1991 Annual Report
of the
National Computer System Security
and
Privacy Advisory Board
March 1992
TABLE OF CONTENTS
Executive Summary
I. Introduction
    Board's Establishment and Mission
    Board's Charter
    Membership
II. Major Issues Discussed
    NIST's Computer Security Program
    OMB/NIST/NSA Computer Security Agency Visits
    Digital Signature Standard
    Electronic Mail Privacy
    Computer Emergency Response Capabilities
III. Advisory Board Correspondence
    Material Internal Control Weaknesses
    Privacy of Electronic Mail Systems
    NIST's Information Security Program
    Exhibits
IV. 1992 Advisory Board Workplan
    INTRODUCTION
    APPROVED 1992 WORK ITEMS FOR CSSPAB
    Action Items
        Citizen Access to Government Electronic Records
        Data Encryption Standard (DES) Revalidation
        Public Key Cryptography
        Computer Security Guidelines and Standards
        Security Evaluation Process
        Privacy
        Changes in National Computer Security Policies
        Threat and Vulnerability Assessment
    Monitoring Activities
        Security and Open Systems
        Effective Use of Security Products and Features
        Computer Emergency Response Capabilities in Civil Agencies
        International Hacking
        Local Area Network (LAN) Security
        Information Security Foundation
        Implementation of the Computer Security Act
        Security and the Public Switched Network
        Electronic Data Interchange (EDI) Security
V. Conclusions
Executive Summary
This Annual Report documents the activities of the National Computer System Security
and Privacy Advisory Board during 1991, its third year. The Board, which met four times
during the year, was established by Congress through the Computer Security Act of 1987
to identify emerging computer security issues. Dr. Willis Ware of RAND has served as
Chairman of the Board since July of 1989.
The Board formally identified four areas of emerging concern this year and has issued
letters containing the Board's positions and recommendations to appropriate Executive
Branch officials. These issues were:
- agency lack of compliance with the computer security requirements of OMB
Circulars A-130 and A-123;
- the need for users of federal electronic mail systems to be informed of the
level of privacy to be accorded their messages;
- specific program recommendations for improving NIST's Information Security
Program; and
- the lack of formalized computer emergency response capabilities at federal
agencies.
The Board also established a work plan for 1992 which identified candidate topics for in-
depth examination. These include:
- Data Encryption Standard (DES) Revalidation;
- Public Key Cryptography;
- Citizen Access to Government Electronic Records;
- Local Area Network (LAN) Security;
- Electronic Data Interchange (EDI) Security;
- Security and Open Systems;
- Threat and Vulnerability Assessment;
- Effective Use of Security Products and Features;
- Status of Computer Emergency Response Capabilities in Civil Agencies; and
- International Hacking.
The Board has expressed a desire to maintain a continuing interest in certain specific
aspects of the NIST program or to receive periodic briefings on various critical issues,
including:
- Computer Security Guidelines and Standards;
- Security Evaluation Process;
- Privacy;
- Changes in National Computer Security Policies;
- Information Security Foundation;
- Implementation of the Computer Security Act; and
- Security and the Public Switched Network.
With such a list of important topics to examine and reexamine, plus the ever growing
number of relevant new issues and public policy questions, it is clear that much work lies
ahead for the Board in 1992 and beyond.
I. Introduction
Board's Establishment and Mission
The passage of the Computer Security Act of 1987 (P.L. 100-235, signed into law on
January 8, 1988 by President Reagan) established the Computer System Security and
Privacy Advisory Board. The Board was created by Congress as a federal public advisory
committee in order to:
identify emerging managerial, technical, administrative, and physical safeguard issues
relative to computer systems security and privacy.
Appendix A includes the text of the Computer Security Act of 1987, which includes
specific provisions regarding the Board. The Act stipulates that the Board:
- advises the National Institute of Standards and Technology (NIST) and the
Secretary of Commerce on security and privacy issues pertaining to federal
computer systems; and
- reports its findings to the Secretary of Commerce, the Director of the Office of
Management and Budget (OMB), the Director of the National Security
Agency (NSA), and appropriate committees of Congress.
Board's Charter
The Board was first chartered on May 31, 1988 and was rechartered on May 30, 1990 by
then U.S. Department of Commerce Assistant Secretary for Administration Thomas
Collamore. (See Appendix B for the text of the current charter.)
Consistent with the Computer Security Act of 1987, the Board's scope of authority extends
only to those issues affecting the security and privacy of unclassified information in federal
computer systems or those operated by contractors or state or local governments on
behalf of the federal government. The Board's authority does not extend to private sector
systems (except those operated to process information for the federal government) or
systems which process classified information or Department of Defense unclassified
systems related to military or intelligence missions as covered by the Warner Amendment
(10 U.S.C. 2315).
Membership
The Board is composed of twelve computer security experts in addition to the
Chairperson. The twelve members are, by statute, drawn from three separate
communities:
- four experts from outside the federal government, one of whom is a
representative of a small- or medium- size firm;
- four non-government employees who are not employed by or a representative
of a producer of computer or telecommunications equipment; and
- four members from the federal government, including one from the National
Security Agency of the Department of Defense.
Currently, Dr. Willis H. Ware, a senior researcher of the Corporate Research Staff of
RAND, serves as Chairman of the Board. He was appointed in July 1989 following
consultation with Congress which determined that it was inappropriate for a NIST official
to chair the Board. As of December 1991, the full membership of the Board was as
follows:
- Chairman
Willis H. Ware, RAND
- Federal Members
Bill D. Colvin, National Aeronautics and Space Administration
Patrick Gallagher, National Security Agency
Henry H. Philcox, Department of the Treasury, Internal Revenue Service
Cynthia C. Rand, Department of Transportation
- Non-federal, Non-Vendor
Chris R. Castro, SRI, Inc.
John A. Kuyers, Ernst and Young
Eddie L. Zeitler, Fidelity Security Services, Inc.
(vacancy)
- Non-federal
Gaetano Gangemi, Wang Laboratories, Inc.
Steven B. Lipner, Digital Equipment Corp.
Stephen T. Walker, Trusted Information Systems, Inc.
Lawrence L. Wills, International Business Machines Corp.
During 1991, the terms of Mr. Roger Cooper (Department of Justice), and Mr. Robert
Courtney, Jr. (RCI, Inc.), expired. One vacancy remains to be filled in the Non-federal,
Non-Vendor category.
NIST's Associate Director for Computer Security, Mr. Lynn McNulty, serves as the
Board's Secretary and is the Designated Federal Official (DFO) under the Federal
Advisory Committee Act. The DFO is responsible for ensuring that the Board operates in
accordance with applicable statutes and agency regulations. Additionally, the DFO must
approve each meeting and its agenda. Through the Secretariat, NIST provides financial
and logistical support to the Board as stipulated by the Computer Security Act of 1987.
II. Major Issues Discussed
The following section summarizes the discussions held by the Board in 1991. Additionally,
the Board conducts a good deal of informal, non-decisional background discussion and
preparation for meetings by electronic mail between meetings. The Board's activities also
complement the other activities of the Board's members, several of whom are quite active
in many aspects of these topics. Note that the minutes and agenda from the March, June,
September, and December meetings are included as Appendices C to F, respectively. The
required Federal Register announcement notices for the meetings are presented in
Appendix G.
The substantive work of the Board during 1991 was devoted to various topics related to
the security of federal unclassified automated information systems. Among the most
important were:
- NIST's Computer Security Program;
- OMB/NIST/NSA Computer Security Agency Visits;
- NIST's Digital Signature Standard;
- Electronic Mail Privacy; and
- Computer Emergency Response Capabilities.
NIST's Computer Security Program
During 1991, one item of continuing interest to the Board was NIST's computer security
program. In March, the Board was briefed by NIST as to its plans for 1991 and beyond.
The Board at that time informally noted its concerns with the scope and adequacy of the
program to meet NIST's responsibilities under the Computer Security Act. General
discussion indicated that the Board believed that too much of the program is driven by
externally funded taskings, drawing attention and resources away from other more
important projects. The Board also noted that many projects are understaffed and, as a
result, many tasks remain uncompleted and are carried over from year to year.
During the year, the Board issued a recommended program plan to NIST. The plan
consolidated the NIST plan into nine items and included the Board's view of the threat
environment which should drive NIST's program. (These recommendations, issued in two
parts, are included in Section III.) At the December meeting, the Director of NIST's
Computer Systems Laboratory, Mr. James Burrows, examined each of the Board's
recommendations one at a time, and explained why they could or could not be
implemented.
OMB/NIST/NSA Computer Security Agency Visits
As a follow-up to the computer security plan review process mandated by the Computer
Security Act, officials from OMB, NIST, and NSA have been visiting senior officials at
federal departments and agencies. The purpose of these visits is to discuss major agency
automation efforts, the risks to the agency's mission associated with those automation
plans, and the protection that the agency has acquired, or is planning to acquire, through
the implementation of security measures.
Senior managers are asked to report on three of the agency's most sensitive systems,
including the kind of data processed by the systems, the potential threats to the systems
and what measures are being taken to reduce the risks to the systems.
At the March meeting, two panels were convened to discuss these visits. The first panel
consisted of representatives from OMB, NIST, and NSA who have been active
participants in the visits to federal agencies to review their computer security programs in
fulfilling the intent of the Computer Security Act. The panel members reported that
agencies have been candid in discussing their problems and that the visits have reinforced
the need for additional agency guidance, particularly in the area of networking and
laptops. The visits also served to let NIST and NSA know what they could do better to
help agencies meet their security requirements. The second panel of three federal agency
computer security program managers agreed that the visits were a success. However, all
three managers expressed their opinion that feedback from OMB was desirable.
An update of the agency visit program was presented at the June meeting. Agencies have
requested guidance on issues such as security of electronic data interchange applications;
application of electronic signature technology; and network security. A report on the visit
process is to be prepared and completed in the Spring of 1992.
In December the Board voted to send a letter to the Director of OMB noting that the
agency visit process has been a success thus far and recommending that a summary report
be prepared of the visits. The Board also urged OMB to consider how the message of the
visits could be effectively delivered to major federal centers outside the Washington area.
Digital Signature Standard
In August of 1991, NIST proposed a draft Digital Signature Standard (DSS) as a Federal
Information Processing Standard. This issue has been of continuing interest to the
CSSPAB. The Board was afforded briefings regarding the technical specification of the
standard itself as well as a summary of the comments received by NIST (through
December) on the standard.
In December the Board formally expressed its grave concerns with the draft DSS and
directed the Chairman to discuss the Board's concerns with the Director of NIST.
Electronic Mail Privacy
The Board initially examined the issue of electronic mail privacy and security in 1990.
During 1991, the Board again considered the issue and agreed to send a letter to the
Director of NIST recommending that users of federal e-mail systems be advised of the
level of privacy to be accorded their messages.
