunate characteristics of human nature, coupled with vulnerabilities to fires, floods, earthquakes, equipment failure and the many other similar and unfortunate things which can happen, are the origin of most security problems. Thus,' more often than not, the Vulnerabilities have the effect of encouraging specific threats. Our weaknesses are often the opportunities for others once they are aware of them. It is generally true that it is very easy to design a system which, after it is built, is very difficult if not impossible to secure in an economically feasible way. It is also true, however, that it is usually not difficult to design a system providing the needed functionality but which is adequately secure if security is among the initial and basically coequal functional objectives. Thus, it is usually unnecessary, but nevertheless common, to invite threats through the incorporation of vulnerabilities into our designs. Many of the systems which pose the more severe security challenges are those which evolved, Topsy-like, a component at a time, until it was belatedly recognized that the result was a complex difficult, if not sometimes impossible, to secure. Concern for the ability to secure, after the fact, systems which were developed with little or no concern. . for security must be a major consideration in fur design of security controls. However, the security needs of such systems must not be allowed to wholly dominate the programs to devise means for achieving security. 
Even though some of the more severe challenges are in existing systems, this should not be allowed to detract, by diversion of resources, from the drive to achieve adequate, economically feasible security.

2. The Relative Importance of Threats.

It is not a simple task to rank threats in accord with their relative importance. It is improper to assign relative importance to threats except in terms of both the consequences they produce and their probability of occurrence. Both the consequences and the probabilities of the realization of specific threats are clearly system unique. Threats cannot be weighed by just the severity of their consequences, because to do that is to ignore their probabilities of occurrence. Some of the most severe threats have probabilities of occurrence so low as to justify accepting the risks they present. If in the past we had ignored the probabilities of occurrence and weighed only the consequences, we would all now be wondering what to do with the few million bomb shelters in our back yards. The relative severity of threats clearly varies as a function of the attractiveness of the target systems, their geographic locations, and other factors often including the perceived quality of the security provided them.

Threats should not be ranked by the number of security incidents attributable to a particular threat. If that is done, the incidents encountered or anticipated could then include huge numbers of relatively unimportant things while Illinois Bell's Hinsdale fire would be only one instance even though the cost to its customers exceeded $500 million. If threats are assessed in terms of the economic consequences, we have a workable basis for ranking them. No other basis has been shown to be workable in the information security environment. A major problem with ranking by economic consequences is the difficulty of costing social consequences, including loss of national security.
It is commonly argued that we cannot put a price tag on such matters as personal privacy or national security when, in reality, we do it quite routinely though haphazardly. Quite often we draw a line at what we are willing to spend, in dollars or inconvenience, to protect a facility or a system of records even though we know that there is residual vulnerability which can be eliminated by paying a higher price. In protecting against hard-to-quantify losses, the line is more often drawn at what we can afford, what is politically acceptable, or what we want to spend than it is related to the magnitude of the unfortunate consequences if the security is compromised.

3. Threat Rankings.

A survey of several hundred public and private sector organizations in the United States, Canada, and in seven western European countries reveals remarkable consistency in the relative importance or cost of the information security problems they encounter. Further, these rankings have remained quite stable over a period of thirteen years. Not only have their relative positions remained unchanged, so have the percentages of loss attributable to each problem category remained almost unchanged. For this reason, we should rely on these rankings until we have data indicating the need for change in them. These data indicate clearly that there is no basis for anticipation of an abrupt shift in the problem environment unless a specific cause for that shift can be identified. The categories into which the problems have been placed and the percentages of economic loss attributable to each are these:

- 65% errors and omissions
- 13% dishonest employees
- 6% disgruntled employees
- 8% loss of supporting infrastructure, including power, communications, water, sewer, transportation, fire, flood, civil unrest, strikes, etc.
- 5% water, not related to fires and floods
- <3% outsiders, including viruses, espionage, dissidents and malcontents of various kinds, and ex-employees who have been away for more than 6 weeks

It might seem that minor variations in such a major category as errors and omissions would make the percentages attributable to the other categories highly unstable, but such has not been the case. For example, the factors which raise or lower losses to errors and omissions often have similar effects on losses to dishonest and disgruntled employees. For this reason, even though the size of the total losses may change, the apportionment among the categories has been fairly stable. Again, these apportionments do not so much reflect the magnitude of the threats as they do the generality of the security weaknesses encountered in a large system population.

The data supporting the apportionments were derived from a study of 1,347 incidents, exclusive of errors and omissions, over a period of three years ending February 1991. Similar data extending back over thirteen years are also available. The data on errors and omissions were obtained from 442 organizations over that same three-year period and from 2404 organizations over the thirteen-year period. Voluminous questionnaires were used in gathering the data, but they were completed by investigators during on-site visits. For example, the one for incidents of computer-related employee dishonesty has fifty-one pages.

One criticism which might be made of these data will come from the assertion that "those are just about the same numbers that we have seen for years." That is true and it is also the reason why they should be used. They clearly demonstrate the relative stability of the problem environment and provide justification for not anticipating seriously disruptive discontinuities in the threat environment until we have identified a credible cause for them.

4. New Threats.

The continued rapid expansion in our dependence on computer-based systems and the continued increase in the complexity of such systems bring with them, as they have for the past two decades, the need for new security measures, both technological and procedural, to counter the threats which result from their introduction. Twenty years ago the needed measures included such elemental things as write verification and protection against improper disk pack swapping. The then-current security design deficiencies included such things as designs that required the operators at the consoles to enter the users' passwords. We continue to add measures and, now as then, only after problems have been encountered and we suffer losses. There was then and there is now a need to consider the security implications of technical advances when we reduce those advances to practice and not later after we have been hurt.

The greatest single change in the nature of data processing, with the exception of the microcomputer explosion, is the rapid increase in the communication of data among networked computers. Considerable unnecessary concern has been generated as a consequence of postulating dire threats resulting from this still increasing networking even though there are no signs of abrupt changes in the nature or magnitude of the associated threats. There is a real possibility that the greatest threat to the continued evolution of economically feasible, highly useful networks will be over-reaction to relatively minor security incidents. Indeed, it is not unreasonable to suggest that the real damage done by the Internet worm will be to the ease of use of that complex by those who would secure it. The overselling of security threats can itself be a problem often as threatening as the postulated problems.
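The ranking argument of items 2 and 3 above (weigh each threat by probability of occurrence times economic consequence, then express the result as a share of total loss) can be made concrete with a small added example. The code below is written for this edition and is not the Board's or NIST's; every figure in it is constructed. The sample population was chosen so that the resulting expected-loss shares roughly resemble the apportionment shape reported in item 3, but it is not the survey data. It shows that the same population ranks in three different orders depending on whether one counts incidents, looks only at worst-case consequence, or uses probability-weighted loss, which is the point item 2 makes with the Hinsdale fire and the bomb shelters.

```python
"""Ranking threat categories three ways: by incident count, by worst-case
consequence, and by expected economic loss (probability x consequence).

All figures below are constructed for illustration; they are not the
survey data reported by the Board.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatCategory:
    name: str
    incidents_per_year: float   # expected frequency of realization
    loss_per_incident: float    # average economic consequence, in dollars

    @property
    def expected_annual_loss(self) -> float:
        """Probability-weighted consequence: the ranking basis item 2 argues for."""
        return self.incidents_per_year * self.loss_per_incident


# Constructed sample population (hypothetical numbers, not the report's data).
# The infrastructure row mimics a rare but very costly event like the Hinsdale
# fire mentioned above: roughly one occurrence in 500 years, $500M when it happens.
SAMPLE = [
    ThreatCategory("errors and omissions", 5_000, 2_000),
    ThreatCategory("dishonest employees", 40, 50_000),
    ThreatCategory("disgruntled employees", 20, 45_000),
    ThreatCategory("loss of supporting infrastructure", 0.002, 500_000_000),
    ThreatCategory("outsiders (viruses, ex-employees)", 300, 1_000),
]


def rank_by_incident_count(cats):
    """The ranking the text warns against: many trivial incidents dominate."""
    return [c.name for c in sorted(cats, key=lambda c: c.incidents_per_year, reverse=True)]


def rank_by_worst_case(cats):
    """Severity only, ignoring probability: the 'bomb shelter' ranking."""
    return [c.name for c in sorted(cats, key=lambda c: c.loss_per_incident, reverse=True)]


def rank_by_expected_loss(cats):
    """Economic consequence weighted by probability of occurrence."""
    return [c.name for c in sorted(cats, key=lambda c: c.expected_annual_loss, reverse=True)]


def loss_shares(cats):
    """Percentage of total expected annual loss attributable to each category,
    the same apportionment form the survey in item 3 uses."""
    total = sum(c.expected_annual_loss for c in cats)
    return {c.name: round(100.0 * c.expected_annual_loss / total, 2) for c in cats}


def acceptable_risks(cats, tolerance_per_year):
    """Categories whose expected annual loss falls under a tolerance, i.e. risks
    that item 2 says may justifiably be accepted rather than countered."""
    return [c.name for c in cats if c.expected_annual_loss < tolerance_per_year]


if __name__ == "__main__":
    for label, ranking in [("by incident count", rank_by_incident_count(SAMPLE)),
                           ("by worst case", rank_by_worst_case(SAMPLE)),
                           ("by expected loss", rank_by_expected_loss(SAMPLE))]:
        print(f"{label:18}: {ranking}")
    print("loss shares (%):", loss_shares(SAMPLE))
    print("acceptable below $500k/yr:", acceptable_risks(SAMPLE, 500_000))
```

With these constructed inputs the incident-count ranking puts outsiders second and infrastructure last, the worst-case ranking puts infrastructure first, and the expected-loss ranking puts errors and omissions first with roughly 70% of the total, which is the ordering the survey figures above describe. The tolerance in acceptable_risks is a hypothetical management threshold, not a value from the report.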
There is still a widespread fear in the public and private sectors that cryptographic techniques impose unacceptable complexity on a system and greatly increase the serviceability problems. Because of this, many organizations have not bothered to find that cryptography is not nearly so complex and not nearly so expensive as they believe it to be and, because it is not expensive, is an economically feasible way for protecting the integrity and confidentiality of communications. The rapidly evolving networking of systems clearly requires the continued rapid development of cryptographic systems which can accommodate the security needs of these complex systems. It is anticipated that this requirement will be reflected in the product-level standards and guidelines which are recommended below. Certainly a significant threat to the confidentiality of proprietary data held by multinational corporations, and ranking immediately after that of departing employees, is communications intercept on satellite links. In spite of that, typically there is a lack of familiarity with and a fear of using commercial cryptography, and together they remain a real barrier to countering the threat.

Exhibit V

UNITED STATES DEPARTMENT OF COMMERCE
National Institute of Standards and Technology
OFFICE OF THE DIRECTOR

September 9, 1991

Dr. Willis H. Ware
Chairman
The National Computer System Security and Privacy Advisory Board
Gaithersburg, MD 20899

Dear Willis:

Thank you for your letter of August 22 and the enclosed recommendations. I have gone through it and marked it up in several places and will be reviewing it with Jim and his team. With Ray Kammer's departure I have to rethink our working relations with other Federal agencies; your comments should help me with that too. Thank you for the report.

Sincerely,
John W. Lyons
Director

cc: JHBurrows

Exhibit VI

THE NATIONAL COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD

OCT 22 1991

Dr. John W. Lyons
Director
National Institute of Standards and Technology
Gaithersburg, MD 20899

Dear Dr. Lyons:

Enclosed herewith is a second document which sets forth the Advisory Board's context for the conduct of the CSL research program. Actually this and our July letter are two parts of one document but have been sent you in reversed order. If you will please put the enclosed item on top of the prior one, the two together will become a coherent treatment of the Board's concerns about the program as previously presented to us. The Board was particularly concerned and sensitive to the question of the boundary between the FIPS which NIST will publish for secure computer systems and the Criteria which NCSC has published and may revise. We feel it especially important that the vendor industry not have to market different products conforming to the requirements of your FIPS but separately to the NCSC Criteria. Our best attempt to express our concerns is the fourth paragraph of section four on page two. We think it might be well for your office to maintain some visibility over the NCSC/CSL interaction and the FIPS/Criteria interface to assure the best interests of the country are served. We are available to discuss these two documents at your request.

Sincerely,
Willis H. Ware
Chairman

Enclosure

A CONTEXT FOR THE NIST SECURITY PROGRAM

I. POLICIES, POSITIONS AND RELATIONS.

1. NIST Security Program Orientation - The principal thrust of the NIST/CSL security program should be to establish NIST/CSL as the preeminent authority to which the agencies of the federal government and, less directly, state and local agencies and the private sector look for leadership in information security. While NIST/CSL is often asked to perform consulting roles for agencies dealing with unclassified information, it should do so only to the extent that it does not limit the accomplishment of its principal thrust.
NIST/CSL must issue such standards and guidelines in information security as will benefit a broad segment of its constituency. As noted below, it should take an aggressive stance in advancing the interests of both the civil agencies and the U.S. vendor community by devising workable and potentially acceptable proposals for cooperating with European security initiatives.

2. Selling the NIST/CSL Program - NIST/CSL should aggressively sell the benefits to the federal government of its security activities. Too many members of Congress, congressional and OMB staffers, and many others in the government consider information security to be no more than protection of data against unauthorized disclosure (confidentiality). The principal justification for funding the NIST/CSL security program should be the obvious benefits to the federal government, to state and local governments and to the private sector of having data which have, as appropriate, the characteristics of accuracy, timeliness, completeness, and confidentiality. The decision makers need to understand that money spent enhancing these characteristics of data is money returned several fold in increased effectiveness and reduced cost of government. Unless the visibility of NIST/CSL's activities in computer and communications security is raised, there seems little reason to expect the major increases in funding needed to let NIST/CSL do what is really needed of it - and no one is able to raise its profile but NIST/CSL itself and, to a very limited extent, the Advisory Board.

3. NIST/CSL-NSA Relations - By both law and executive order, NIST/CSL and NSA perform significantly different functions in support of different though overlapping constituencies. The challenge for both agencies is to cooperate where necessary and appropriate without engaging in a burdensome and potentially endless process of coordination.
Because the resources available to NIST/CSL are much smaller than those of NSA, the potential loss of productive effort is of much more concern to NIST/CSL. There are, however, areas where NIST/CSL and NSA must either coordinate their efforts or clearly delineate the boundaries between their activities. In the area of cryptography, where certain responsibilities have been given to NSA by both law and presidential directive, there is a need for a high level of cooperative activity. While both agencies are active in the area of operating system ("trusted system") computer security, a delineation of responsibilities such as proposed in section 4 below is desirable. Cooperative endeavors should not be rejected out of hand, but neither can cooperation be a forced goal for its own sake. It must be, rather, a basis for a mutually beneficial exchange of information. As it is charged to do by P.L. 100-235, NIST/CSL must maintain awareness of pertinent technical developments within NSA which might benefit the constituency of the NIST/CSL security program and incorporate into the NIST/CSL program those developments appropriate to the program.

4. NIST/CSL and NSA Roles re Evaluation Criteria - It should be anticipated that most or all vendors will, in time, enhance the basic design of their operating systems and the supporting hardware to the end that C2 or B1 capabilities will be uniformly available and no longer optional for the customer except to the extent that such things as access control or individual accountability may have no meaning in specific applications and are not then imposed. NIST/CSL, with support from NSA, should take responsibility for the development and promulgation of criteria in the form of FIPS for what has until now been referred to as C2/B1 of the DoD Trusted Computer Security Evaluation Criteria.
Testing and evaluation of systems which meet these criteria should be conducted under the auspices of the National Voluntary Laboratory Accreditation Program. NSA, with support from NIST, should continue to develop and promulgate criteria for B2 and higher levels of trust and to conduct evaluations as appropriate for these levels. There will likely be a tension between the desire for compatibility and continuity of the NIST/CSL criteria with those of NSA. NIST/CSL and NSA should each weigh carefully the needs of users, the security threats to be addressed, the needs of suppliers, and the desire for compatibility with other criteria (e.g., the European ITSEC) in determining what level of compatibility and continuity is appropriate. Draft criteria should be subject to trial use on systems of real-world scope and complexity, and the trial use experiences documented before the criteria are finalized. It is desirable that there be compatibility and continuity of the NIST/CSL criteria with those of NSA.

5. Other Agency Activities - NIST/CSL should undertake outside funded activities when they are consistent with and contribute toward the accomplishment of NIST/CSL's principal thrust. NIST/CSL should perform a careful review of its outside activities for FY92 and beyond and seek to terminate in an appropriate and timely manner those which do not directly support its basic goals and obligations.

6. Cryptography - NIST/CSL must continue its essential role in support of suitable cryptographic protection for the civil agencies and the private sector. Specific product-level activities are a subset of paragraph 11.5 of the document "A Proposed NIST R&D Information Security Program." There is need for continued pursuit of exportable algorithms. The current arrangement is seriously inadequate to the security needs of many organizations needing secure trans-border communications.
Such security is essential to the national security even though the data are not those usually recognized as "national interest" data. The economic well-being of the U.S. business community is an extremely important national interest matter.

7. CERTs - NIST's activities in this aspect of the program should be limited to coordination and facilitation of federal agency activities. NIST should undertake no responsibilities that properly belong in operational agencies.

Exhibit VII

THE NATIONAL COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD

January 7, 1992

Honorable Richard Darman
Director, Office of Management and Budget
Old Executive Office Building
Washington, DC 20503

Dear Mr. Darman:

As provided by the Computer Security Act of 1987, I would like to take this opportunity to report to you that the Computer System Security and Privacy Advisory Board has reached consensus on an emerging issue affecting the security of federal computer systems. The problem that we bring to your attention is the apparent lack of formalized computer emergency response capabilities on the part of most federal agencies which operate unclassified computer systems and networks. The need for formalized, structured emergency response capabilities was underscored at the time of the malicious software attack on the INTERNET in November 1988. As a result of that event the Department of Defense established the Computer Emergency Response Team at Carnegie Mellon University. The value of the activity has been proven repeatedly over the past few years, and its success has led to the creation of eleven similar centers within the Department of Energy, the National Aeronautics and Space Administration and the military services. During our September 1991 meeting, the Board requested that personnel from the National Institute of Standards and Technology informally survey the federal community for the purpose of identifying other organized computer emergency response structures.
This informal survey identified no additional formally structured computer emergency response entity that could be activated in the event of a significant computer and/or telecommunications network emergency. Although we note that most agencies appear to be dealing effectively with localized incidents of computer viruses, this approach may not be adequate to enable them to respond to a highly sophisticated or large scale attack. We believe the establishment of such a structured response capability within most agencies to be highly desirable. The public interest will be best served with the creation of organized computer emergency response capabilities. Proper planning, together with comprehensive management procedures and oversight, may well produce cost savings when compared to uncoordinated, ad hoc attempts to respond to computer emergencies. Accordingly, the Computer System Security and Privacy Advisory Board urges that the Office of Management and Budget undertake the following actions:

- Promptly advise Federal agencies of the need to properly plan and organize for computer emergencies. A new NIST publication, "Establishing a Computer Security Incident Response Capability," should be useful to agencies in the development of these capabilities.

- During the forthcoming revision of the security appendix to OMB Circular A-130, existing contingency planning requirements should be enhanced to include the need to plan for such computer emergencies as viruses, malicious external attacks, and other similar events.

We believe that the lack of an adequate computer emergency response capability within federal agencies is a significant vulnerability that can be reduced through the recommended actions. I appreciate the opportunity to express the recommendations of the Computer System Security and Privacy Advisory Board. You can reach me through the RAND Corporation, 1700 Main Street, P.O. Box 2138, Santa Monica, CA 90406-2138.

Sincerely,
Willis H. Ware
Chairman

Exhibit VIII

EXECUTIVE OFFICE OF THE PRESIDENT
OFFICE OF MANAGEMENT AND BUDGET
WASHINGTON, D.C. 20503

Feb 6, 1992

Dr. Willis H. Ware
Chairman, National Computer System Security and Privacy Advisory Board
National Institute of Standards and Technology Building
Gaithersburg, MD 20899

Dear Dr. Ware:

Thank you for your letter of January 7, 1992 to Director Darman concerning the need for Federal agencies to establish computer emergency response capabilities. As you know, the Office of Management and Budget (OMB) has long had an interest in assuring the adequate security of Federal computer systems. In our view, security includes not only efforts to prevent incidents, but also the ability to detect and recover from them should they occur. Integral to recovery is planning and organization for such contingencies. In accordance with the Board's recommendation, I recently forwarded copies of the National Institute of Standards and Technology publication, "Establishing a Computer Security Incident Response Capability," to senior information resources management officials representing Federal departments and agencies and asked them to consider establishing such programs. Additionally, I can assure you that we will give great weight to the Board's recommendation that we include an explicit emergency response requirement in our forthcoming revision to Appendix III of OMB Circular No. A-130. As always, it is a pleasure to hear from you and the Board. I look forward to our future opportunities to work together.

Sincerely,
James B. MacRae, Jr.
Acting Administrator and Deputy Administrator
Office of Information and Regulatory Affairs

Exhibit IX

THE NATIONAL COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD

January 9, 1992

Honorable Richard Darman
Director, Office of Management and Budget
Old Executive Building
Washington, DC 20503

Dear Mr. Darman:

As provided by the Computer Security Act of 1987, I am pleased to submit the following report from the Computer System Security and Privacy Advisory Board for your consideration. During the last three Advisory Board meetings we have reviewed the progress of the Computer Security Act agency visit program described in OMB Bulletin 90-08. In accomplishing this project we have heard from a wide variety of federal employees involved in various aspects of this effort. These individuals have included members of the OMB staff responsible for planning and executing the visit program; agency computer security officials and senior information management executives; and participants from the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA). I am very pleased to state that we have heard nothing but positive comments from all of those involved in the agency visit program. We have been particularly impressed with the enthusiastic reactions of agency participants, who have advised the Board that visits to their agencies have resulted in greater awareness of computer security issues on the part of senior officials in their organizations. This, in turn, has resulted in enhanced management support for agency computer security programs. The Board notes that within the next few months OMB/NIST/NSA representatives will have completed visits to all of the agencies included in the initial Bulletin 90-08 program. We believe that it would be very beneficial if a summary report documenting the results of this activity were prepared and shared with concerned agency and Congressional officials, as well as interested private citizens. The pending conclusion of visits projected in Bulletin 90-08 will require OMB officials to plan for additional activities designed to sustain the spirit and intent of the Computer Security Act of 1987.
In planning these future activities, our Advisory Board recommends that OMB build upon the successful formula that has produced the positive results noted above. We believe that the emphasis on underscoring management involvement as a fundamental prerequisite for an effective computer security program is appropriate and should be maintained in a subsequent initiative. The Board also urges OMB to consider how this message can be effectively delivered to major Federal centers and activities outside of the Washington area. I appreciate the opportunity to express the views of the Computer Security and Privacy Advisory Board. I look forward to your response. You can reach me through the RAND Corporation, 1700 Main Street, P.O. Box 2138, Santa Monica, CA 90406-2138.

Sincerely,
Willis H. Ware
Chairman

IV. 1992 Advisory Board Workplan

I. INTRODUCTION

This section sets forth the proposed 1992 work plan for the Computer System Security and Privacy Advisory Board (CSSPAB). This document, approved by the Advisory Board, is intended to be used as a planning guide for the Board's 1992 activities. The Board recognizes that other subjects not previously identified in this planning document may arise during 1992. The Board reserves the right to address any matter that pertains to its fundamental missions and may modify its program plan to meet evolving situations and changing priorities.

II. APPROVED 1992 WORK ITEMS FOR CSSPAB

A. Action Items.

The Board will examine the following new topics during its 1992 program year:

A.1. Citizen Access to Government Electronic Records.

There is considerable discussion underway concerning this issue. A legislative proposal, S. 1940, "Electronic Freedom of Information Improvement Act of 1991," was recently introduced for Congressional consideration. The Board will examine the information system security and related privacy issues inherent in this important public policy debate.

A.2. Data Encryption Standard (DES) Revalidation.
The DES will come up for revalidation in early 1993; however, the public policy issues underlying any decision to revalidate DES or move to another encryption standard will be decided during 1992. The Advisory Board may be the only public forum, outside of the Congress, where this matter can be discussed in a dispassionate manner by knowledgeable individuals from the public and private sectors. The Board will review developments in this subject area.

A.3. Public Key Cryptography.

The Board will review the progress in developing a digital signature standard for use by the unclassified segment of the federal government. Of equal importance will be an examination of the infrastructure issues related to the use of public key cryptography by federal agencies. Regardless of the algorithm to be selected as the basis for the standard, it is important that critical policy and technical alternatives be identified for managing the issuance and distribution of certificates. Which organizational entities of the government should have operational responsibilities for the infrastructure?

A.4. Computer Security Guidelines and Standards.

The Board will monitor NIST and NSA plans and programs for the international harmonization of computer security requirements as well as their experiences and plans for guidelines, standards, and interpretations. The Board will pay particular attention to the NIST/NSA Work Plan on Trusted System Technology. NIST program updates should be scheduled in March 1992 and September 1992. NSA program updates should be scheduled for June and December 1992. Each briefing should contain an update on the NIST/NSA Work Plan. The Board should prepare an interim report of its findings and recommendations by September 1992 and a final report by December 1992.

A.5. Security Evaluation Process.
The Draft NIST/NSA Work Plan on Trusted System Technology identifies the possibility of NSA focusing on the higher levels of trust (B2 and above) and NIST picking up the lower levels of trust (C2 and B1), perhaps under the auspices of the National Voluntary Laboratory Accreditation Program (NVLAP). This suggestion may help increase the availability and timeliness of evaluated products at all levels by focusing attention and increasing resources available to specific areas. The Board will review the possibilities of this development through discussions and briefings from NSA, NIST, and civilian and defense organizations that would be affected by this split of responsibilities. One model for such an evaluation program might be the FIPS 140-1 cryptographic module product evaluation process. The Board will review this evolving process as part of its overall examination. This area should be a topic of discussion at each of the Board meetings. The Board should issue its recommendations on this topic in initial form in June 1992 and final form in December 1992.

A.6. Privacy.

There is a renewed interest in privacy issues in the public press, with mixed signals coming from the public at large: concern for privacy but unwillingness to pay for protection or be inconvenienced. The Board should review the measures that are needed or being taken by the Government to protect privacy in federal programs and issue recommendations on what NIST and others should be doing to encourage protection of privacy information. Specific briefings from agencies involved in handling privacy information should be scheduled early in the year. The Board should report on its recommendations by September 1992. The scope of this activity will also include monitoring developments in European privacy regulations to assess their potential impact upon U.S. entities.

A.7. Changes in National Computer Security Policies.
The Board should continue to receive written updates and briefings from the Executive Secretary on any pending or proposed changes in national computer security policies. This activity will include the revision to Appendix III, OMB Circular A-130, which the Board recognizes as being a critical component in the security policy foundation for the Government's unclassified systems.

A.8. Threat and Vulnerability Assessment.

The Board will compare and contrast developments in the national security community in the area of threat assessment and vulnerability reporting with existing capabilities for the unclassified community. Specifically, the Board will hear about the DCI Threat IV project and the USAF Vulnerability Reporting Program. Are similar functions needed to support the unclassified community? If so, who should provide them?

B. Monitoring Activities.

The Board has expressed a desire to maintain a continuing interest in certain aspects of the NIST program and to receive periodic briefings on various critical issues. The Board may choose to exercise its statutory reporting responsibilities if it believes that a specific issue has become sufficiently important to warrant such action.

B.1. Security and Open Systems.

A major segment of the NIST Computer Systems Laboratory program is directed to achieving the concept of open systems. The Board will review the current status of security within the open systems context and seek to identify any critical areas where security issues may impede the full utilization of open systems. One frequently voiced problem area involves the lack of an adequate public key based cryptographic key distribution standard. Is this a valid concern, and are there other security gaps that need to be addressed by NIST and other standards entities?

B.2. Effective Use of Security Products and Features.
A study conducted by the President's Council on Integrity and Efficiency indicated that many security functions and features were either unused or misused by system administrators and users. The experience of emergency response teams further bears this out. The Board would like to examine what must be done to change this and whether better guidelines, training, etc. are needed on how to use basic security tools and features designed into existing products.

B.3. Status of Computer Emergency Response Capabilities in Civil Agencies.

The Board has heard from several sectors of the US Government that have organized highly effective emergency response teams and centers. How well prepared are other agencies such as HHS, HUD, etc. to handle computer emergencies? Is there a requirement for such agencies to establish such a capability? Periodic briefings on the use of a Computer Security Incident Response Capability (CSIRC) and what lessons can be learned to improve security would be useful. Since most incidents occur because accepted routine security practices are not followed, should this not be well publicized as an awareness or training tool?

B.4. International Hacking.

Cases of international hacking such as those that Cliff Stoll documented seem to keep occurring. Hackers continue to exploit the same old vulnerabilities that Stoll and many others have documented. Where is the accountability for taking care of known problems? Also, there appears to be continuing organizational confusion on the international hacking problem (i.e., who in the Government, if anyone, is or should be responsible?).

B.5. Local Area Network (LAN) Security.

Federal agencies are experiencing significant security problems with the utilization of LAN technology. The pace of the installation of this technology, combined with the security exposures resulting from the use of LANs, has created a new level of risk for federal information systems.
Another aspect of this issue will be the potential explosive growth in the installation of wireless LAN technology over the next few years. The Board will examine the LAN issue to determine what can be accomplished to improve the security of installed LANs and what research, policy and/or other initiatives must be undertaken to effect a long term improvement in LAN security.

B.6. Information Security Foundation.

The Board will monitor developments in this area and offer appropriate comments/guidance as needed.

B.7. Implementation of the Computer Security Act.

Subsumed under this heading are the various related issues the Board would like to address in 1992. These include an examination of Office of Management and Budget policies, including the anticipated rewrite of OMB Circular A-130. Also of interest is the role of the Inspector General in computer security. Computer security training and its effectiveness are also to be studied. Lastly, the Board would look into the status of the OMB/NIST/NSA security planning agency visits. What lessons have been learned? What are the plans for a follow-up activity?

B.8. Security and the Public Switched Network.

A number of studies have highlighted the vulnerabilities of the public switched network. At the moment, much activity is taking place behind closed doors on this issue, particularly in the National Security Emergency Preparedness arena. At some point, this issue needs to be surfaced and examined by the Board.

B.9. Electronic Data Interchange (EDI) Security.

Many federal agencies are about to launch ambitious automation programs that will make extensive use of EDI technology. There are significant security policy and technical issues that must be addressed to assure that the use of EDI complies with the spirit and intent of the Computer Security Act and other existing government computer security directives. The Board will address this issue from both a policy and a technology perspective.

V. Conclusions

During its third year, the Board continued to build the foundation toward progress in the years ahead. It developed a work plan and established its priorities for 1992. The Board has begun to examine those issues which it should study further and has heard from a number of agencies and organizations as to its role and duties. While the Board has initiated an action plan to identify emerging computer security and privacy issues, much remains to be accomplished in successfully addressing the challenges of the 1990s.

APPENDIX A
Computer Security Act of 1987
See Separate File

APPENDIX B
Charter of the COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD
See Separate File

APPENDIX C

AGENDA
Meeting of the Computer System Security and Privacy Advisory Board
March 19-20, 1991
Stouffer Harborplace Hotel, Baltimore, Maryland

Tuesday, March 19, 1991

9:00 Meeting Overview - Lynn McNulty, Executive Secretary
9:10 Remarks from the Chair - Willis Ware, Chairman

NIST's Computer Security Program - Current and Future Activities

9:15 Setting the Stage: Findings from FMFIA Submissions - Lynn McNulty
9:30 1991 NIST Computer Security Activities - James Burrows, Director, Computer Systems Laboratory (CSL), NIST, and Stu Katzke, Chief, Computer Security Division, NIST
10:15 Break
10:30 Continue
11:45 Status Report - Computer Security Handbook - Lynn McNulty, NIST
12:00 Lunch

Afternoon Closed Session

1:30 Presentation of Out Year Plans and Budgets - Stu Katzke
2:30 Discussion
3:00 Break
3:15 Future Plans & Initiatives - ITSEC & Criteria
5:00 Close
End Closed Session

Wednesday, March 20, 1991

Implementation of the Computer Security Act

9:00 Status of OMB Policies - Robert Veeder, Acting Director, Information Policy Branch, Office of Management and Budget
9:30 View from the Hill - Barbara Kirsch, House Science, Space and Technology Committee
9:40 Perspectives on Success of On-going Agency Visits - Robert Veeder & Edward Springer, Office of Management and Budget; Irene Gilbert, Computer Security Division, National Institute of Standards and Technology; Paul Peters, National Computer Security Center, National Security Agency
10:20 Break
10:35 OMB Bulletin 90-08 Visits - Agency Perspectives - Jules Romagnoli, U.S. Dept. of State; John Tressler, U.S. Dept. of Education; Richard Carr, National Aeronautics and Space Administration
11:10 Discussion

Pending Board Topics

11:30 Computer Security Professionalization Issue - Arthur F. Chantker, U.S. Marshals Service
12:00 Lunch
1:30 Discussion - E-Mail Privacy Revisited
2:00 Data Categorization - Steve Lipner and Eddie Zeitler
2:30 Improving Security in Federal Computer Systems - Bill Colvin
2:45 Draft Annual Report
3:00 Public Participation (as required)
3:20 Discussion of June Meeting Agenda
3:30 Close

Next Meeting: June 12-13, 1991, Sheraton Reston International Hotel, Reston, Virginia

FINAL MINUTES OF THE MARCH 19-20, 1991 MEETING OF THE COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD

March 19, 1991

Call to Order

Dr. Ware, Chairman of the Board, called the meeting to order at 9:00 a.m. in the Federal Hill Room of the Stouffer Harborplace Hotel in Baltimore, Maryland. He reviewed the reference materials provided to the members. In response to a question, he announced that no news was available regarding approval of new Board members. Mr. Wills indicated that the Board has had vacancies since September 1990 and would soon be crippled by the lack of members. Dr. Ware, Board Chairman, indicated that he had no additional information on whatever bottlenecks may be delaying the approval of new members. Mr. Burrows said that he could go back to the Director of the National Institute of Standards and Technology (NIST) and alert him to the problem. (ACTION - Mr. Burrows)

Due to a late arrival, the formal approval of the minutes was delayed to allow for a quorum to be present. (The late member arrived soon thereafter.)

Review of NIST's Computer Security Strategic Plan

Mr. McNulty opened the discussion by providing a brief summary of the 1990 reports to the President by federal agencies and departments under the Federal Managers Financial Integrity Act. (See Attachment A.) A brief discussion ensued which covered the status of the revised ITSEC and NIST's digital signature standard efforts. Dr. Ware inquired whether the standard to be proposed would be in concert with S. 266's sense of the Congress statement regarding the availability of plaintext. Mr. Burrows responded that the standards would be for signature and hashing only.

Dr. Katzke, Chief of the Computer Security Division of NIST's Computer Systems Laboratory, proceeded to review the Division's FY-1991 Computer Security Strategic Plan. He was accompanied by his group leaders, who were available to provide detailed program descriptions. He began with an overview of recent international and national events and trends. Next he described the logical organization of the plan, which is divided into six components:

- National Computer Security Leadership Activities
- Computer Security Management
- Computer Security Technology and Standards
- Agency Support and Assistance
- Open Systems Environment Standards
- Other Agency Projects

Within these six components are eight major projects on which NIST will focus.
These are:

- Computer Security Handbook and Framework
- Open Systems Environment
- Information Technology Security Criteria
- Advanced Authentication Technology
- Cryptographic Family of Standards
- Computer Emergency Response
- Testing and Evaluation
- Agency Support and Assistance

The Board discussed the majority of these to some extent. The Advisory Board, in its general discussion, voiced concern about the scope and adequacy of the program to meet the responsibilities of P.L. 100-235. There is a general feeling that too much of the program is driven by external tasking that is not necessarily in the direct interest of P.L. 100-235 obligations, and that many of the projects are understaffed and, as a result, are carryovers from years prior to the enactment of P.L. 100-235. No formal recommendations were adopted by the Board regarding the NIST Computer Security Program Plan.

Closed Session

During the afternoon session, which was closed to the public, the Board discussed possible NIST plans and initiatives for out-years. Specifically, the Board's discussions focused upon possible approaches to the development of computer security standards and guidelines in NIST's joint, multi-year effort with the National Security Agency. The Board took no actions during the closed session.

March 20, 1991

Computer Security Personnel

Mr. Arthur Chantker of the U.S. Marshals Service, on detail to NIST, provided a briefing to the Board on a NIST project to examine the staffing of computer security positions in the federal government. (See Attachment B.) While the study is continuing to gather data, it is clear that there is no uniformity in the job series used by agencies for staffing these positions. Mr. McNulty agreed that NIST would work to collect the number of positions currently staffed and provide that material to the Board when it was available. (ACTION - Mr. McNulty) In the discussions which followed, the Board agreed to look more closely at this issue at the June meeting. Mr. Courtney volunteered to lead a discussion at the next meeting on how to best utilize computer security talent. (ACTION - Mr. Courtney)

Congressional Update

Next, Ms. Barbara Kirsch, a General Accounting Office employee on detail to the House Science, Space and Technology Committee, presented her personal views of the current status of relevant events in the Congress. The Transportation, Aviation and Material Subcommittee, which has traditionally sponsored the computer security hearings (most recently in July 1990), has been merged into the Technology and Competitiveness Subcommittee. Computer security hearings are tentatively set for the May or June timeframe of this year. No further details were available about the planned hearings.

Regulatory Update

Robert Veeder, Director of the Information Policy Branch of the Office of Management and Budget (OMB), followed with an overview of the success of the OMB/NIST/NSA agency computer security visits and related matters. He expressed the opinion that the Privacy Act of 1974 does not appear to work very well in the contemporary electronic environment and may require modifications. Senator Leahy is about to introduce an Electronic FOIA bill which will also address the issue of what a record is. A proposed revision to the Computer Privacy and Matching Act is being developed at OMB as well. OMB Circular A-130 is also under revision. In response to a question from Dr. Ware, Mr. Veeder indicated that better enforcement may be necessary for certain aspects of the Circular. Dr. Ware expressed the Board's desire to maintain a dialogue with OMB on these issues.

Approval of the Minutes

Prior to proceeding with the panel sessions, with a quorum present and in open session, the Board approved the minutes of the December 1990 meeting.
Computer Security Agency Visits

The first panel consisted of representatives of OMB, NIST, and NSA who have been active participants in the visits to federal agencies to review their computer security programs in fulfilling the intent of the Computer Security Act. The panel included Mr. Robert Veeder and Mr. Edward Springer of OMB, Mr. Patrick Gallagher, Director of the National Computer Security Center, and Ms. Irene Gilbert of NIST's Computer Security Division. Eight meetings with agencies have taken place so far. Four additional agencies have been scheduled; approximately forty remain unscheduled. A visit to the Department of Defense was scheduled but was delayed due to the Middle East War. Mr. Veeder emphasized that the purpose of the meetings was to meet with management personnel, not technical staff. Mr. Springer said the visits had two purposes: 1) to raise awareness of computer security and 2) to change behavior. The concept of "insurance" (vice computer security) came up frequently at the meetings, as it was a concept familiar to managers. OMB will be developing a report on the visit process. Agencies have been candid in discussing their problems. Ms. Gilbert said that the visits have reinforced the need for additional agency guidance, particularly in the areas of networking and laptops. Mr. Gallagher noted that the visits also served to let NIST and NSA know what they could do better to help agencies meet their security requirements.

Next, a panel of three federal agency computer security program managers was convened. The panel consisted of Mr. Richard Carr of the National Aeronautics and Space Administration (NASA), Mr. John Tressler of the Department of Education, and Mr. Romagnoli of the Department of State. At the State Department, the OMB/NIST/NSA visit was considered a success. A number of planning meetings held with Deputy Assistant Secretaries were very useful in explaining the security program and raising awareness of its activities.
Internal relationships within the Department are greatly improved, with a higher level of cooperation and easier access to management officials. Mr. Romagnoli did recommend that a follow-up letter be sent from OMB to the Department. Overall, the visit was much more useful than the plan submission process, which was termed a "fiasco."

Mr. Tressler began by reviewing the decentralized program in place at the Education Department. His was also the first agency to be visited and was considered a learning experience by both the Department and the OMB/NIST/NSA team. A summary of the fifty sensitive Education systems was developed and presented to management for a decision as to which three would be selected for the meeting. As a result of the meeting, the level of security awareness has increased. Overall, the process went well; however, it would be useful to have a follow-up and to get management more involved in security matters.

Mr. Carr also emphasized the positive results of the agency visit. At NASA, approximately forty people attended the meeting, which indicated the seriousness of the visit. He also echoed the desirability of feedback from OMB as to their reactions to the meeting. Mr. Colvin interjected that NASA holds agency-wide meetings every six months on these matters and that the Administrator is briefed as to the findings of the vulnerability studies. Dr. Ware asked the panel if there was a group through which those agencies which have been visited could share their experiences so that other agencies could know what to expect. Mr. Tressler replied that the Federal Computer Security Program Managers Forum, chaired by Mr. McNulty, was an ideal vehicle for such information sharing.

Approval of Annual Report

Prior to breaking for lunch, with a quorum present and in open session, the Board unanimously adopted its draft 1990 Annual Report. Dr. Ware will forward the document to NIST for appropriate distribution.

After lunch, Dr. Ware informed the Board that Mr. Roback would serve as the Designated Federal Official for the remainder of the meeting in Mr. McNulty's absence.

Computer Security Reporting Under FMFIA

Mr. Colvin reviewed his proposal that the lack of compliance with certain requirements of OMB Circulars A-130 and A-123 be designated "material internal control weaknesses." These weaknesses have to be reported to the President under the Federal Managers Financial Integrity Act. It would be left to NIST and OMB to decide specifically which deficiencies (e.g., lack of a tested contingency plan) would be defined as weaknesses. Such a new procedure would result in a more accurate reporting process and reduce the level of subjectivity across agency reporting. It would also give the heads of agencies more information as to the status of security in their organizations. Additionally, it would provide OMB and NIST with more knowledge about the status of computer security across the government. He recommended that the Board avoid micromanagement and let OMB identify the specific weaknesses to be reported. He also stressed the need for speedy action, as OMB was in the process of rewriting OMB Circular A-130. Mr. Cooper stated that this item looked like a "real winner." With a quorum present and in open session, the Board unanimously adopted the recommendation. (See Attachment C.) The secretariat was asked to prepare a transmittal letter to the Director of NIST. (ACTION - Secretariat)

E-Mail Privacy

The Board briefly discussed e-mail privacy as a follow-up to its discussion in December 1990. It was agreed that it was desirable to have a position paper with recommendations drafted for discussion at the June meeting. Dr. Ware agreed to work with the secretariat to prepare the document for discussion and coordinate it via e-mail. (ACTION - Dr. Ware/Secretariat)

Data Categorization

Messrs. Lipner and Zeitler handed out a concept paper on data categorization. (See Attachment D.)
During a short discussion, Mr. Walker suggested that a legislative solution was necessary; only a top-down approach could be successful. While no conclusions were reached during the discussion, it was the sense of the Board to defer further action on this item.

Public Participation

No members of the public wished to speak.

June Meeting Agenda

The Board agreed that the following topics would be included on the June agenda:

- Vulnerabilities of the Public Switched Network (1/2 hour)
- Computer Security Personnel - NIST Update and Utilization of Existing Talent (Mr. Courtney)
- E-Mail Privacy - Discussion of Draft Letter
- FOIA/Privacy Act/Sensitive Information (OMB)
- Update of Agency Visits (Dr. Katzke)
- Update on EC Meetings
- NIST Report on Criteria Progress
- Information Security Foundation (Mr. Walker)

Close

The meeting was adjourned at 3:15 p.m.

Lynn McNulty, Secretary

CERTIFIED as a true and accurate summary of the meeting
Willis Ware, Chairman

AGENDA
Meeting of the Computer System Security and Privacy Advisory Board
June 12-13, 1991
Sheraton Reston Hotel, Reston, Virginia

Reminder - Under the Federal Advisory Committee Act, all Board documents discussed at Board meetings in open session are available to the public.

Wednesday, June 12, 1991

I. Introduction

9:00 Meeting Overview & News Update - Lynn McNulty, Executive Secretary
9:10 Remarks from the Chair - Willis Ware, Chairman

II. Federal Information Policy Developments

Note: OMB offered at the March meeting to provide the Board with a review of the current governmental regulatory environment. This is anticipated to be the first in a series of briefings to the Board.
ACTION - Agreement on Future Actions

9:15 Federal Electronic Recordkeeping - Ken Thibodeau, Director, Center for Electronic Records, National Archives and Records Administration
10:15 Break
10:30 Discussion

III. NIST Update

During this session, NIST will present an update of their recent agency visit activities.

10:45 Update of Agency Visits - Irene Gilbert

IV. Review of Draft Board E-Mail Privacy & Security Position

ACTION - Review/Accept Draft Letter

11:00 E-Mail Privacy - Willis Ware

V. Public Switched Network Issues

Note: At the March meeting the Board agreed to briefly look at this topic by discussing the publicly available NSTAC report. REMINDER: Please have reviewed the NSTAC report previously provided.
ACTION - Determine if this is an area the Board wishes to examine in greater detail.

11:30 Discussion of Public Switched Network Issues
12:00 Lunch

Closed Session

VI. Discussion of NIST's Long Range Computer Security Plans

Note: At the last meeting, the Board was provided an overview of the NIST five year computer security strategic plan. During this session, the Board may also wish to examine the draft NIST/NSA Trusted Systems Technology workplan. This session will focus upon Advisory Board reaction to NIST's long-range plans.
ACTION - As Required by Discussion
Note: All recommendations must be adopted in open session.

1:30 Advisory Board Reaction to the Plan
2:00 Break
2:15 Discussion

VII. Government Computer Security Research Programs

Note: NSA has been invited to present their long-range unclassified research program.

4:00 NSA's Long Range Research Program - Terry Ireland, Deputy Chief, INFOSEC Research and Technology, National Security Agency
4:45 Discussion
5:00 Close
End of Closed Session

Thursday, June 13, 1991

VIII. Information Security Foundation

Note: At the last meeting, Mr. Walker asked that the Board discuss the Information Security Foundation. Other interested individuals have been assembled to give their views as well.
ACTION - As required by discussion

9:00 Information Security Foundation - Panel Discussion - Steve Walker, Trusted Information Systems, Inc., Board Member; Doug Jerger, Vice-President, American Software Association, ADAPSO; Ed Burke, Director, Advanced Systems, MITRE
10:15 Break

IX. NIST Computer Security Program

This session will allow time for the Board members to follow up on their discussions held during closed session and, as appropriate, adopt recommendations in open session.

10:30 Discussion
12:00 Lunch

X. Computer Security Staffing

Note: This session continues the discussion from the last meeting on the staffing of federal computer security positions and the professionalization of the discipline.

1:15 Computer Security Personnel Study - Update - Lynn McNulty

XI. Wrap-up

1:30 Final Consideration of Recommendations (as necessary)
2:00 Public Participation (as necessary)
2:30 September Meeting Agenda Discussion
ACTION - Develop topics and proposed speakers for September
3:00 Close

Next Meeting: September 18-19, 1991 (location TBD)

MINUTES OF THE JUNE 12-13, 1991 MEETING OF THE COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD

June 12, 1991

Call to Order

Dr. Willis Ware, Chairman of the Board, called the meeting to order at 9:00 a.m. at the Sheraton Hotel in Reston, Virginia. Dr. Ware asked the Board Secretary to brief the Board members regarding any organizational developments which had occurred since the last meeting. Mr. McNulty stated that he was pleased to announce that the formal appointment letters for Messrs. Gallagher, Walker, and Kuyers had been sent from the Director of the National Institute of Standards and Technology (NIST). He remarked that since the March meeting, he had also responded to a Congressional inquiry about the delay in processing Board nominations outstanding for six to eight months. Mr. McNulty concluded his opening remarks by reviewing several other administrative and procedural matters.

Federal Information Policy Developments - Electronic Record Keeping

Mr. McNulty then introduced Mr. Ken Thibodeau, Director, Center for Electronic Records of the National Archives and Records Administration (NARA). Mr. Thibodeau's presentation is part of an on-going series of Office of Management and Budget (OMB) sponsored briefings for the Board on federal information policy issues. Mr. Thibodeau briefly described NARA's mission and method of operation. He stressed that the permanent preservation of government records is an important part of the accountability concept which underlies our form of government. However, the federal record keeping environment is changing from paper to electronic, and this in turn is having an impact upon NARA. One of the fundamental issues confronting NARA is what constitutes an "official" electronic record. Other related issues include the handling of relational data bases, the lack of standards for submission of electronic records to NARA, and retention periods for records stored on electronic media. It is anticipated that between 1991 and 1995 over one thousand electronic data bases will be transferred to NARA. The security and privacy related issues that NARA must confront as it becomes more deeply involved in preserving electronic data bases include: (1) the desire for on-line public access to these records; (2) preservation of individual privacy; and (3) assuring the integrity of electronic records in the custody of NARA. Mr. Thibodeau also discussed the new NARA facility that is nearing completion on the University of Maryland campus in College Park. He stated that computer systems to be installed at this complex will process many of the electronic data bases in the custody of NARA. There are plans to have extensive local and remote public access to these electronic records. At the conclusion of his presentation, the Chairman thanked Mr. Thibodeau for his very informative briefing.

Update on the OMB/NSA/NIST Agency Visit Program

Ms. Irene Gilbert of the NIST Computer Security Division briefed the Board on the current status of the agency visit program being accomplished in accordance with the provisions of OMB Bulletin 90-08.
She briefly summarized the activities that have occurred since the Board discussed this activity at its March meeting. Ms. Gilbert was asked by a Board member what types of guidance federal agencies have requested during these meetings. She stated that agencies have requested guidance on issues such as security of electronic data interchange applications, application of electronic signature technology, and network security. Mr. Walker raised the question of whether or not there is a long term plan for what will follow the completion of this series of visits. Thus far, there has been no formal overall analysis of the results of the agency visits, nor have the results been correlated with the NIST/NSA Joint Strategic Plan effort. The Board raised, but did not settle, the question of whether agency visits should be continued on a periodic basis. After some discussion, it was agreed that the Chairman and the Board Secretary would discuss this matter with appropriate OMB officials and report to the Board at the next meeting. (ACTION: Dr. Ware and Mr. McNulty)

Electronic Mail Privacy

The discussion held during this segment of the Board meeting focused upon confidentiality and privacy concerns related to the Board's use of the NIST Computer Systems Laboratory electronic mail system. It was agreed that Board members should have a fundamental understanding that this e-mail application provides no security, and that members using this service be guided by this fundamental principle. The Board agreed, in open public session, to send a letter to the Director of NIST to relay the Board's concerns that users of federal e-mail utilities be informed of the level of privacy to be accorded their messages. The letter also recommends that NIST work with OMB to identify a suitable means of implementation. (See Attachment #1.) The Board Chairman requested NIST to prepare a short security policy statement that could be disseminated to all present and future Board members.
(ACTION: NIST)

Public Switched Network

The Board conducted an informal discussion of the security issues related to the Public Switched Network (PSN). (Note: The members had been provided a copy of the publicly available December 1990 report issued by the National Security Telecommunications Advisory Committee in a mailing prior to the March meeting.) It was agreed that with the fundamental changes that have occurred in switch technology over the past decade, significant "computer security" issues now confront the telecommunications industry. Fundamental problems related to operating system security, access control, user identification/authentication, and other generic computer security concerns are present in the PSN. Mr. Walker summarized the issue by stating that the security problems confronting the PSN appear to be "a classic case of vulnerability induced threat." The Board concluded its discussion of this matter by agreeing that the security concerns related to the PSN were indeed significant, but that the problem was being addressed in other government sponsored forums. Consequently, there was no requirement at this time to become involved in this issue. It was also observed that discussion of such vulnerabilities (of a non-federal system) in open session was not desirable.

Discussion of NIST's Long Range Strategic Computer Security Program Plan I

During the afternoon session, the Board discussed the multi-year program plan for the NIST computer security program, including its out-year budgets. (Although the agenda indicated that the session would be closed, the Secretary announced that the afternoon session on the NIST plan would be open to the public. Only the NSA briefing would be closed.) The NIST long-range program plan had been briefed to the Board at its March meeting. In the intervening period, the Board members conducted considerable informal discussions on the general directions and specific components of this plan.
The principal discussions held during this period focused upon a recommendation for an alternate NIST computer security program which had been prepared by Mr. Courtney. The document he presented to the Board consisted of three major sections: background/threat environment, Part A (program context), and Part B (program recommendations). The Board considered the proposal and accepted the initial draft. However, after extensive discussion, the matter was deferred to the following day on a motion to reconsider.

National Security Agency (NSA) Computer Security Research Program

During the final hour of the day, a closed session was held at which the Board received a briefing on the long term NSA computer security research program. This was provided by Mr. Terry Ireland, Deputy Chief of the INFOSEC Research and Technology Group. Mr. Ireland described NSA's multi-year work plan in a number of areas related to the security of computers and networks. The Board found this to be a highly useful presentation, as it allowed for a useful comparison with the NIST strategic program plan currently under review.

The meeting was recessed for the day at 5:00 p.m.

June 13, 1991

Information Security Foundation

The initial session of the day was devoted to a discussion of the developments concerning the formation of an Information Security Foundation (ISF). Mr. Walker opened the discussion by providing a background briefing on the evolution of the ISF concept recommended in the December 1989 report, Computers at Risk, prepared under the auspices of the National Research Council under sponsorship by the Defense Advanced Research Projects Agency. Mr. Walker advised the Board that the study committee had come to the conclusion that something like an ISF was needed to perform the advocacy and supporting services functions needed to fully address the fundamental issues raised by Computers at Risk. Mr. Walker further advised the Board that the proposal for an ISF was placed in the document without any specific concept of how such an entity would be established. Since the publication of the document, several groups have come forward and have expressed an interest in serving as the catalyst for the ISF.

Mr. Doug Jerger, Vice President of the American Software Association (a division of ADAPSO), discussed his group's interest in creating an ISF. He stated that ADAPSO would be sponsoring a meeting on June 25 to bring together all of the parties interested in establishing an ISF and initiate discussion on how this concept can be translated into a viable group.

Mr. Edmund Burke of the MITRE Corporation gave the last presentation of this session. He stated that his organization has studied the prospects for an ISF and supports the concept of such an organization. MITRE believes that it is well suited to serve as the sponsoring organization and is willing to fulfill such a role. Mr. Burke emphasized that MITRE is particularly interested in the testing and evaluation aspects of any ISF that may be established.

Discussion of NIST's Long Range Strategic Computer Security Program Plan II

While this session was a continuation of the subject matter initiated during the previous day, the discussions primarily focused upon recommendations for the NIST program plan. There was considerable discussion among the Board members on the desirability of including "Part A" in the final version of the document to be sent to the Director of NIST. After some discussion, it was agreed that "Part A" would not be included in the final version but would be deferred for additional consideration. The Board voted to approve the document in substance (without Part A). Those voting in favor (of the introduction/threat and Part "B" document) include: Courtney, Zeitler, Wills, Kuyers, Lipner, Walker, and Colvin. Those opposed: Gallagher and Mancher.
Reasons for opposing the recommendation included the argument that the Board had insufficient time to review the proposal. Additionally, the Board authorized the Chairman to make language changes to the approved document before being formally transmitted to NIST senior management. (See Attachment #2.)

Following this discussion, Mr. Walker expressed a concern regarding the procedures underlying the preparation, presentation, and approval of this document. He expressed the opinion that the Board members who had not participated in the preparation of this document had been given little time to study the paper before it was presented for a formal vote. Mr. Walker stated that he believed that in matters of such consequence as far-reaching recommendations regarding the overall NIST program, Board members should be afforded more time to review such documents. Mr. Gallagher supported Mr. Walker's comments and further stated that he was very concerned by the lack of established Board procedures which governed the dissemination and review of such position papers. Mr. Gallagher proposed a formal motion that the Board Secretary prepare a set of written procedures prior to the next meeting for handling such actions as the coordination of Board position papers. The Board agreed with this motion. (ACTION: Board Secretary)

Computer Security Staffing

Mr. McNulty provided the Board a short summary of the progress made since the March meeting on studying the job classification of individuals performing computer security duties in the federal government. He presented the Board with copies of a draft study and requested their comments on the report. It was the consensus of the Board that no further action was required on this matter in the foreseeable future.

Public Participation

No members of the public in attendance at this meeting accepted the Chairman's invitation to address the Board on matters related to the security and privacy of federal computer systems.
Fiscal Year 1992 Work Plan

The Chairman noted that it was time to develop a work plan for FY-92. He requested volunteers to serve as an informal committee to develop a work plan for the Board's consideration. The following individuals volunteered to serve on this committee: Messrs. Lipner, Gallagher, Walker, and Zeitler. The Board Secretary was asked to make the appropriate arrangements so that the Work Plan committee could meet and develop its suggestions for presentation at the September Board meeting. (ACTION - BOARD SECRETARY)

September Meeting Topics

A brief discussion was held to determine topics which would be desirable for the September meeting. Those mentioned included: NIST reaction to the Board's recommendations regarding the NIST strategic plan, ITSEC update, NSA/NIST trusted systems criteria work, software engineering and reliability, CERT program briefing, and the draft digital signature standard.

Closing

The meeting was adjourned at 2:45 p.m.

Attachments:
1) E-Mail Letter
2) NIST Program Letter

Lynn McNulty
Secretary

CERTIFIED as a true and accurate summary of the meeting

Willis Ware
Chairman

AGENDA
Meeting of the Computer System Security and Privacy Advisory Board
September 18-19, 1991
Stouffer Harborplace Hotel, Baltimore, Maryland

Wednesday, September 18, 1991

I. Opening Remarks
9:00 Welcome - Lynn McNulty, Board Secretary
9:10 Remarks from the Chair - Willis Ware, Chairman
9:15 Review and Approval of Proposed Rules - Willis Ware

II. Privacy Issues
9:20 European Privacy Initiatives - Wayne Madsen, CSC Inc.
9:45 EC Privacy Initiative and the Impact upon International Businesses - Bill Whitehurst, IBM, Inc.
10:15 Break
10:30 A U.S. Data Protection Board? - Bob Gellman, Subcommittee on Information, Justice and Agriculture, House Government Operations Committee
11:15 Discussion
12:00 Lunch

III. NIST Update & Response
1:30 Response to the Board's Recommendation (Part B) - Stu Katzke
2:00 Digital Signature and Handbook Updates - Lynn McNulty
2:15 Agency Visit Updates - Jon Arneson, NIST
2:30 NIST/NSA Joint Strategic Plan - Stu Katzke (NIST), Gene Troy (NIST), and Col. Ron Ross (NSA)
3:00 Discussion
3:30 Break

IV. Board's Recommendations - NIST Program Plan
3:45 Review of "Part A" - Board's Recommendations Regarding the NIST Strategic Program Plan
5:00 Recess

Thursday, September 19, 1991

V. Information Security Foundation
9:00 Information Security Foundation Update - Lynn McNulty

VI. Emergency Response - Part I
9:10 Overview of NIST's Role - Stu Katzke
9:15 CERT System - Panel Discussion: Rich Pethia, Carnegie-Mellon University; Gene Schultz, Lawrence Livermore National Laboratory; John Wack, NIST
10:30 Break

VII. Federal Technology Forecast
10:45 Robin Rather, Information Strategies Group, Inc.
11:45 Discussion
12:00 Lunch

VIII. Board's 1992 Work Plan
1:15 Report of Drafting Committee - Steve Walker
Public Participation (as required)
2:45 Agenda for December Meeting
2:55 Closing Remarks
3:00 Close

Next Meeting: December 10-11, 1991 (Tue./Wed.), Marriott Hotel, Gaithersburg, Maryland

MINUTES OF THE SEPTEMBER 18-19, 1991 MEETING OF THE COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD

Wednesday, September 18, 1991

Call to Order

Dr. Willis Ware, Chairman of the Board, called the meeting to order at 9:00 a.m. at the Stouffer Harbourplace Hotel in Baltimore, Maryland. Members present were: Messrs. Cooper, Gallagher, Zeitler, Colvin, Kuyers, Lipner and Walker. Mr. Lynn McNulty, Board Secretary, announced that since the Board's last meeting in June, Ms. Rhoda Mancher has resigned from the Board. In consideration of the June Board minutes, Mr. Cooper moved that they be accepted, which was seconded by Mr. Lipner. With no objections, the minutes were approved. The Board then considered adoption of draft operating procedures for bringing items to the attention of the Board.
(See Reference #1.) Mr. Zeitler moved for their approval, which was seconded by Mr. Courtney. No objections were interposed and the procedures were passed unanimously.

Privacy Issues

Mr. Wayne Madsen of the Computer Sciences Corporation (NJ) and author of a soon-to-be-published book on privacy issues addressed the Board on privacy developments worldwide. The views expressed were his own and not necessarily those of his employer. (See Reference #2.) He indicated that it is anticipated that all members of the Council of Europe will pass privacy legislation by 1993. The use of identification numbers has caused a great deal of grief and hesitation among European countries, particularly those in Eastern Europe. In 1990, the EC's Directorate General XIII prepared a draft directive on personal data, which stated that people own data about themselves. Businesses, therefore, cannot share this data with each other. Much has been picked up by the United Nations' draft guidelines for the regulation of computerized personal data files. Mr. Madsen also reviewed statutes and pending legislation in various other countries. Finally, he discussed his recommendations for a U.S. data protection authority.

Mr. William Whitehurst, Director of Data Security Programs, IBM, presented an international business perspective on the EC proposal. He began with an overview of the differences in approaches to privacy of the U.S. vis-a-vis the EC. Next, the goals and intent of the EC proposal and a spectrum of the types of individual consent (from no consent through "opting out," to specific written consent for each use) were presented. Mr. Whitehurst displayed a Direct Marketing Association brochure for Board review. The Electronic Mail Association has also recently issued mail privacy guidelines for member organizations. Consequences for businesses and individuals, including inefficiencies and higher prices, also were discussed.
He stressed the need to balance society's legitimate needs and individual privacy. Lastly, he presented various approaches which have proven effective, including codes of conduct, ethical behavior, competition, sectoral guidelines, and voluntary guidelines.

Next, Mr. Bob Gellman of the Subcommittee on Information, Justice and Agriculture, House Government Operations Committee, addressed the Board. The views expressed were his own. Jurisdiction of the Subcommittee extends over the Freedom of Information Act of 1974 and the Privacy Act of 1974. His primary concern is that people should have some control over the use of their personal information. The Subcommittee has introduced H.R. 685, the Data Protection Act of 1991, which would establish a permanent, independent, non-regulatory Data Protection Board (DPB). The DPB would be comprised of three individuals and a staff of fifty, minuscule by federal bureaucracy standards. The DPB's jurisdiction would extend over three major areas: (1) the federal government's own records, (2) the private sector in an "advisory only" capacity, and (3) international data protection issues. The DPB could also be used for new technologies (e.g., video rentals). (See Reference #3 for the floor statement by Congressman Wise upon introduction of the bill.) The DPB would also be very useful in dealing with its European counterparts. Mr. Gellman also noted that this is the first year that the U.S. has sent a representative to the annual European meeting of data protection commissioners. A sunset provision is included in H.R. 685. However, it was noted that there is virtually no chance of the bill's passage; it is simply too controversial. Mr. Gellman observed that while many companies have agreed to follow the OECD privacy guidelines, there have been no changes in firms' behavior. In fact, officials at many firms that have signed the guidelines now disclaim knowledge of their firm's approval.
The Europeans are well aware of the need for enforcement in this area. He believes that our privacy laws are outdated and that someone needs to champion this issue. It now appears that the EC directive will be enforced through contract provisions. This could lead to European-initiated "privacy audits" of U.S. firms. Another bill before Congress is H.R. 2443, which is a series of ten proposed amendments to the Privacy Act. One of these would extend the Act's protections to foreigners, who are currently excluded.

A discussion as to what the Advisory Board might contribute in this area was held. No consensus emerged regarding the Advisory Board's role in this issue. The Board will, however, continue to monitor developments.

NIST Update & Response

The Board then turned its attention to the NIST security program. Dr. Stuart Katzke, Chief of the Computer Security Division of NIST's Computer Systems Laboratory, provided a response to the Board on its recommendations, approved at the June meeting and transmitted to Dr. Lyons, to refocus the computer security strategic plan. He began with a brief introduction of the NIST plan and the Board's recommended plan. He next reviewed each of the Board's recommendations in turn and those elements of NIST's plan which correspond to those recommendations. See Reference #4 for Dr. Katzke's briefing materials. He also reviewed two areas in which the Board had made no recommendation in June: 1) CERT (now FIRST) and 2) Agency Support and Assistance. Mr. Lipner stated that while it was good that NIST has identified with the Board's objectives, he was concerned that the existing program plan has been forced into the Board's framework. He would encourage NIST to sign up to the spirit of the Board's recommendations. If that means shelving some tasks, so be it. He indicated the need for NIST to look at the intent of the Board's recommendations.

Next, Mr. McNulty provided the Board with an overview of the draft Digital Signature Standard (DSS).
See Reference #5 for a copy of his presentation materials. The Board expressed interest in receiving a briefing as to NIST's plans for the supporting infrastructure for the standard. (ACTION - SECRETARY)

Mr. Arneson provided the Board with an update of the agency computer security visits by OMB, NIST, and NSA. Little activity has taken place since the briefing to the Board in June. The Board expressed the desire to receive a copy of a typical letter from OMB to the agency informing them of the upcoming visit. (ACTION - SECRETARY) Dr. Ware suggested that agency visits be held every two years.

Next, Dr. Katzke introduced Col. Ron Ross of NSA and Mr. Gene Troy of NIST, who presented a briefing on the Joint INFOSEC Criteria effort. (See Reference #6.) Mr. Walker indicated that their plan was a good crystallization of a program plan. Mr. Gallagher asked if the Board would follow the plan's implementation to see how tasks measured up to the promised milestones. Mr. Walker asked for the fall 1991 products to be sent to the Board prior to the December meeting and an update in December. (ACTION - SECRETARY) It was agreed that they would be provided to the Board prior to the December meeting if completed for public review by that time. The Chairman noted the Board's generally positive preliminary response to the program plan.

The Board then continued with its discussion of the draft document "A Context for the NIST Computer Security Program," referred to as "Part A." A long discussion was held over the last paragraph of section four. Mr. Lipner stated that there was a lot of discussion via electronic mail regarding the need for a smooth seam between B1 and B2, i.e., the NIST and NSA areas of responsibility, respectively. The Board discussed the need for such compatibility. After more discussion, substitute language was proposed. Mr. Lipner moved to accept the substitute language. No objections were raised and the draft recommendation was amended. Mr. Walker moved to accept the entire document and forward it to Dr. Lyons. Mr. Zeitler seconded the motion, which passed unanimously. (See Reference #7.) The Board recessed for the day.

Thursday, September 19, 1991

Information Security Foundation

With a quorum present, the Board opened its business at 9:00 a.m. with an update report from Mr. McNulty on the creation of the Information Security Foundation (ISF). The creation of the ISF was recommended by the National Research Council report, Computers at Risk. A meeting, coordinated by ADAPSO, was held on June 25, 1991 and attended by 20-25 people. Organizations in the forefront of this activity include: SRI, ADAPSO, MITRE, and ISSA. A number of subcommittees were formed to look at each of the report's chapters. The next meeting will be held on September 30, 1991 to examine the subcommittees' recommendations. It was noted that there does not appear to be a formal agreement to proceed any further at this point. Dr. Ware inquired as to NIST's view of the ISF. Mr. Burrows indicated that it was not viewed as a competitor and that there was little chance of it receiving government funding. One major problem in getting the ISF up and running is that users are not willing to pay up-front costs for security. A discussion of the necessity of the ISF vis-a-vis the NIST criteria effort ensued. Mr. McNulty asserted that the ISF has not yet reached critical mass.

Emergency Response

A panel, composed of Mr. John Wack of NIST, Mr. Eugene Schultz of Lawrence Livermore National Laboratory, and Mr. Rich Pethia (Carnegie-Mellon University), addressed activities in the CERT arena, now called the Forum of Incident Response and Security Teams (FIRST). Mr. Wack reviewed NIST's central coordination role under FIRST. (See Reference #8.) Next, Mr. Rich Pethia of the CERT Coordination Center at Carnegie-Mellon University, which serves the Internet community, addressed the Board.
The Internet now has over 500,000 hosts, is growing at 10% per month, and is international in scope. His review of security incidents stressed that while the actual frequency of incidents may not be up, the reporting rate has clearly increased. A lot of the problems seen by the CERTs would be corrected by two things: 1) better account management, and 2) better out-of-the-box system configurations by vendors (i.e., systems automatically set in the most secure, rather than the least secure, mode). Dr. Ware asked about the apparent lack of civil government presence in the FIRST effort. Mr. Pethia stated that NIST is ideally situated to prod civil agencies to get involved. (See Reference #9.)

Mr. Gene Schultz, of the Computer Incident Advisory Capability (CIAC), Lawrence Livermore National Laboratory, presented an overview of the DoE CIAC. He reviewed DoE's sponsorship, reasons for the CIAC's formation, its charter, and other agencies and teams with which CIAC coordinates. He then focused on the national response to incidents. There is no single point of contact with the U.S. Government, no established mechanism for cooperation between government communities, and a lack of coordination efforts. Mr. Colvin stressed the role of the Inspector General community to assist this effort. Mr. Schultz emphasized the need for uniform computer security standards for federal Internet computer systems. He then provided possible areas for the expansion of NIST's role. (See Reference #10.)

Mr. McNulty noted that the Board has heard from agencies which are leaders in emergency response capabilities. He noted that it would be useful for the Board to hear from other, primarily civilian, government agencies regarding their efforts to develop CERT-type capabilities. Mr. McNulty offered to collect information regarding the status of the other agencies and to have these results presented at the next Board meeting. The Board agreed to take advantage of this offer.
(ACTION - SECRETARY)

Future Technologies

Ms. Robin Rather of the Information Strategies Group (ISG), Inc. (VA), presented an overview of emerging technologies. The paradox which is inherent in rapid change is impatience versus intolerance for rapid change. She noted that 90% of the people who were using computers in 1990 were not using them in 1980. Factors used by ISG to determine high-impact technologies include: 1) 30% - 50% growth per year, and 2) demonstrated user benefits. ISG receives the most inquiries per month on wireless LANs, videoconferencing, and U.S. federal GIS spending. Major technical gaps which must be filled in the move toward true multimedia include interoperability, network management and integration, and software and hardware synergy. She noted that "the jury is still out" on ISDN, outsourcing, and AI. (See Reference #11.)

Board's 1992 Work Plan

The Board's draft work plan for 1992, coordinated by Mr. Walker, was considered by the Board. Changes were suggested and it was agreed that the plan would be placed on the agenda for the December meeting. (ACTION - SECRETARY)

Public Participation

Ms. Julie Smith from Logistics Management Institute offered to brief the Board at its next meeting on EDI security and data categorization.

December Board Meeting

Items identified for the December Board meeting included: a summary of other agency CERT activities, an update on the NIST/OMB/NSA visits, a digital signature infrastructure briefing, a FIPS 140-1 short technical briefing, a short ISF update, an OMB A-130 rewrite update, LAN security (perhaps Ms. Rather), a briefing from a major software house on application security, and Ms. Smith from LMI on EDI security and data categorization.

Closing

Dr. Ware noted that, as this was the last meeting of FY-91, the appointments of Messrs. Cooper and Courtney had expired. Their valuable contribution to the Board will be missed. The meeting was adjourned at 12:10 p.m.
References

Note: References are not included as attachments to the minutes, but are maintained on file with the Secretariat.

#1 - Procedures
#2 - Wayne Madsen's presentation
#3 - Wise floor statement
#4 - Dr. Katzke's presentation
#5 - DSS Briefing
#6 - Ross/Troy Criteria briefing
#7 - Part A (Final, as passed)
#8 - Wack presentation
#9 - Pethia presentation
#10 - Schultz presentation
#11 - Rather presentation

Lynn McNulty
Secretary

CERTIFIED as a true and accurate summary of the meeting

Willis Ware
Chairman

AGENDA
Meeting of the Computer System Security and Privacy Advisory Board
December 10-11, 1991
Marriott Hotel, Gaithersburg, Maryland

Tuesday, December 10, 1991

I. Opening Remarks
9:00 Welcome & Update - Lynn McNulty, Board Secretary
9:10 Remarks from the Chair & Review and Approval of Minutes - Willis Ware, Chairman
9:15 Introductions

II. Paperwork Reduction Act and Its Relationship to OMB Circular A-130
9:20 Peter Weiss, Senior Management Analyst, Office of Management and Budget, and Ed Springer, Senior Management Analyst, Office of Management and Budget

III. Information Security Foundation
9:45 International Information Security Foundation - Cris Castro, SRI
10:00 Discussion
10:15 Break

IV. Emergency Response
10:30 Security Incident Management at Digital Equipment Corp. - Steve Redfern, Digital Equipment Corporation
11:15 Review of Other CERT Activities - Lynn McNulty
11:30 Discussion
12:00 Lunch

V. NIST Updates
1:30 Agency Visits, Handbook (NIST speakers)
1:40 Integrated OSI, ISDN and Security Program - Patricia Edfors, Program Manager, NIST
2:00 Trusted System FIPS Update - Col. Ron Ross, NSA

VI. Government Cryptographic Standards
2:30 FIPS 140-1 (draft) - Technical Overview - Miles Smid, NIST
3:15 Break
3:30 Digital Signature Update - Miles Smid, NIST
3:45 Discussion
4:00 Recess

Note: Cancellation of a scheduled speaker has resulted in a shorter session for today.

Wednesday, December 11, 1991

VII. Electronic Data Interchange Security
9:00 EDI Security - Panel: Julie Smith, Logistics Management Institute; Elaine Barker, NIST; Bob Campbell, Advanced Information Management, Inc.; Victor Hampel, Logistics Management Institute
10:15 Break

VIII. NIST Response to Board's Recommendations
10:30 NIST Response to Board Program Recommendations - James Burrows, Director, Computer Systems Laboratory, NIST, and Stu Katzke, Chief, Computer Security Division, NIST
12:00 Lunch

IX. Board's 1992 Workplan
1:30 Discussion

X. Public Participation
2:15 Public Participation (as required)

XI. Wrap-up
2:45 Agenda for March Meeting
2:55 Closing Remarks
3:00 Close

Next Meeting: March 17-18, 1992 (Tue./Wed.), Sheraton Inner Harbor Hotel, Baltimore, Maryland

MINUTES OF THE DECEMBER 10-11, 1991 MEETING OF THE COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD

December 10, 1991

Call to Order

Dr. Willis Ware, Chairman of the Board, called the meeting to order at 9:00 a.m. at the Marriott Hotel in Gaithersburg, Maryland. Members present were: Castro, Gallagher, Wills, Gangemi, Philcox, Zeitler, Colvin, Rand, Kuyers, Lipner and Walker. The Chairman and Mr. Lynn McNulty, Board Secretary, welcomed the four new Board members whom the Director of NIST had appointed since the September meeting. In consideration of the September Board minutes, Mr. Kuyers moved that they be accepted, which was seconded by Mr. Wills. No objections were raised and the minutes were accepted unanimously.

International Information Security Foundation (IISF)

Mr. Cris Castro briefed the Board on a meeting held December 5-6, 1991 in San Antonio, sponsored by ADAPSO, to look at the formation of an IISF. Progress has been slow since the call for the formation of such a group in the National Research Council report Computers at Risk. Approximately five meetings have been held to examine the viability of forming an IISF. Among the participating organizations, ADAPSO has been the most visible. SRI (Mr. Castro's employer) made presentations at several meetings of an approach to an IISF. SRI sent letters to the Fortune 200 companies asking for contributions ($10,000) for seed funding for the organization. Approximately 19 contributions have been received to date. SRI's very modest approach to the creation of an IISF does not include performing security certifications. He also noted that a funding level of approximately one-half to three-quarters of a million dollars is needed for the IISF to be of interest to SRI management. Mr. Whitehurst of IBM, who was in attendance at the meeting, also provided the Board with his insights into the meeting in San Antonio. In particular, he noted the meeting's recommendation that the scope of the IISF be reduced. The Chairman asked Mr. Castro to keep the Board informed of IISF developments at future meetings. (ACTION - SECRETARY and MR. CASTRO)

Re-Write of OMB Circular A-130

Mr. Peter Weiss, Senior Management Analyst, Office of Management and Budget (OMB), discussed the framework for policies of OMB Circular A-130. A whole range of issues related to the Paperwork Reduction Act are under discussion; for example, Circular A-3 on government publications and Circular A-114 on audio-visual materials. Additionally, the Congress is currently revising the Paperwork Reduction Act and OMB hopes to incorporate concepts from this revision in the revised Circular. Marginal cost of data sharing, for example, may be incorporated under the general rule that the government should not use the sale of information for revenue purposes. Records management, archival issues, and new technology's influences on collection and dissemination are all issues which will be dealt with during the first phase of the rewrite of the Circular. During the second phase, issues such as information technology management, strategic planning, IRM investment, how OMB will review budget requests, and computer security will be examined.

Mr. Ed Springer, Senior Management Analyst, OMB, then provided the Board with a review of Appendix III to Circular A-130, dealing specifically with computer security. There are three main thrusts to the current Appendix: application/user security, personnel security, and installation security. Following this review, issues to be included in the review were briefly discussed, including: the requirements of the Computer Security Act of 1987, NIST guidelines, and amending the definition of sensitive information to be consistent with the Act. It is his desire to have a draft of the document available for comment by early Spring. It was also noted that the Federal Computer Security Program Managers Forum plans to provide input to OMB regarding the security-relevant aspects of the rewrite.

Emergency Response

Mr. Steve Redfern, Digital Equipment Corporation (DEC), provided an overview of security incident management at DEC. Two separate issues were addressed in his presentation (Reference #1): 1) how DEC corrects problems with its software products and distributes those corrections, and 2) how DEC responds to internal attacks of malicious software. During the discussion session following the formal presentation, he stressed the importance of communication in being able to respond effectively to such incidents. Mr. Walker asked about the scope of the problem at DEC. Mr. Redfern replied that approximately 60 incidents were qualified as "significant" and handled during 1990. Mr. Burrows inquired whether an increasing number of DEC customers were asking to be notified as soon as DEC heard of a potential problem. Mr. Redfern replied that the information is held close until a fix is ready for distribution.

In reviewing CERT-type activities in the federal government, Mr. McNulty relayed that Ms. Kathie Everhart at NIST had been contacting non-DoD federal agencies to determine whether they had formalized a CERT-type structure.
Unfortunately, other than those identified at the September meeting, no other non-DoD formal structures could be located during this informal survey. Two of the federal Board members were asked what they do to respond to incidents. They indicated that such incidents were dealt with individually, with the appropriate people notified and participating as necessary in each situation. Discussions identified one main source of virus infections to be the transfer of diskettes from the home to the office. Dr. Ware asked the members if there was sufficient interest in drafting a letter to OMB on the emergency response issue. There was an agreement that such a letter should be drafted. (As discussed below, the draft letter was acted upon later in the meeting.)

NIST Updates

Mr. McNulty provided the Board with a brief update on several NIST activities of particular interest to the Board. The series of OMB/NIST/NSA visits to senior agency management officials continues. Ms. Rand noted that the visit to the U.S. Department of Transportation was very helpful in getting senior officials to focus on the issue for a substantial period. Mr. McNulty noted that a report on the visit process was to be prepared and completed in the Spring of 1992. Next, he reviewed the progress NIST has made on the development of the Computer Security Handbook, which was recommended by the Board in its October 1990 letter to the Director of NIST. Following an open, fully competitive procurement process, the contract to write the Handbook was awarded in September 1991 to Trusted Information Systems. Dr. Ware inquired whether a delivery schedule is available for distribution to the Board. Mr. McNulty answered that the outline and introduction were still being debated within NIST, and once these were agreed upon, a realistic delivery schedule could be prepared and delivered to the Board.
It is NIST's intention to make drafts of the Handbook chapters available to the Board once NIST has cleared them internally. It was suggested that the Handbook be placed on the March agenda. (ACTION - SECRETARY)

Following this, Ms. Patricia Edfors, Program Manager of NIST's Integrated OSI, ISDN and Security Program, briefed the Board on her program. (See Reference #2.) Dr. Ware noted that the first overhead transparency implies that government, industry and academia are equal recipients of the program's products, while the Computer Security Act of 1987 clearly directs NIST to do work for the government. Ms. Edfors replied that her program conducts research on items of potential interest to the government, which are also often of interest to others as well. However, the principal focus is meeting the government's needs.

Next, Dr. Katzke, Chief of NIST's Computer Security Division, provided the Board with an overview of the progress made under the Joint NIST/NSA Strategic Plan for the development of Federal Information Processing Standards (FIPS) for Trusted Systems Technology. (See Reference #3.) He reviewed the near-term objectives for the program, which include the publication of federal computer security criteria and the establishment by NIST of an evaluation process for C2-enhanced operating systems. The long-term objectives as well as an explanation of the reasons for the criteria development were also presented. Following Dr. Katzke's overview, Col. Ron Ross of NSA provided the Board with a more detailed status briefing of the federal criteria project, which included the top-level goal, project objectives, projected milestones and the status of each. In discussions which followed, the Board noted the success of the project so far and that they would like to receive updates at each meeting. (ACTION - SECRETARY) Col. Ross said approximately 35 people are participating in some capacity in this effort, equating to approximately 10 full-time-equivalent people. During discussions which followed, Mr. Gallagher offered to have a briefing for the Board on the integration of trusted products and work on the Defense Intelligence Agency's compartmented mode workstation. (ACTION - SECRETARY and MR. GALLAGHER)

Next, Mr. Miles Smid, Chief of the Computer Security Division's Security Technology Group at NIST, presented a brief overview and technical specifications of the draft of FIPS 140-1, Security Requirements for Cryptographic Modules. (See Reference #4.) In response to a question from the Board, he noted that until FIPS 140-1 is approved, federal users could use either NSA endorsements (no longer being performed) or accept vendor-written self-certification of conformance. He hopes to have a new draft of the document prepared in early 1992.

Mr. Smid then turned to the issue of the draft Digital Signature Standard (DSS). (See Reference #5.) Of particular interest to the Board was the extension of the public comment period and the summary of negative comments. Approximately 60 comments have been received. Two observations were made: 1) the international standards process will force the use of RSA; and 2) the DSS is not salable outside the USA, particularly in light of the suspect role of NSA. In a discussion of future actions, Mr. Burrows noted that the patent issues remain to be resolved; the application is still pending at the Patent and Trademark Office. Mr. Walker requested that at the March meeting a sufficient period of time (perhaps 2 hours) be set aside solely for discussion of this issue. (ACTION - SECRETARY) The Board then recessed for the day.

December 11, 1991

Security of Electronic Data Interchange

The day opened with a panel focused on the security issues of Electronic Data Interchange (EDI). Panelists included: Ms. Julie Smith of Logistics Management Institute (LMI), Ms. Elaine Barker of NIST, Mr. Bob Campbell of Advanced Information Management, Inc., and Mr. Viktor Hampel, a consultant to LMI. Ms. Smith provided an overview of EDI security within the Department of Defense, including: electronic commerce, security issues, and a thorough review of their EDI risk assessment methodology. (See Reference #6.) Next, Ms. Barker reviewed EDI security activities in the voluntary standards community, including ANSI X12.58, X12.42, and X9.17. (See Reference #7.) Mr. Bob Campbell followed with his perspective as to the pressing requirements for EDI security. He stressed that developments were moving such that the U.S. could be left behind if it is not a leader in this area. Finally, Mr. Hampel provided the Board with an update of IA's efforts to implement public-key cryptography in EDI, including: modernization and data protection in the Department of Defense, implementation of the draft DSS, commercial interests, new requirements, and recommendations. Mr. Walker inquired as to the most important thing that the Board could do to aid the development of EDI security. Mr. Campbell replied that the Board could stress the need for urgent action lest the world leave the U.S. behind, while Ms. Smith noted the need for risk management guidelines, a clearer definition of "sensitive," and the need for a digital signature algorithm. Ms. Barker added that help was needed from interested, knowledgeable individuals and organizations for the development of standards. Dr. Ware thanked the panel and noted that the Board may wish to reexamine the issue in a year or so.

NIST Response to Board's Recommendations

During this session NIST presented its response to the recommendations made by the Board regarding a restructuring of the NIST computer security program. Mr. James Burrows, Director of the Computer Systems Laboratory (CSL), summarized each of the Board's recommendations and NIST's actions to support each. (See Reference #9.)
Of particular interest was his call for the help of the Board's industry members to provide him with updates of Mr. Burrows with which is available to 14. (ACTION - MR. CASTRO) In discussing product level security specifications, Mr. Burrows stressed that this and testing suites were very expensive undertakings, far in excess of the entire CSL computer security program. Regarding the Board's recommendation that the principal thrust of the NIST program should be to establish itself as the preeminent authority in the field, he noted that such an undertaking was a very expensive proposition. He said that he could keep his people on the road full time, responding to requests for conference and training session speakers, and noted the tradeoff between appearance of leadership and actually producing useful materials. Regarding exportable cryptography, he said that the federal agencies were not influential enough to swing the issue; it would require commitment on the part of the vendor and user communities. Following this overview, Dr. Stu Katzke, provided an overview of the resources available for the computer security program for FY-91 and FY-92 and their actual and planned expenditures, respectively. (See Reference #10.) The Board then discussed the NIST program, quickly focusing upon the draft DSS issue. Statements were made by a number of Board members that the DSS was a drain on NIST resources, inconsistent with international standards, and not technically adequate without key management functionality. A motion was made to 1) express the sense of the Board that the DSS has grave problems and 2) to authorize and direct the Chairman to raise the Board's concerns with the Director of NIST. (See Reference #11.) Members voting in favor of the motion were: Castro, Colvin, Gangemi, Kuyers, Lipner, Walker, Wills, and Zeitler. Mr. Gallagher voted against the motion while Mr. Philcox and Ms. Rand abstained. 
The same motion included an agreement that the Board would develop a formal written position for consideration at the March meeting. The Secretary agreed to coordinate a meeting between the Chairman and the Director of NIST. (ACTION - SECRETARY) Following the lunch break, the Secretary distributed two draft letters to OMB Director Darman on: 1) the need for federal agencies to establish formal emergency response capabilities, and 2) the OMB/NIST/NSA agency visit process. Following brief modifications, both letters were approved in open public session to be sent following editorial corrections by the Secretary. (ACTION - SECTARY) (See References #12 & #13.) Board's 1992 Workplan The Board discussed its draft workplan for 1992, providing considerable input to Mr. Walker and Mr. McNulty, who agreed to develop a revised plan for coordination. (ACTION - SECRETARY and MR. WALKER) Further, it was agreed to ask the Secretary to verify clearances for the Board members so that the classified Threat IV project could be briefed at a future Board meeting. (ACTION - SECRETARY) Mr. Gallagher offered use of one of his facilities for the briefings at the March meeting (in Baltimore), if the clearance issue was resolved in time. Messrs. Zeitler and Castro agreed to champion the issue of the Data Encryption Standard (DES) Revalidation for a meeting in 1992. (ACTION - MR. CASTRO and MR. ZEITLER) Further, Messrs. Lipner and Walker agreed to coordinate the Public Key Cryptography issue for a 1992 meeting. (ACTION - MR. LIPNER and MR. WALKER) Public Participation Mr. Whitehurst provided the Board with a brief summary of the recent OECD meeting on Privacy Guidelines to see how well the guidelines were being implemented. Very few responses were received to an Australian questionnaire sent to all firms which agreed to follow the guidelines. The OECD will not develop more specific guidelines but will hold annual meetings to examine progress made in implementing the guidelines. Mr. 
Wayne Madsen commended the Board on its decision to move privacy to an action item in its workplan. He said that by January of 1993 the EC privacy directive will be in place which will prohibit the transfer of privacy information to other countries without the same level of protection. A U.S. delegation attended, which appeared to primarily represent U.S. direct market merchants. Dr. Sara Comley noted that no one in the U.S. government was interested in the policy aspects of genetic privacy. The government never sent representatives to international meetings of data protectorates; she contacted the Assistant Director of the FBI, who said INTERPOL was there but not any U.S. government representatives. She believes that this issue needs a reassessment by the government and is very concerned why no one is interested in privacy issues. Wrapup The meeting was adjourned at 3:00 p.m. References Note: References are not included as attachments to the minutes, but are maintained on file with the Secretariat. #1 - Redfern briefing #2 - Edfors briefing #3 - Ross briefing #4 - Smid briefing (FIPS 140-1) #5 - Smid briefing (DSS) #6 - Smith briefing #7 - Barker briefing #8 - Hampel briefing #9 - Advisory Board Recommendations #10- NIST Computer Security Program Areas #11- DSS Motion #12- CERT letter to Darman #13- Agency Visit Letter to Darman Lynn McNulty Secretary CERTIFIED as a true and accurate summary of the meeting Willis Ware Chairman