Computer Emergency Response Capabilities
The ability of federal agencies to respond to computer emergencies, including virus
incidents, was raised as a concern among Board members in 1991. The Board convened a
panel of experts to discuss the current response system and requested that NIST contact
federal agencies to determine whether most agencies had formalized response capabilities
in place. Upon hearing that most did not, the Board formally recommended to OMB that
it advise federal agencies of the need to properly plan and organize for computer
emergencies.
III. Advisory Board Correspondence
During 1991, the Board issued letters reporting its findings on three important issues:
- material internal control weaknesses;
- privacy of electronic mail systems; and
- NIST's information security program.
Also, the Chairman prepared correspondence to the Office of Management and Budget
regarding computer emergency response capabilities and the need to properly plan and
organize for computer emergencies. The Board recommended that during the
forthcoming revision of the security appendix to OMB Circular A-130, existing contingency
planning requirements should be enhanced to include the need to plan for such computer
emergencies as viruses, malicious external attacks, and other similar events.
The Board also informed the Office of Management and Budget of its view of the
progress of the Computer Security Act agency visit program described in OMB Bulletin
90-08 and the positive comments from all of those involved in the visits. The Board
recommended that OMB build upon the successful formula that has produced the positive
results. The Board believes that the emphasis on underscoring management involvement
as a fundamental prerequisite for an effective computer security program is appropriate
and should be maintained in a subsequent initiative. The Board also urged OMB to
consider how this message can be effectively delivered to major federal centers and
activities outside of the Washington area.
Material Internal Control Weaknesses
On May 17, 1991, the Board issued a letter to the Director of OMB advising him of its
unanimous approval of a proposal to address agency lack of compliance with the
computer security requirements of OMB Circulars A-130 and A-123. The Board
recommended that OMB require that lack of compliance with certain of these
requirements be defined as "material internal control weaknesses" which should then be
required to be reported to the President and OMB under the Federal Managers Financial
Integrity Act.
Privacy of Electronic Mail Systems
On June 19, 1991, the Board issued a letter to the Director of NIST advising him of the
Board's unanimous view that users of federal electronic mail systems should be informed of
the level of privacy to be accorded their messages. The Board recommended that NIST
work with OMB to identify a suitable
means of implementation. Two approaches were suggested: 1) uniform government-wide
guidance or 2) agency-specific guidance to be developed by each agency. Each approach
has benefits and drawbacks. Uniform regulations, by definition, would be consistent across
the government, although their implementations could vary. On the other hand, individual
agency policies may be more appropriate for each agency's operating environment and
constituency. Whichever approach is taken, departments and agencies should be required
to inform users of the level of privacy which they can expect.
NIST's Information Security Program
The Board also issued its findings on August 22 and October 22, 1991, regarding NIST's
Information Security Program. In March, NIST presented its program consisting of
twenty-four items. The Board recommended its program of nine elements as appropriate
to the current and near-term threat environment, with the objective of improving the level
of federal computer security by focusing the NIST security program on critical areas in
which results are urgently needed.
Exhibits
The Board's correspondence and replies (when received) are included in the following
exhibits:
Exhibit I Letter from Chairman Ware to Director Darman of OMB on material
internal control weaknesses
Exhibit II Letter from Chairman Ware to Director Lyons of NIST on privacy of
electronic mail systems
Exhibit III Answer from Director Lyons of NIST to Chairman Ware
Exhibit IV Letter from Chairman Ware to Director Lyons of NIST on NIST's
Information Security Program
Exhibit V Answer from Director Lyons of NIST to Chairman Ware
Exhibit VI A second letter from Chairman Ware to Director Lyons of NIST on
NIST's Information Security Program
Exhibit VII Letter from Chairman Ware to Director Darman of OMB on computer
emergency response capabilities
Exhibit VIII Answer from Director Darman of OMB to Chairman Ware
Exhibit IX Letter from Chairman Ware to Director Darman of OMB on the
Computer Security Act agency visit program
(Reply anticipated in 1992.)
Exhibit I
THE NATIONAL
COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD
MAY 17 1991
Honorable Richard G. Darman
Director, Office of Management and Budget
Old Executive Office Building
17th Street and Pennsylvania Avenue, NW
Washington, DC 20515
Dear Mr. Darman:
The Computer System Security and Privacy Advisory Board was
established within the Department of Commerce by the Computer
Security Act of 1987, P.L. 100-235. The charter of the Board
establishes a specific objective for the Board to advise the
National Institute of Standards and Technology (NIST) on security
and privacy issues pertaining to federal computer systems. The
Board is also to inform the Office of Management and Budget
(OMB), the National Security Agency, and appropriate
Congressional committees of our findings.
The purpose of this letter is to advise you of the unanimous
approval of the Advisory Board of our proposal (enclosed) to
address agency lack of compliance with the computer security
requirements of OMB Circulars A-130 and A-123.
We recommend that:
OMB require that lack of compliance with certain of these
requirements be defined as "material internal control weaknesses"
which would then be required to be reported to the President and
OMB under the Federal Managers Financial Integrity Act.
We feel that this procedure will significantly raise the level of
compliance with established computer security requirements.
Implementing the recommendation will require coordination between
NIST and OMB; however, we have already coordinated our position
with NIST and OMB personnel who attended the Board meeting in
March.
Thank you for your consideration of our recommendation.
Sincerely,
Willis H. Ware
Chairman
Enclosure
Exhibit II
THE NATIONAL
COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD
Jun 19 1991
Dr. John W. Lyons
Director
National Institute of Standards and Technology
Gaithersburg, MD 20899
Dr. Lyons:
As you know, the Computer System Security and Privacy Advisory
Board was established within the Department of Commerce by the
Computer Security Act of 1987, P.L. 100-235. The charter of the
Board establishes a specific objective for the Board to advise
the National Institute of Standards and Technology (NIST)
and the Secretary of Commerce on security and privacy issues
pertaining to Federal computer systems.
The purpose of this letter is to advise you of the unanimous view
of the Advisory Board that users of federal electronic mail
systems be informed of the level of privacy to be accorded their
messages. To accomplish this, the Board recommends that NIST
work with OMB to identify a suitable means of implementation.
In the discussions with OMB, we suggest that careful
consideration be given whether such guidance should be uniform
across the government or developed and issued by individual
departments and agencies. Each approach has benefits and
drawbacks. Uniform regulations, by definition, will be
consistent across the government, although their implementations
may vary. On the other hand, individual agency policies may be
more appropriate for each agency's operating environment and
constituency. Whichever approach is taken, departments and
agencies should be required to inform users of the level of
privacy which they can expect.
Since computer system administrators and system programmers
commonly have access to all data in the machine, the Board
believes that every agency or department should establish a
policy prohibiting casual reading of electronic mail by such
individuals. Access to mail records should be permitted only as
required by emergency or system failure circumstances.
On the other hand, management personnel can also have access to
the mail of others, and it is not clear what the appropriate
policy should be. Each agency and department must examine this
aspect with regard to its own management attitudes and
philosophy, and establish an appropriate policy.
Without a full understanding of the legal and regulatory
environment which may apply, (e.g., the Freedom of Information
Act), the Board cannot take a position as to what level of
privacy should or can be, only that it be developed and users
fully informed. However, we observe that much e-mail traffic is
in the nature of interoffice mail and as such is related to the
business of the organization. In this case, the individual
sending or receiving electronic messages should have no
expectation of privacy unless the organization has taken specific
steps to assure it.
In addition to our concern for the privacy of electronic mail, we
believe federal agencies should also address its security
aspects. In particular, the positive authentication of message
originators and the confidentiality of electronic messages while
in transit and in computer systems are major concerns. Security
technology is already available which agencies should be
encouraged to utilize now. An important new capability will be
the digital signature standard which NIST intends to propose
shortly and which will address the user authentication matter.
Thank you for your time and consideration of our recommendation.
I am available to discuss this with you at your convenience.
Sincerely,
Willis H. Ware
Chairman
Exhibit III
UNITED STATES DEPARTMENT OF COMMERCE
National Institute of Standards and Technology
Gaithersburg, Maryland 20899
OFFICE OF THE DIRECTOR
JUN 26 1991
Dr. Willis H. Ware
Chairman, The National NIST Computer System
Security and Privacy Advisory Board
The Rand Corporation
1700 Main Street
Santa Monica, CA 90406-2138
Dear Willis,
Thank you for your letter from the Advisory Board on the subject
of the security of electronic mail. I, as a user, am keenly
aware of the problem and am grateful to you for pointing out that
we should do something about this.
Please be assured we shall address this matter.
Sincerely,
ORIGINAL SIGNED BY
JOHN W. LYONS
John W. Lyons
Director
Exhibit IV
THE NATIONAL
COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD
AUG 22 1991
Dr. John W. Lyons
Director
National Institute of Standards and Technology
Gaithersburg, MD 20899
Dear Dr. Lyons:
As you know, the Computer System Security and Privacy Advisory
Board was established within the Department of Commerce by the
Computer Security Act of 1987, P.L. 100-235. The charter of the
Board establishes a specific objective for the Board to advise
the National Institute of Standards and Technology (NIST) and the
Secretary of Commerce on security and privacy issues pertaining
to Federal computer systems.
The purpose of this letter is to provide you with the Advisory
Board's recommendations (enclosed) for improving NIST's
Information Security Program. Our proposal begins with a
discussion of the current and near-term threat environment,
thereby providing the context for the plan which follows. In
contrast to the twenty-four items in NIST's program (as presented
to us in March), our recommended program has nine elements. The
Board believes that these nine items can contribute in a very
significant way toward improving the level of federal computer
security by focusing the NIST security program on critical areas
in which results are urgently needed.
You should be aware that we have already discussed our recommendations
with Mr. James Burrows at our meeting in June. He indicated that NIST
would be prepared to respond to our proposals at the September Advisory
Board meeting.
Thank you for your time and consideration of our recommendation. I am
available to discuss this with you at your convenience.
Sincerely,
Willis H. Ware
Chairman
Enclosure
A PROPOSED NIST INFORMATION SECURITY PROGRAM
INTRODUCTION
The following material is a plan devised by the Advisory Board for
presentation to NIST as the Board's suggestions for improving the NIST
information security program.
This plan does not have the highly detailed structure which NIST
brought to the March CSSPAB meeting, nor is that necessary for the
immediate purpose of presenting a wholly different plan. The current
NIST program has twenty-four line items. The one proposed here has
nine. These nine items are not consolidations of the twenty-four.
They are nine discrete items which can contribute in a very meaningful
way to the safety of our rapidly increasing dependence on computer-
based systems.
Throughout this document, the word security, without modifiers, should
be read to mean information security.
THE CURRENT AND NEAR-TERM THREAT ENVIRONMENT
In support of the recommendation of a specific NIST information
security program, it is necessary to describe the security environment
on which recommendations are based. The quite diverse array of
experience encompassed by the members of the CSSPAB permits the board
to describe a threat environment on which NIST can safely base its
security program provided only that it maintain an awareness of any
emerging and unanticipated problems.
The CSSPAB believes the following statements to accurately describe the
general threat environment and related considerations on which NIST
should base its security program.
1. The Absence of Significant Discontinuities in the Threat
Environment. Over the past twenty years and continuing until today, the
distribution of loss to computer security incidents among several
general categories has remained fairly constant. There have been no
major and abrupt changes wholly out of keeping with long term, clearly
discernible trends.
The most significant changes in the threat complement have been
viruses, attacks on the public switched networks, and opportunities for
harm presented by a worldwide Internet spanning multiple countries and
organizations. None of these relatively new problems have generated
losses exceeding 1% of the total cost of our security-related losses
in the information systems environment. The inclusion of the security
losses associated with LANs will still not top the 1% mark. (The
source of the data supporting the 1% figure is described later in
paragraph 3.)
It is doubtful that viruses would be a meaningful problem had the
microcomputer not been introduced. The penetrations into the public
switched networks are directly attributable to the broadly-based
assimilation of computer-based switches into those networks. These two
instances and the problems posed by the Internet are but the most
recent of a long series of security problems that have been encountered
because we failed to consider carefully the security implications of
many advances in data processing technology before putting them to use
without adequate safeguards.
In general, threats do not create vulnerabilities. The inverse is more
commonly true. We build into our systems vulnerabilities to avarice,
malice, carelessness, loyalties to other countries or organizations of
persons with access to our systems, poorly trained and poorly motivated
employees, technical show-offs, and irresponsibly directed curiosity.
Those unfortunate characteristics of human nature, coupled with
vulnerabilities to fires, floods, earthquakes, equipment failure and
the many other similar and unfortunate things which can happen, are the
origin of most security problems. Thus, more often than not, the
vulnerabilities have the effect of encouraging specific threats. Our
weaknesses are often the opportunities for others once they are aware
of them.
It is generally true that it is very easy to design a system which,
after it is built, is very difficult if not impossible to secure in an
economically feasible way. It is also true, however, that it is
usually not difficult to design a system providing the needed
functionality but which is adequately secure if security is among the
initial and basically coequal functional objectives. Thus, it is
usually unnecessary, but nevertheless common, to invite threats through
the incorporation of vulnerabilities into our designs.
Many of the systems which pose the more severe security challenges are
those which evolved, Topsy-like, a component at a time, until it was
belatedly recognized that the result was a complex that was difficult,
if not sometimes impossible, to secure.
Concern for the ability to secure, after the fact, systems which were
developed with little or no concern for security must be a major
consideration in our design of security controls. However, the
security needs of such systems must not be allowed to wholly dominate
the programs to devise means for achieving security. Even though some
of the more severe challenges are in existing systems, this should not
be allowed to detract, by diversion of resources, from the drive to
achieve adequate, economically feasible security.
2. The Relative Importance of Threats - It is not a simple task to
rank threats in accord with their relative importance. It is improper
to assign relative importance to threats except in terms of both the
consequences they produce and their probability of occurrence. Both
the consequences and the probabilities of the realization of specific
threats are clearly system unique.
Threats cannot be weighed by just the severity of their consequences,
because to do that is to ignore their probabilities of occurrence. Some
of the most severe threats have probabilities of occurrence so low as
to justify accepting the risks they present. If in the past we had
ignored the probabilities of occurrence and weighed only the
consequences, we would all now be wondering what to do with the few
million bomb shelters in our back yards.
The relative severity of threats clearly varies as a function of the
attractiveness of the target systems, their geographic locations, and
other factors often including the perceived quality of the security
provided them.
Threats should not be ranked by the number of security incidents
attributable to a particular threat. If that is done, the incidents
encountered or anticipated could then include huge numbers of
relatively unimportant things while Illinois Bell's Hinsdale fire would
be only one instance even though the cost to its customers exceeded
$500 million.
If threats are assessed in terms of the economic consequences, we have
a workable basis for ranking them. No other basis has been shown to be
workable in the information security environment. A major problem with
ranking by economic consequences is the difficulties in costing social
consequences, including loss of national security.
It is commonly argued that we cannot put a price tag on such matters as
personal privacy or national security when, in reality, we do it quite
routinely though haphazardly. Quite often we draw a line at what we
are willing to spend, in dollars or inconvenience, to protect a
facility or a system of records even though we know that there is
residual vulnerability which can be eliminated by paying a higher
price. In protecting against hard-to-quantify losses, the line is more
often drawn at what we can afford, what is politically acceptable, or
what we want to spend than it is related to the magnitude of the
unfortunate consequences if the security is compromised.
3. Threat Rankings - A survey of several hundred public and private
sector organizations in the United States, Canada, and in seven western
European countries reveals remarkable consistency in the relative
importance or cost of the information security problems they encounter.
Further, these rankings have remained quite stable over a period of
thirteen years. Not only have their relative positions remained
unchanged, so have the percentages of loss attributable to each problem
category remained almost unchanged. For this reason, we should rely on
these rankings until we have data indicating the need for change in
them. These data indicate clearly that there is no basis for
anticipation of an abrupt shift in the problem environment unless a
specific cause for that shift can be identified.
The categories into which the problems have been placed and the
percentages of economic loss attributable to each are these:
- 65% errors and omissions
- 13% dishonest employees
- 6% disgruntled employees
- 8% loss of supporting infrastructure, including power,
communications, water, sewer, transportation, fire, flood,
civil unrest, strikes, etc.
- 5% water, not related to fires and floods
- <3% outsiders, including viruses, espionage, dissidents and
malcontents of various kinds, and ex-employees who have
been away for more than 6 weeks.
It might seem that minor variations in such a major category as
errors and omissions would make the percentages attributable to
the other categories highly unstable, but such has not been the
case. For example, the factors which raise or lower losses to
errors and omissions often have similar effects on losses to
dishonest and disgruntled employees. For this reason, even
though the size of the total losses may change, the apportionment
among the categories has been fairly stable.
Again, these apportionments do not so much reflect the magnitude
of the threats as they do the generality of the security
weaknesses encountered in a large system population.
The data supporting the apportionments were derived from a study
of 1,347 incidents, exclusive of errors and omissions, over a
period of three years ending February 1991. Similar data
extending back over thirteen years are also available. The data
on errors and omissions were obtained from 442 organizations over
that same three-year period and from 2404 organizations over the
thirteen year period.
Voluminous questionnaires were used in gathering the data, but
they were completed by investigators during on-site visits. For
example, the one for incidents of computer related employee
dishonesty has fifty-one pages.
One criticism which might be made of these data will come from
the assertion that "those are just about the same numbers that we
have seen for years." That is true and it is also the reason why
they should be used. They clearly demonstrate the relative
stability of the problem environment and provide justification
for not anticipating seriously disruptive discontinuities in the
threat environment until we have identified a credible cause for
them.
4. New Threats - The continued rapid expansion in our dependence
on computer-based systems and the continued increase in the
complexity of such systems bring with them, as they have for the
past two decades, the need for new security measures, both
technological and procedural, to counter the threats which result
from their introduction.
Twenty years ago the needed measures included such elemental
things as write verification and protection against improper disk
pack swapping. The then current security design deficiencies
include such things as designs that required the operators at the
consoles to enter the users' passwords. We continue to add
measures and, now as then, only after problems have been
encountered and we suffer losses. There was then and there is
now a need to consider the security implications of technical
advances when we reduce those advances to practice and not later
after we have been hurt.
The greatest single change in the nature of data processing, with
the exception of the microcomputer explosion, is the rapid
increase in the communication of data among networked computers.
Considerable unnecessary concern has been generated as a
consequence of postulating dire threats resulting from this still
increasing networking even though there are no signs of abrupt
changes in the nature or magnitude of the associated threats.
There is a real possibility that the greatest threat to the
continued evolution of economically feasible, highly useful
networks will be over-reaction to relatively minor security
incidents. Indeed, it is not unreasonable to suggest that the
real damage done by the Internet worm will be to the ease of use of
that complex by those who would secure it. The overselling of
security threats can itself be a problem often as threatening as
the postulated problems.
There is still a widespread fear in the public and private
sectors that cryptographic techniques impose unacceptable
complexity on a system and greatly increase the serviceability
problems. Because of this, many organizations have not bothered
to find that cryptography is not nearly so complex and not nearly
so expensive as they believe it to be and, because it is not
expensive, is an economically feasible way for protecting the
integrity and confidentiality of communications.
The rapidly evolving networking of systems clearly requires the
continued rapid development of cryptographic systems which can
accommodate the security needs of these complex systems. It is
anticipated that this requirement will be reflected in the
product-level standards and guidelines which are recommended
below.
Certainly a significant threat to the confidentiality of
proprietary data held by multinational corporations and ranking
immediately after that of departing employees, is communications
intercept on satellite links. In spite of that, typically there
is a lack of familiarity with and a fear of using commercial
cryptography, and together they remain a real barrier to
countering the threat.
Exhibit V
UNITED STATES DEPARTMENT OF COMMERCE
National Institute of Standards and Technology
OFFICE OF THE DIRECTOR
September 9, 1991
Dr. Willis H. Ware
Chairman
The National Computer System Security
and Privacy Advisory Board
Gaithersburg, MD 20899
Dear Willis:
Thank you for your letter of August 22 and the enclosed recommendations.
I have gone through it and marked it up in several places and will be
reviewing it with Jim and his team. With Ray Kammer's departure I have
to rethink our working relations with other Federal agencies; your
comments should help me with that too.
Thank you for the report.
Sincerely,
John W. Lyons
Director
cc: JHBurrows
Exhibit VI
THE NATIONAL
COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD
OCT 22 1991
Dr. John W. Lyons
Director
National Institute of Standards and Technology
Gaithersburg, MD 20899
Dear Dr. Lyons:
Enclosed herewith is a second document which sets forth the
Advisory Board's context for the conduct of the CSL research
program. Actually this and our July letter are two parts of one
document but have been sent you in reversed order. If you will
please put the enclosed item on top of the prior one, the two
together will become a coherent treatment of the Board's concerns
about the program as previously presented to us.
The Board was particularly concerned and sensitive to the question
of the boundary between the FIPS which NIST will publish for secure
computer systems and the Criteria which NCSC has published and may
revise. We feel it especially important that the vendor industry
not have to market different products conforming to the requirements
of your FIPS but separately to the NCSC Criteria.
Our best attempt to express our concerns is the fourth paragraph of
section four on page two. We think it might be well for your office
to maintain some visibility over the NCSC/CSL interaction and the
FIPS/Criteria interface to assure the best interests of the country
are served.
We are available to discuss these two documents at your request.
Sincerely,
Willis H. Ware
Chairman
Enclosure
A CONTEXT FOR THE NIST SECURITY PROGRAM
I. POLICIES, POSITIONS AND RELATIONS.
1. NIST SECURITY Program Orientation - The principal thrust of
the NIST/CSL security program should be to establish NIST/CSL as
the preeminent authority to which the agencies of the federal
government and, less directly, state and local agencies and the
private sector look for leadership in information security.
While NIST/CSL is often asked to perform consulting roles for
agencies dealing with unclassified information, it should do so
only to the extent that it does not limit the accomplishment of
its principal thrust.
NIST/CSL must issue such standards and guidelines in information
security as will benefit a broad segment of its constituency. As
noted below, it should take an aggressive stance in advancing the
interests of both the civil agencies and the U.S. vendor
community by devising workable and potentially acceptable
proposals for cooperating with European security initiatives.
2. Selling the NIST/CSL Program - NIST/CSL should aggressively
sell the benefits to the federal government of its security
activities. Too many members of Congress, congressional and OMB
staffers, and many others in the government consider information
security to be no more than protection of data against
unauthorized disclosure (confidentiality).
The principal justification for funding the NIST/CSL security
program should be the obvious benefits to the federal government,
to state and local governments and to the private sector of
having data which have, as appropriate, the characteristics of
accuracy, timeliness, completeness, and confidentiality. The
decision makers need to understand that money spent enhancing
these characteristics of data is money returned several fold in
increased effectiveness and reduced cost of government.
Unless the visibility of NIST/CSL's activities in computer and
communications security is raised, there seems little reason to
expect the major increases in funding needed to let NIST/CSL do
what is really needed of it - and no one is able to raise its
profile but NIST/CSL itself and, to a very limited extent, the
Advisory Board.
3. NIST/CSL-NSA Relations - By both law and executive order,
NIST/CSL and NSA perform significantly different functions in
support of different though overlapping constituencies. The
challenge for both agencies is to cooperate where necessary and
appropriate without engaging in a burdensome and potentially
endless process of coordination. Because the resources available
to NIST/CSL are much smaller than those of NSA, the potential
loss of productive effort is of much more concern to NIST/CSL.
There are, however, areas where NIST/CSL and NSA must either
coordinate their efforts or clearly delineate the boundaries
between their activities. In the area of cryptography, where
certain responsibilities have been given to NSA by both law and
presidential directive, there is a need for a high level of
cooperative activity. While both agencies are active in the area
of operating system ("trusted system") computer security, a
delineation of responsibilities such as proposed in section 4
below is desirable.
Cooperative endeavors should not be rejected out of hand, but
neither can cooperation be a forced goal for its own sake. It
must be, rather, a basis for a mutually beneficial exchange of
information.
As it is charged to do by P.L. 100-235, NIST/CSL must maintain
awareness of pertinent technical developments within NSA which
might benefit the constituency of the NIST/CSL security program
and incorporate into the NIST/CSL program those developments
appropriate to the program.
4. NIST/CSL and NSA Roles re Evaluation Criteria - It should be
anticipated that most or all vendors will, in time, enhance the
basic design of their operating systems and the supporting
hardware to the end that C2 or B1 capabilities will be uniformly
available and no longer optionable by the customer except to the
extent that such things as access control or individual
accountability may have no meaning in specific applications and
are not then imposed.
NIST/CSL, with support from NSA, should take responsibility for
the development and promulgation of criteria in the form of FIPS
for what has until now been referred to as C2/B1 of the DoD
Trusted Computer Security Evaluation Criteria. Testing and
evaluation of systems which meet these criteria should be
conducted under the auspices of the National Voluntary Laboratory
Accreditation Program.
NSA, with support from NIST, should continue to develop and
promulgate criteria for B2 and higher levels of trust and to
conduct evaluations as appropriate for these levels.
There will likely be a tension between the desire for compatibility
and continuity of the NIST/CSL criteria with those of NSA. NIST/CSL
and NSA should each weigh carefully the needs of users, the security
threats to be addressed, the needs of suppliers, and the desire for
compatibility with other criteria (e.g., the European ITSEC) in
determining what level of compatibility and continuity is
appropriate. Draft criteria should be subject to trial use on
systems of real-world scope and complexity, and the trial use
experiences documented before the criteria are finalized. It is
desirable that there be compatibility and continuity of the NIST/CSL
criteria with those of NSA.
5. Other Agency Activities - NIST/CSL should undertake outside
funded activities when they are consistent with and contribute toward
the accomplishment of NIST/CSL's principal thrust.
NIST/CSL should perform a careful review of its outside activities
for FY92 and beyond and seek to terminate in an appropriate and
timely manner those which do not directly support its basic goals and
obligations.
6. Cryptography - NIST/CSL must continue its essential role in
support of suitable cryptographic protection for the civil agencies
and the private sector. Specific product-level activities are a
subset of paragraph 11.5 of the document: "A Proposed NIST R&D
Information Security Program."
There is need for continued pursuit of exportable algorithms. The
current arrangement is seriously inadequate to the security needs of
many organizations needing secure trans-border communications. Such
security is essential to the national security even though the data
are not those usually recognized as "national interest" data. The
economic well-being of the U.S. business community is an extremely
important national interest matter.
7. CERTS - NIST's activities in this aspect of the program should
be limited to coordination and facilitation of federal agency
activities. NIST should undertake no responsibilities that properly
belong in operational agencies.
Exhibit VII
THE NATIONAL
COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD
January 7, 1992
Honorable Richard Darman
Director, Office of Management and Budget
Old Executive Office Building
Washington, DC 20503
Dear Mr. Darman:
As provided by the Computer Security Act of 1987, I would like to
take this opportunity to report to you that the Computer System
Security and Privacy Advisory Board has reached consensus on an
emerging issue affecting the security of federal computer systems.
The problem that we bring to your attention is the apparent lack of
formalized computer emergency response capabilities on the part of
most federal agencies which operate unclassified computer systems and
networks. The need for formalized, structured emergency response
capabilities was underscored at the time of the malicious software
attack on the INTERNET in November 1988.
As a result of that event the Department of Defense established the
Computer Emergency Response Team at Carnegie Mellon University. The
value of the activity has been proven repeatedly over the past few
years, and its success has led to the creation of eleven similar
centers within the Department of Energy, the National Aeronautics and
Space Administration and the military services.
During our September 1991 meeting, the Board requested that personnel
from the National Institute of Standards and Technology informally
survey the federal community for the purpose of identifying other
organized computer emergency response structures. This informal
survey identified no additional formally structured computer
emergency response entity that could be activated in the event of a
significant computer and/or telecommunications network emergency.
Although we note that most agencies appear to be dealing effectively
with localized incidents of computer viruses, this approach may not
be adequate to enable them to respond to a highly sophisticated or
large scale attack.
We believe the establishment of such a structured response
capability within most agencies to be highly desirable. The public
interest will be best served with the creation of organized computer
emergency response capabilities. Proper planning, together with
comprehensive management procedures and oversight may well produce
cost savings when compared to uncoordinated, ad hoc attempts to
respond to computer emergencies.
Accordingly, the Computer System Security and Privacy Advisory Board
urges that the Office of Management and Budget undertake the
following actions:
- Promptly advise Federal agencies of the need to properly
plan and organize for computer emergencies. A new NIST
publication, "Establishing a Computer Security Incident
Response Capability," should be useful to agencies in the
development of these capabilities.
- During the forthcoming revision of the security appendix
to OMB Circular A-130, existing contingency planning
requirements should be enhanced to include the need to
plan for such computer emergencies as viruses, malicious
external attacks, and other similar events.
We believe that the lack of an adequate computer emergency response
capability within federal agencies is a significant vulnerability
that can be reduced through the recommended actions.
I appreciate the opportunity to express the recommendations of
the Computer System Security and Privacy Advisory Board. You can
reach me through the RAND Corporation, 1700 Main Street, P.O. Box
2138, Santa Monica, CA 90406-2138.
Sincerely,
Willis H. Ware
Chairman
Exhibit VIII
EXECUTIVE OFFICE OF THE PRESIDENT
OFFICE OF MANAGEMENT AND BUDGET
WASHINGTON, D.C. 20503
Feb 6, 1992
Dr. Willis H. Ware
Chairman, National Computer System
Security and Privacy Advisory Board
National Institute of Standards and
Technology Building
Gaithersburg, MD 20899
Dear Dr. Ware:
Thank you for your letter of January 7, 1992 to Director Darman
concerning the need for Federal agencies to establish computer
emergency response capabilities.
As you know, the Office of Management and Budget (OMB) has long had
an interest in assuring the adequate security of Federal computer
systems. In our view, security includes not only efforts to prevent
incidents, but also the ability to detect and recover from them
should they occur. Integral to recovery is planning and organization
for such contingencies.
In accordance with the Board's recommendation, I recently forwarded
copies of the National Institute of Standards and Technology
publication, "Establishing a Computer Security Incident Response
Capability," to senior information resources management officials
representing Federal departments and agencies and asked them to
consider establishing such programs. Additionally, I can assure you
that we will give great weight to the Board's recommendation that we
include an explicit emergency response requirement in our forthcoming
revision to Appendix III of OMB Circular No. A-130.
As always, it is a pleasure to hear from you and the Board.
I look forward to our future opportunities to work together.
Sincerely,
James B. MacRae, Jr.
Acting Administrator and
Deputy Administrator
Office of Information and
Regulatory Affairs
Exhibit IX
THE NATIONAL
COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD
January 9, 1992
Honorable Richard Darman
Director, Office of Management and Budget
Old Executive Building
Washington, DC 20503
Dear Mr. Darman:
As provided by the Computer Security Act of 1987, I am pleased
to submit the following report from the Computer System Security
and Privacy Advisory Board for your consideration.
During the last three Advisory Board meetings we have reviewed
the progress of the Computer Security Act agency visit program
described in OMB Bulletin 90-08. In accomplishing this project
we have heard from a wide variety of federal employees involved in
various aspects of this effort. These individuals have included
members of the OMB staff responsible for planning and executing the
visit program; agency computer security officials and senior
information management executives, and participants from the
National Institute of Standards and Technology (NIST) and the
National Security Agency (NSA).
I am very pleased to state that we have heard nothing but positive
comments from all of those involved in the agency visit program. We
have been particularly impressed with the enthusiastic reactions of
agency participants, who have advised the Board that visits to their
agencies have resulted in greater awareness of computer security
issues on the part of senior officials in their organizations.
This, in turn, has resulted in enhanced management support for
agency computer security programs.
The Board notes that within the next few months OMB/NIST/NSA
representatives will have completed visits to all of the agencies
included in the initial Bulletin 90-08 program. We believe that it
would be very beneficial if a summary report documenting the results
of this activity were prepared and shared with concerned agency and
Congressional officials, as well as interested private citizens.
The pending conclusion of visits projected in Bulletin 90-08 will
require OMB officials to plan for additional activities designed to
sustain the spirit and intent of the Computer Security Act of 1987.
In planning these future activities, our Advisory Board recommends
that OMB build upon the successful formula that has produced the
positive results noted above. We believe that the emphasis on
underscoring management involvement as a fundamental prerequisite
for an effective computer security program is appropriate and should be
maintained in a subsequent initiative. The Board also urges OMB to
consider how this message can be effectively delivered to major
Federal centers and activities outside of the Washington area.
I appreciate the opportunity to express the views of the Computer
System Security and Privacy Advisory Board.
I look forward to your response. You can reach me through the RAND
Corporation, 1700 Main Street, P.O. Box 2138, Santa Monica, CA
90406-2138.
Sincerely,
Willis H. Ware
Chairman
IV. 1992 Advisory Board Workplan
I. INTRODUCTION
This section sets forth the proposed 1992 work plan for the
Computer System Security and Privacy Advisory Board (CSSPAB).
This document, approved by the Advisory Board, is intended to be
used as a planning guide for the Board's 1992 activities. The
Board recognizes that other subjects not previously identified in
this planning document may arise during 1992. The Board reserves
the right to address any matter that pertains to its fundamental
missions and may modify its program plan to meet evolving
situations and changing priorities.
II. APPROVED 1992 WORK ITEMS FOR CSSPAB
A. Action Items. The Board will examine the following new topics
during its 1992 program year:
A.1. Citizen Access to Government Electronic Records. There is
considerable discussion underway concerning this issue. A
legislative proposal, S. 1940, "Electronic Freedom of Information
Improvement Act of 1991," was recently introduced for
Congressional consideration. The Board will examine the
information system security and related privacy issues inherent
in this important public policy debate.
A.2. Data Encryption Standard (DES) Revalidation. The DES will
come up for revalidation in early 1993; however, the public
policy issues underlying any decision to revalidate DES or move
to another encryption standard will be decided during 1992. The
Advisory Board may be the only public forum, outside of the
Congress, where this matter can be discussed in a dispassionate
manner by knowledgeable individuals from the public and private
sectors. The Board will review developments in this subject area.
A.3. Public Key Cryptography. The Board will review the progress
in developing a digital signature standard for use by the
unclassified segment of the federal government. Of equal
importance will be an examination of the infrastructure issues
related to the use of public key cryptography by federal
agencies. Regardless of the algorithm to be selected as the basis
for the standard, it is important that critical policy and
technical alternatives be identified for managing the issuance
and distribution of certificates. Which organizational entities
of the government should have operational responsibilities for
the infrastructure?
A.4. Computer Security Guidelines and Standards. The Board will
monitor NIST and NSA plans and programs for the international
harmonization of computer security requirements as well as their
experiences and plans for guidelines, standards, and
interpretations. The Board will pay particular attention to the
NIST/NSA Work Plan on Trusted System Technology. NIST program
updates should be scheduled in March 1992 and September 1992. NSA
program updates should be scheduled for June and December 1992.
Each briefing should contain an update on the NIST/NSA Work Plan.
The Board should prepare an interim report of its findings and
recommendations by September 1992 and a final report by December
1992.
A.5. Security Evaluation Process. The Draft NIST/NSA Work Plan on
Trusted System Technology identifies the possibility of NSA
focusing on the higher levels of trust (B2 and above) and NIST
picking up the lower levels of trust (C2 and B1), perhaps under
the auspices of the National Voluntary Laboratory Accreditation
Program (NVLAP). This suggestion may help increase the
availability and timeliness of evaluated products at all levels
by focusing attention and increasing resources available to
specific areas. The Board will review the possibilities of this
development through discussions and briefings from NSA, NIST, and
civilian and defense organizations that would be affected by this
split of responsibilities. One model for such an evaluation
program might be the FIPS 140-1 cryptographic module product
evaluation process. The Board will review this evolving process
as part of its overall examination. This area should be a topic
of discussion at each of the Board meetings. The Board should
issue its recommendations on this topic in initial form in June
1992 and final form in December 1992.
A.6. Privacy. There is a renewed interest in privacy issues in
the public press, with mixed signals coming from the public at
large: concern for privacy, but unwillingness to pay for
protection or to be inconvenienced. The Board should review the
measures that are needed/being taken by the Government to protect
privacy in federal programs and issue recommendations on what
NIST and others should be doing to encourage protection of
privacy information. Specific briefings from agencies involved in
handling privacy information should be scheduled early in the
year. The Board should report on its recommendations by September
1992. The scope of this activity will also include monitoring
developments in European privacy regulations to assess their
potential impact upon U.S. entities.
A.7. Changes in National Computer Security Policies. The Board
should continue to receive written updates and briefings from the
Executive Secretary on any pending or proposed changes in
national computer security policies. This activity will include
the revision to Appendix III, OMB Circular A-130 which the Board
recognizes as being a critical component in the security policy
foundation for the Government's unclassified systems.
A.8. Threat and Vulnerability Assessment. The Board will compare
and contrast developments in the national security community in
the area of threat assessment and vulnerability reporting with
existing capabilities for the unclassified community.
Specifically, the Board will hear about the DCI Threat IV project
and the USAF Vulnerability Reporting Program. Are similar
functions needed to support the unclassified community? If so, who
should provide them?
B. Monitoring Activities. The Board has expressed a desire to
maintain a continuing interest in certain aspects of the NIST
program and to receive periodic briefings on various critical
issues. The Board may choose to exercise its statutory reporting
responsibilities if it believes that a specific issue has become
sufficiently important to warrant such action.
B.1.Security and Open Systems. A major segment of the NIST
Computer Systems Laboratory program is directed to achieving the
concept of open systems. The Board will review the current status
of security within the open systems context and seek to identify
any critical areas where security issues may impede the full
utilization of open systems. One frequently voiced problem area
involves the lack of an adequate public key based cryptographic
key distribution standard. Is this a valid concern and are there
other security gaps that need to be addressed by NIST and other
standards entities?
B.2.Effective Use of Security Products and Features. A study
conducted by the President's Council on Integrity and Efficiency
indicated that many security functions and features were either
unused or misused by system administrators and users. The
experience of emergency response teams further bears this out.
The Board would like to examine what must be done to change this
and whether better guidelines, training, etc. are needed on how to
use basic security tools and features designed into existing
products.
B.3.Status of Computer Emergency Response Capabilities in Civil
Agencies. The Board has heard from several sectors of the US
Government that have organized highly effective emergency
response teams and centers. How well prepared are other agencies
such as HHS, HUD, etc. to handle computer emergencies? Is there a
requirement for such agencies to establish such a capability?
Periodic briefings on the use of a Computer Security Incident
Response Capability (CSIRC) and what lessons can be learned to
improve security would be useful. Since most incidents occur
because accepted routine security practices are not followed,
should this not be well publicized as an awareness or training
tool?
B.4.International Hacking. Cases of international hacking such
as those that Cliff Stoll documented seem to keep occurring.
Hackers continue to exploit the same old vulnerabilities that
Stoll and many others have documented. Where is the
accountability for taking care of known problems? Also, there
appears to be continuing organizational confusion on the
international hacking problem (i.e., who in the Government, if
anyone, is or should be responsible?).
B.5.Local Area Network (LAN) Security. Federal agencies are
experiencing significant security problems with the utilization
of LAN technology. The pace of the installation of this
technology, combined with the security exposures resulting from
the use of LANs has created a new level of risk for federal
information systems. Another aspect of this issue will be the
potential explosive growth in the installation of wireless LAN
technology over the next few years. The Board will examine the
LAN issue to determine what can be accomplished to improve the
security of installed LANs and what research, policy and/or other
initiatives must be undertaken to effect a long term improvement
in LAN security.
B.6.Information Security Foundation. The Board will monitor
developments in this area and offer appropriate comments/guidance
as needed.
B.7.Implementation of the Computer Security Act. Subsumed under
this heading are the various related issues the Board would like
to address in 1992. These include an examination of Office of
Management and Budget policies, including the anticipated rewrite
of OMB Circular A-130. Also of interest is the role of the
Inspector General in computer security. Computer security
training and its effectiveness are also to be studied. Lastly,
the Board would look into the status of OMB/NIST/NSA security
planning agency visits. What lessons have been learned? What are
the plans for a followup activity?
B.8.Security and the Public Switched Network. A number of
studies have highlighted the vulnerabilities of the public
switched network. At the moment, much activity is taking place
behind closed doors on this issue, particularly in the National
Security Emergency Preparedness arena. At some point, this issue
needs to be surfaced and examined by the Board.
B.9.Electronic Data Interchange (EDI) Security. Many federal
agencies are about to launch ambitious automation programs that
will make extensive use of EDI technology. There are significant
security policy and technical issues that must be addressed to
assure that the use of EDI complies with the spirit and intent of
the Computer Security Act and other existing computer security
government directives. The Board will address this issue both
from a policy and technology perspective.
V. Conclusions
During its third year, the Board continued to build the
foundation toward progress in the years ahead. It developed a
work plan and established its priorities for 1992. The Board has
begun to examine those issues which it should study further and
has heard from a number of agencies and organizations as to its
role and duties. While the Board has initiated an action plan to
identify emerging computer security and privacy issues, much
remains to be accomplished in successfully addressing the
challenges of the 1990s.
APPENDIX A
Computer Security Act of 1987
See Separate File
APPENDIX B
Charter of the
COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD
See Separate File
APPENDIX C
AGENDA
Meeting of the
Computer System Security and Privacy Advisory Board
March 19-20, 1991
Stouffer Harborplace Hotel, Baltimore, Maryland
Tuesday March 19, 1991
9:00 Meeting Overview
Lynn McNulty
Executive Secretary
9:10 Remarks from the Chair
Willis Ware
Chairman
NIST's Computer Security Program - Current and Future Activities
9:15 Setting the Stage: Findings from FMFIA Submissions
Lynn McNulty
9:30 1991 NIST Computer Security Activities James Burrows
Director, Computer Systems Laboratory (CSL), NIST
and
Stu Katzke, Chief, Computer Security Division, NIST
10:15 Break
10:30 Continue
11:45 Status Report - Computer Security Handbook
Lynn McNulty, NIST
12:00 Lunch
Afternoon Closed Session
1:30 Presentation of Out Year Plans and Budgets Stu Katzke
2:30 Discussion
3:00 Break
3:15 Future Plans & Initiatives - ITSEC & Criteria
5:00 Close
End Closed Session
Wednesday, March 20, 1991
Implementation of the Computer Security Act
9:00 Status of OMB Policies
Robert Veeder
Acting Director, Information Policy Branch
Office of Management and Budget
9:30 View from the Hill
Barbara Kirsch
House Science, Space and Technology Committee
9:40 Perspectives on Success of On-going Agency Visits
Robert Veeder & Edward Springer
Office of Management and Budget
Irene Gilbert
Computer Security Division
National Institute of Standards and Technology
Paul Peters
National Computer Security Center
National Security Agency
10:20 Break
10:35 OMB Bulletin 90-08 Visits - Agency Perspectives
Jules Romagnoli
U.S. Dept. of State
John Tressler
U.S.Dept. of Education
Richard Carr
National Aeronautics and Space Administration
11:10 Discussion
Pending Board Topics
11:30 Computer Security Professionalization Issue
Arthur F. Chantker
U.S. Marshals Service
12:00 Lunch
1:30 Discussion - E-Mail Privacy Revisited
2:00 Data Categorization Steve Lipner and Eddie Zeitler
2:30 Improving Security in Federal Computer Systems
Bill Colvin
2:45 Draft Annual Report
3:00 Public Participation (as required)
3:20 Discussion of June Meeting Agenda
3:30 Close
Next Meeting
June 12-13, 1991
Sheraton Reston International Hotel
Reston, Virginia
FINAL MINUTES OF THE
MARCH 19-20, 1991 MEETING OF THE
COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD
March 19, 1991
Call to Order
Dr. Ware, Chairman of the Board, called the meeting to order at
9:00 a.m. at the Federal Hill Room of the Stouffer Harborplace
Hotel in Baltimore, Maryland. He reviewed the reference materials
provided to the members. In response to a question, he announced
that no news was available regarding approval of new Board members.
Mr. Wills indicated that the Board has had vacancies since
September 1990 and would soon be crippled by the lack of members.
Dr. Ware, Board Chairman, indicated that he had no additional
information on whatever bottlenecks may be delaying the approval of
new members. Mr. Burrows said that he could go back to the Director
of the National Institute of Standards and Technology (NIST) and
alert him of the problem. (ACTION - Mr. Burrows) Due to a late
arrival, the formal approval of the minutes was delayed to allow
for a quorum to be present. (The late member arrived soon
thereafter.)
Review of NIST's Computer Security Strategic Plan
Mr. McNulty opened the discussion by providing a brief summary of
the 1990 reports to the president by federal agencies and
departments under the Federal Managers Financial Integrity Act.
(See Attachment A.) A brief discussion ensued which covered the
status of the revised ITSEC and NIST's digital signature standard
efforts. Dr. Ware inquired whether the standard to be proposed
would be in concert with S. 266's sense of the Congress statement
regarding the availability of plaintext. Mr. Burrows responded that
the standards would be for signature and hashing only.
Dr. Katzke, Chief of the Computer Security Division of NIST's
Computer Security Laboratory, proceeded to review the Division's
FY 1991 Computer Security Strategic Plan. He was accompanied by
his group leaders, who were available to provide detailed program
descriptions. He began with an overview of recent international
and national events and trends. Next he described the logical
organization of the plan, which is divided into six components:
- National Computer Security Leadership Activities
- Computer Security Management
- Computer Security Technology and Standards
- Agency Support and Assistance
- Open Systems Environment Standards
- Other Agency Projects
Within these six components are eight major projects on which NIST
will focus. These are:
- Computer Security Handbook and Framework
- Open Systems Environment
- Information Technology Security Criteria
- Advanced Authentication Technology
- Cryptographic Family of Standards
- Computer Emergency Response
- Testing and Evaluation
- Agency Support and Assistance
The Board discussed the majority of these to some extent. The
Advisory Board, in its general discussion, voiced concern about the
scope and adequacy of the program to meet responsibilities of P.L.
100-235. There is a general feeling that too much of the program
is driven by external tasking that is not necessarily in the direct
interest of P.L. 100-235 obligations, and that many of the projects
are understaffed, and as a result are carryovers from years prior
to the enactment of P.L. 100-235. No formal recommendations were
adopted by the Board regarding the NIST Computer Security Program
Plan.
Closed Session
During the afternoon session, which was closed to the public, the
Board discussed possible NIST plans and initiatives for out-years.
Specifically, the Board's discussions focused upon possible
approaches to the development of computer security standards and
guidelines in their joint, multi-year effort with the National
Security Agency. The Board took no actions during the closed
session.
March 20, 1991
Computer Security Personnel
Mr. Arthur Chantker of the U.S. Marshals Service, on detail to
NIST, provided a briefing to the Board on a NIST project to examine
the staffing of computer security positions in the federal
government. (See Attachment B.) While the study is continuing to
gather data, it is clear that there is no uniformity to what series
are used by agencies for staffing these positions. Mr. McNulty
agreed that NIST would work to collect the number of positions
currently staffed and provide that material to the Board when it
was available. (ACTION - Mr. McNulty) In discussions which
followed, the Board agreed to look more closely at this issue at
the June meeting. Mr. Courtney volunteered to lead a discussion at
the next meeting on how to best utilize computer security talent.
(ACTION Mr. Courtney)
Congressional Update
Next, Ms. Barbara Kirsch, a General Accounting Office employee on
detail to the House Science, Space and Technology Committee,
presented her personal views of the current status of relevant
events in the Congress. The Transportation, Aviation and Material
Subcommittee, which has traditionally sponsored the computer
security hearings (most recently in July 1990), has been merged
into the Technology and Competitiveness Subcommittee. Computer
security hearings are tentatively set for the May or June timeframe
of this year. No further details were available about the planned
hearings.
Regulatory Update
Robert Veeder, Director of the Information Policy Branch of the
Office of Management and Budget (OMB), followed with an overview of
the success of the OMB/NIST/NSA agency computer security visits and
related matters. He expressed the opinion that the Privacy Act of
1974 does not appear to work very well in the contemporary
electronic environment and may require modifications. Senator Leahy
is about to introduce an Electronic FOIA bill which will also
address the issue of what a record is. A proposed revision to the
Computer Privacy and Matching Act is being developed at OMB as
well. OMB Circular A-130 is also under revision. In response to a
question from Dr. Ware, Mr. Veeder indicated that better
enforcement may be necessary for certain aspects of the Circular.
Dr. Ware expressed the Board's desire to maintain a dialogue with
OMB on these issues.
Approval of the Minutes
Prior to proceeding with the panel sessions, with a quorum present
and in open session, the Board approved the minutes of the
December, 1990, meeting.
Computer Security Agency Visits
The first panel consisted of representatives of OMB, NIST, and NSA
who have been active participants in the visits to federal agencies
to review their computer security programs in fulfilling the intent
of the Computer Security Act. The panel included Mr. Robert Veeder
and Mr. Edward Springer of OMB, Mr. Patrick Gallagher, Director of
the National Computer Security Center, and Ms. Irene Gilbert of
NIST's Computer Security Division. Eight meetings with agencies
have taken place so far. Four additional agencies have been
scheduled; approximately forty remain unscheduled. A visit to the
Department of Defense was scheduled but was delayed due to the
Middle East War.
Mr. Veeder emphasized that the purpose of the meeting was to meet
with management personnel - not technical staff. Mr. Springer said
the visits had two purposes: 1) to raise awareness of computer
security and 2) to change behavior. The concept of "insurance"
(vice computer security) came up frequently at the meetings as it
was a concept familiar to managers. OMB will be developing a
report of the visit process. Agencies have been candid in
discussing their problems. Ms. Gilbert said that the visits have
reinforced the need for additional agency guidance, particularly in
the area of networking and laptops. Mr. Gallagher noted that the
visits also served to let NIST and NSA know what they could do
better to help agencies meet their security requirements.
Next a panel of three federal agency computer security program
managers was convened. The panel consisted of Mr. Richard Carr of
the National Aeronautics and Space Administration (NASA), Mr. John
Tressler of the Department of Education and Mr. Romagnoli of the
Department of State.
At the State Department, the OMB/NIST/NSA visit was considered a
success. A number of planning meetings held with Deputy Assistant
Secretaries were very useful in explaining the security program and
raising awareness of its activities. Internal relationships within
the Department are greatly improved with a higher level of
cooperation and easier access to management officials. Mr.
Romagnoli did recommend that a follow-up letter be sent from OMB to
the Department. Overall, the visit was much more useful than the
plan submission process, which was termed a "fiasco."
Mr. Tressler began by reviewing the decentralized program in place
at the Education Department. His was also the first agency to be
visited and was considered a learning experience by both the
Department and the OMB/NIST/NSA team. A summary of the fifty
sensitive Education systems was developed and presented to
management for a decision as to which three would be selected for
the meeting. As a result of the meeting, the level of security
awareness has increased. Overall, the process went well; however,
it would be useful to have a follow-up and to get management more
involved in security matters.
Mr. Carr also emphasized the positive results of the agency visit.
At NASA, approximately forty people attended the meeting, which
indicated the seriousness of the visit. He also echoed the
desirability of feedback from OMB as to their reactions to the
meeting. Mr. Colvin interjected that NASA holds agency-wide
meetings every six months on these matters and the Administrator is
briefed as to findings of the vulnerability studies. Dr. Ware
asked the panel if there was a group through which those agencies
which have been visited could share their experiences so that other
agencies could know what to expect. Mr. Tressler replied that the
Federal Computer Security Program Managers Forum, chaired by Mr.
McNulty, was an ideal vehicle for such information sharing.
Approval of Annual Report
Prior to breaking for lunch, with a quorum present and in open
session, the Board unanimously adopted its draft 1990 Annual
Report. Dr. Ware will forward the document to NIST for appropriate
distribution.
After lunch, Dr. Ware informed the Board that Mr. Roback would
serve as the Designated Federal Official for the remainder of the
meeting in Mr. McNulty's absence.
Computer Security Reporting Under FMFIA
Mr. Colvin reviewed his proposal that the lack of compliance with
certain requirements of OMB Circular A-130 and A-123 be designated
"material internal control weaknesses." These weaknesses have to
be reported to the President under the Federal Managers Financial
Integrity Act. It would be left to NIST and OMB to decide
specifically which deficiencies (e.g., lack of a tested contingency
plan) would be defined as weaknesses. Such a new procedure would
result in a more accurate reporting process and reduce the level of
subjectivity across agency reporting. It would also give the heads
of agencies more information as to the status of security in their
organization. Additionally, it would provide OMB and NIST with more
knowledge about the status of computer security across the
government. He recommended that the Board avoid micromanagement and
let OMB identify the specific weaknesses to be reported. He also
stressed the need for speedy action as OMB was in the process of
rewriting OMB Circular A-130. Mr. Cooper stated that this item
looked like a "real winner." With a quorum present and in open
session, the Board unanimously adopted the recommendation. (See
Attachment C.) The secretariat was asked to prepare a transmittal
letter to the Director of NIST. (ACTION - Secretariat)
E-Mail Privacy
The Board briefly discussed e-mail privacy as a follow-up to its
discussion in December 1990. It was agreed that it was desirable
to have a position paper with recommendations drafted for
discussion at the June meeting. Dr. Ware agreed to work with the
secretariat to prepare the document for discussion and coordinate
it via e-mail. (ACTION - Dr. Ware/Secretariat)
Data Categorization
Messrs. Lipner and Zeitler handed out a concept paper on data
categorization. (See Attachment D.) During a short discussion,
Mr. Walker suggested that a legislative solution was necessary; only
a top-down approach could be successful. While no conclusions were
reached during the discussion, it was the sense of the Board to
defer further action on this item.
Public Participation
No members of the public wished to speak.
June Meeting Agenda
The Board agreed that the following topics would be included on
the June agenda:
- Vulnerabilities of the Public Switched Network (1/2 hour)
- Computer Security Personnel
- NIST Update and
- Utilization of Existing Talent (Mr. Courtney)
- E-Mail Privacy - Discussion of Draft Letter
- FOIA/Privacy Act/Sensitive Information (OMB)
- Update of Agency Visits (Dr. Katzke)
- Update on EC Meetings
- NIST Report on Criteria Progress
- Information Security Foundation (Mr. Walker)
Close
The meeting was adjourned at 3:15 p.m.
Lynn McNulty
Secretary
CERTIFIED as a true and
accurate summary of the meeting
Willis Ware
Chairman
AGENDA
Meeting of the
Computer System Security and Privacy Advisory Board
June 12-13, 1991
Sheraton Reston Hotel, Reston, Virginia
Reminder - Under the Federal Advisory Committee Act, all Board
documents discussed at Board meetings in open session are available
to the public.
Wednesday June 12, 1991
I. Introduction
9:00 Meeting Overview & News Update
Lynn McNulty
Executive Secretary
9:10 Remarks from the Chair
Willis Ware
Chairman
II. Federal Information Policy Developments
Note: OMB offered at the March meeting to provide the Board
with a review of the current governmental regulatory
environment. This is anticipated to be the first in a
series of briefings to the Board.
ACTION - Agreement on Future Actions
9:15 Federal Electronic Recordkeeping
Ken Thibodeau
Director, Center for Electronic Records
National Archives and Records Administration
10:15 Break
10:30 Discussion
III. NIST Update
During this session, NIST will present an update of
their recent agency visit activities.
10:45 Update of Agency Visits
Irene Gilbert
IV. Review of Draft Board E-Mail Privacy & Security Position
ACTION - Review/Accept Draft Letter
11:00 E-Mail Privacy
Willis Ware
V. Public Switched Network Issues
Note: At the March meeting the Board agreed to briefly
look at this topic by discussing the publicly available
NSTAC report.
REMINDER: Please have reviewed the NSTAC report
previously provided.
ACTION - Determine if this is an area the Board wishes
to examine in greater detail.
11:30 Discussion of Public Switched Network Issues
12:00 Lunch
Closed Session
VI. Discussion of NIST's Long Range Computer Security Plans
Note: At the last meeting, the Board was provided an
overview of the NIST five year computer security
strategic plan. During this session, the Board may
also wish to examine the draft NIST/NSA Trusted
Systems Technology workplan. This session will focus
upon Advisory Board reaction to NIST's long-range
plans.
ACTION - As Required by Discussion
Note: All recommendations must be adopted in open
session.
1:30 Advisory Board Reaction to the Plan
2:00 Break
2:15 Discussion
VII. Government Computer Security Research Programs
Note: NSA has been invited to present their long-range
unclassified research program.
4:00 NSA's Long Range Research Program
Terry Ireland
Deputy Chief, INFOSEC Research and Technology National
Security Agency
4:45 Discussion
5:00 Close
End of Closed Session
Thursday, June 13, 1991
VIII. Information Security Foundation
Note: At the last meeting, Mr. Walker asked that the
Board discuss the Information Security Foundation.
Other interested individuals have been assembled to
give their views as well.
ACTION - As required by discussion
9:00 Information Security Foundation - Panel Discussion
Steve Walker
Trusted Information Systems, Inc.
Board Member
Doug Jerger
Vice-President
American Software Association, ADAPSO
Ed Burke
Director, Advanced Systems
MITRE
10:15 Break
IX. NIST Computer Security Program
This session will allow time for the Board members to
follow up on their discussions held during closed
session and, as appropriate, adopt recommendations in open
session.
10:30 Discussion
12:00 Lunch
X. Computer Security Staffing
Note: This session continues the discussion from the
last meeting on the staffing of federal computer
security positions and the professionalization of the
discipline.
1:15 Computer Security Personnel Study - Update, Lynn McNulty
XI. Wrap-up
1:30 Final Consideration of Recommendations (as necessary)
2:00 Public Participation (as necessary)
2:30 September Meeting Agenda Discussion
ACTION - Develop topics and proposed speakers for September
3:00 Close
Next Meeting
September 18 - 19, 1991
(location TBD)
MINUTES OF THE
JUNE 12-13, 1991 MEETING OF THE
COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD
JUNE 12, 1991
Call to Order
Dr. Willis Ware, Chairman of the Board, called the meeting to
order at 9:00 a.m. at the Sheraton Hotel in Reston, Virginia.
Dr. Ware asked the Board Secretary to brief the Board members
regarding any organizational developments which had occurred
since the last meeting. Mr. McNulty stated that he was pleased
to announce that the formal appointment letters for Messrs.
Gallagher, Walker, and Kuyers had been sent from the Director of
the National Institute of Standards and Technology (NIST). He
remarked that since the March meeting, he also responded to a
Congressional inquiry about the delay in processing Board
nominations outstanding for six to eight months. Mr. McNulty
concluded his opening remarks by reviewing several other
administrative and procedural matters.
Federal Information Policy Developments--Electronic Record
Keeping
Mr. McNulty then introduced Mr. Ken Thibodeau, Director, Center for
Electronic Records of the National Archives and Records
Administration (NARA). Mr. Thibodeau's presentation is part of an
on-going series of Office of Management and Budget (OMB) sponsored
briefings for the Board on federal information policy issues.
Mr. Thibodeau briefly described NARA's mission and method of
operation. He stressed that the permanent preservation of
government records is an important part of the accountability
concept which underlies our form of government. However, the
federal record keeping environment is changing from paper to
electronic, and this in turn is having an impact upon NARA. One of
the fundamental issues confronting NARA is what constitutes an
"official" electronic record. Other related issues include the
handling of relational data bases, lack of standards for submission
of electronic records to NARA, and retention periods for records
stored on electronic media. It is anticipated that between 1991
and 1995 over one thousand electronic data bases will be
transferred to NARA.
The security and privacy related issues that NARA must confront as
it becomes more deeply involved in preserving electronic data bases
include: (1) the desire for on-line public access to these records;
(2) preservation of individual privacy; and (3) assuring the
integrity of electronic records in the custody of NARA.
Mr. Thibodeau also discussed the new NARA facility that is
nearing completion on the University of Maryland campus in College
Park. He stated that computer systems to be installed at this
complex will process many of the electronic data bases in the
custody of NARA. There are plans to have extensive local and
remote public access to these electronic records. At the
conclusion of his presentation, the Chairman thanked Mr. Thibodeau
for his very informative briefing.
Update on the OMB/NSA/NIST Agency Visit Program
Ms. Irene Gilbert of the NIST Computer Security Division briefed
the Board on the current status of the agency visit program being
accomplished in accordance with the provisions of OMB Bulletin 90-
08. She briefly summarized the activities that have occurred since
the Board discussed this activity at its March meeting. Ms. Gilbert
was asked by a Board member what types of guidance federal agencies
have requested during these meetings. She stated that agencies
have requested guidance on issues such as security of electronic
data interchange applications; application of electronic signature
technology; and network security. Mr. Walker raised the question
about whether or not there is a long term plan on what will follow
the completion of this series of visits. Thus far, there has been
no formal overall analysis of the results of the agency visits nor
have the results been correlated with the NIST/NSA Joint Strategic
Plan effort. The Board raised, but did not settle, the question of
whether agency visits should be continued on a periodic basis.
After some discussion, it was agreed that the Chairman and the
Board Secretary would discuss this matter with appropriate OMB
officials and report to the Board at the next meeting. (ACTION:
Dr. Ware and Mr. McNulty)
Electronic Mail Privacy
The discussion held during this segment of the Board meeting
focused upon confidentiality and privacy concerns related to the
Board's use of the NIST Computer Systems Laboratory electronic mail
system. It was agreed that Board members should have a fundamental
understanding that this e-mail application provides no security and
that members using this service be guided by this fundamental
principle. The Board agreed, in open public session, to send a
letter to the Director of NIST to relay the Board's concerns that
users of federal e-mail utilities be informed of the level of
privacy to be accorded their messages. The letter also recommends
that NIST work with OMB to identify a suitable means of
implementation. (See Attachment #1.) The Board Chairman requested
NIST to prepare a short security policy statement that could be
disseminated to all present and future Board members.
(ACTION: NIST)
Public Switched Network
The Board conducted an informal discussion of the security issues
related to the Public Switched Network (PSN). (Note: The members
had been provided a copy of the publicly available December 1990
report issued by the National Security Telecommunications Advisory
Committee in a mailing prior to the March meeting.) It was agreed
that with the fundamental changes that have occurred in switch
technology over the past decade, significant "computer security"
issues now confront the telecommunications industry. Fundamental
problems related to operating systems security, access control,
user identification/authentication, and other generic computer
security concerns are present in the PSN. Mr. Walker summarized
the issue by stating that the security problems confronting the PSN
appear to be "a classic case of vulnerability induced threat." The
Board concluded its discussion of this matter by agreeing that the
security concerns related to the PSN were indeed significant, but
that the problem was being addressed in other government sponsored
forums. Consequently, there was no requirement at this time to
become involved in this issue. It was also observed that
discussion of such vulnerabilities (of a non-federal system) in
open session was not desirable.
Discussion of NIST's Long Range Strategic Computer Security
Program Plan
During the afternoon session, the Board discussed the multi-year
program plan for the NIST computer security program, including its
out-year budgets. (Although the agenda indicated that the session
would be closed, the Secretary announced that the afternoon session
on the NIST plan would be open to the public. Only the NSA briefing
would be closed.) The NIST long-range program plan had been briefed
to the Board at its March meeting. In the intervening period, the
Board members conducted considerable informal discussions on the
general directions and specific components of this plan. The
principal discussions held during this period focused upon a
recommendation of an alternate NIST computer security program which
had been prepared by Mr. Courtney. The document he presented to
the Board consisted of three major sections: background/threat
environment, Part A (program context), and Part B (program
recommendations). The Board considered the proposal and accepted
the initial draft. However, after extensive discussion, the matter
was deferred to the following day on a motion to reconsider.
National Security Agency (NSA) Computer Security Research Program
During the final hour of the day, a closed session was held at which
the Board received a briefing on the long term NSA computer
security research program. This was provided by Mr. Terry
Ireland, Deputy Chief of the INFOSEC Research and Technology Group.
Mr. Ireland described NSA's multi-year work plan in a number of
areas related to the security of computers and networks. The Board
found this to be a highly useful presentation as it allowed for a
useful comparison with the NIST strategic program plan currently
under review.
The meeting was recessed for the day at 5:00 p.m.
June 13, 1991
Information Security Foundation
The initial session of the day was devoted to a discussion
of the developments concerning the formation of an Information
Security Foundation (ISF). Mr. Walker opened the discussion by
providing a background briefing on the evolution of the ISF
concept recommended in the December 1989 report, Computers at
Risk, prepared under the auspices of the National Research
Council under sponsorship by the Defense Advanced Research
Projects Agency. Mr. Walker advised the Board that the study
committee had come to the conclusion that something like an ISF
was needed to perform the advocacy and supporting services
functions needed to fully address the fundamental issues raised
by Computers at Risk. Mr. Walker further advised the Board that
the proposal for an ISF was placed in the document without any
specific concept of how such an entity would be established.
Since the publication of the document, several groups have come
forward and have expressed an interest in serving as the catalyst
for the ISF.
Mr. Doug Jerger, Vice President of the American Software Association
(a division of ADAPSO), discussed his group's interest in creating an
ISF. He stated that ADAPSO would be sponsoring a meeting on June 25
to bring all of the parties interested in establishing an ISF together
and initiate discussion on how this concept can be translated into a
viable group.
Mr. Edmund Burke of the MITRE Corporation gave the last presentation
of this session. He stated that his organization has studied the
prospects for an ISF and supports the concept of such an organization.
MITRE believes that it is well suited to serve as the sponsoring
organization and is willing to fulfill such a role. Mr. Burke
emphasized that MITRE is particularly interested in the testing and
evaluation aspects of any ISF that may be established.
Discussion of NIST's Long Range Strategic Computer Security Program
Plan II
While this session was a continuation of the subject matter initiated
during the previous day, the discussions primarily focused upon
recommendations for the NIST program plan.
There was considerable discussion among the Board members on the
desirability of including "Part A" in the final version of the
document to be sent to the Director of NIST. After some discussion,
it was agreed that "Part A" would not be included in the final
version but would be deferred for additional consideration.
The Board voted to approve the document in substance (without Part A).
Those voting in favor (of the introduction/threat and Part "B"
document) include: Courtney, Zeitler, Wills, Kuyers, Lipner, Walker,
and Colvin. Those opposed: Gallagher and Mancher. Reasons for
opposing the recommendation included the argument that the Board had
insufficient time to review the proposal. Additionally, the Board
authorized the Chairman to make language changes to the approved
document before being formally transmitted to NIST senior management.
(See Attachment #2.)
Following this discussion, Mr. Walker expressed a concern regarding
the procedures underlying the preparation, presentation, and approval
of this document. He expressed the opinion that the Board members who
had not participated in the preparation of this document had been
given little time to study the paper before it was presented for a
formal vote. Mr. Walker stated that he believed that in matters of
such consequence as far-reaching recommendations regarding the overall
NIST program, Board members should be afforded more time to review
such documents.
Mr. Gallagher supported Mr. Walker's comments and further stated that
he was very concerned by the lack of established Board procedures
which governed the dissemination and review of such position papers.
Mr. Gallagher proposed a formal motion that the Board Secretary
prepare a set of written procedures prior to the next meeting for
handling such actions as the coordination of Board position papers.
The Board agreed with this motion. (ACTION: Board Secretary)
Computer Security Staffing
Mr. McNulty provided the Board a short summary of the progress made
since the March meeting on studying the job classification of
individuals performing computer security duties in the federal
government. He presented the Board with copies of a draft study
and requested their comments on the report. It was the consensus of
the Board that no further action was required on this matter in the
foreseeable future.
Public Participation
No members of the public in attendance at this meeting accepted the
Chairman's invitation to address the Board on matters related to the
security and privacy of federal computer systems.
Fiscal Year 1992 Work Plan
The Chairman noted that it was time to develop a work plan for FY-92.
He requested volunteers to serve as an informal committee to develop a
work plan for the Board's consideration. The following individuals
volunteered to serve on this committee: Messrs. Lipner, Gallagher,
Walker, and Zeitler. The Board Secretary was asked to make the
appropriate arrangements so that the Work Plan committee could meet
and develop its suggestions for presentation at the September Board
meeting. (ACTION - BOARD SECRETARY)
September Meeting Topics
A brief discussion was held to determine topics which would be
desirable for the September meeting. Those mentioned included: NIST
reaction to the Board's recommendations regarding the NIST strategic
plan, ITSEC update, NSA/NIST trusted systems criteria work, software
engineering and reliability, CERT program briefing, and the draft
digital signature standard.
Closing
The meeting was adjourned at 2:45 p.m.
Attachments:
1) E-Mail Letter
2) NIST Program Letter
Lynn McNulty
Secretary
CERTIFIED as a true and accurate
summary of the meeting
Willis Ware
Chairman
AGENDA
Meeting of the
Computer System Security and Privacy Advisory Board
September 18-19, 1991
Stouffer Harborplace Hotel, Baltimore, Maryland
Wednesday September 18, 1991
1. Opening Remarks
9:00 Welcome
Lynn McNulty, Board Secretary
9:10 Remarks from the Chair
Willis Ware, Chairman
9:15 Review and Approval of Proposed Rules
Willis Ware
II. Privacy Issues
9:20 European Privacy Initiatives
Wayne Madsen
CSC Inc.
9:45 EC Privacy Initiative and the Impact upon International
Businesses
Bill Whitehurst
IBM, Inc.
10:15 Break
10:30 A U.S. Data Protection Board?
Bob Gellman
Subcommittee on Information, Justice and Agriculture, House
Government Operations Committee
11:15 Discussion
12:00 Lunch
III. NIST Update & Response
1:30 Response to the Board's Recommendation (Part B)
Stu Katzke
2:00 Digital Signature and Handbook Updates
Lynn McNulty
2:15 Agency Visit Updates
Jon Arneson
NIST
2:30 NIST/NSA Joint Strategic Plan
Stu Katzke (NIST), Gene Troy (NIST), and
Col. Ron Ross (NSA)
3:00 Discussion
3:30 Break
III. Board's Recommendations - NIST Program Plan
3:45 Review of "Part A" - Board's Recommendations Regarding
the NIST Strategic Program Plan
5:00 Recess
Thursday, September 19, 1991
V. Information Security Foundation
9:00 Information Security Foundation Update
Lynn McNulty
VI. Emergency Response - Part I
9:10 Overview
NIST's Role
Stu Katzke
9:15 CERT System - Panel Discussion
Rich Pethia
Carnegie-Mellon University
Gene Schultz
Lawrence Livermore National Laboratory
John Wack
NIST
10:30 Break
VII. Federal Technology Forecast
10:45 Robin Rather
Information Strategies Group, Inc.
11:45 Discussion
12:00 Lunch
VIII. Board's 1992 Work Plan
1:15 Report of Drafting Committee
Steve Walker
Public Participation (as required)
2:45 Agenda for December Meeting
2:55 Closing Remarks
3:00 Close
Next Meeting
December 10-11, 1991 (Tue./Wed.)
Marriott Hotel
Gaithersburg, Maryland
MINUTES OF THE
SEPTEMBER 18-19, 1991 MEETING OF THE
COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD
Wednesday, September 18, 1991
Call to Order
Dr. Willis Ware, Chairman of the Board, called the meeting to
order at 9:00 a.m. at the Stouffer Harbourplace Hotel in
Baltimore, Maryland. Members present were: Messrs. Cooper,
Gallagher, Zeitler, Colvin, Kuyers, Lipner and Walker. Mr. Lynn
McNulty, Board Secretary, announced that since the Board's last
meeting in June, Ms. Rhoda Mancher has resigned from the Board.
In consideration of the June Board minutes, Mr. Cooper moved that
they be accepted, which was seconded by Mr. Lipner. With no
objections, the minutes were approved. The Board then considered
adoption of draft operating procedures for bringing items to the
attention of the Board. (See Reference #1.) Mr. Zeitler moved
for their approval, which was seconded by Mr. Courtney. No
objections were interposed and the procedures were passed
unanimously.
Privacy Issues
Mr. Wayne Madsen of the Computer Sciences Corporation (NJ) and
author of a soon to be published book on privacy issues addressed
the Board on privacy developments worldwide. The views expressed
were his own and not necessarily those of his employer. (See
Reference #2.) He indicated that it is anticipated that all
members of the Council of Europe will pass privacy legislation by
1993. The use of identification numbers has caused a great deal
of grief and hesitation among European countries, particularly
those in Eastern Europe. In 1990, EC's Directorate General XIII
prepared a draft directive on personal data, which stated that
people own data about themselves. Businesses, therefore, cannot
share this data with each other. Much has been picked up by the
United Nations' draft guidelines for the regulation of
computerized personal datafiles. Mr. Madsen also reviewed
statutes and pending legislation in various other countries.
Finally, he discussed his recommendations for a U.S. data
protection authority.
Mr. William Whitehurst, Director of Data Security Programs, IBM,
presented an international business perspective on the EC
proposal. He began with an overview of the differences in
approaches to privacy of the U.S. vis-a-vis the EC. Next, the
goals and intent of the EC proposal and a spectrum of the types
of individual consent (from no consent through "opting out," to
specific written consent for each use) were presented. Mr.
Whitehurst displayed a Direct Marketing Association brochure for
Board review. The Electronic Mail Association has also recently
issued mail privacy guidelines for member organizations.
Consequences for businesses and individuals, including
inefficiencies and higher prices, also were discussed. He stressed
the need to balance society's legitimate needs and individual
privacy. Lastly, he presented
various approaches which have proven effective, including codes
of conduct, ethical behavior, competition, sectoral guidelines,
and voluntary guidelines.
Next, Mr. Bob Gellman of the Subcommittee on Information, Justice
and Agriculture, House Government Operations Committee, addressed
the Board. The views expressed were his own. Jurisdiction of
the Subcommittee extends over the Freedom of Information Act of
1974 and the Privacy Act of 1974. His primary concern is that
people should have some control over the use of their personal
information. The Subcommittee has introduced H.R. 685, the Data
Protection Act of 1991, which would establish a permanent,
independent, non-regulatory Data Protection Board (DPB). The DPB
would be comprised of three individuals and a staff of fifty,
minuscule by federal bureaucracy standards.
The DPB's jurisdiction would extend over three major areas: (1)
the federal government's own records, (2) private sector in an
"advisory only" capacity, and (3) international data protection
issues. The DPB could also be used for new technologies (e.g.,
video rentals). (See Reference #3 for the floor statement by
Congressman Wise upon introduction of the bill.) The DPB would
also be very useful in dealing with its European counterparts.
Mr. Gellman also noted that this is the first year that the U.S.
has sent a representative to the annual European meeting of data
protection commissioners.
A sunset provision is included in H.R. 685. However, it was
noted that there is virtually no chance of the bill's passage; it
is simply too controversial.
Mr. Gellman observed that while many companies have agreed to
follow the OECD privacy guidelines, there have been no changes in
firms' behavior. In fact, officials at many firms that have
signed the guidelines now disclaim knowledge of their firm's
approval. The Europeans are well aware of the need for
enforcement in this area. He believes that our privacy laws are
out-dated and that someone needs to champion this issue.
It now appears that the EC directive will be enforced through
contract provisions. This could lead to European initiated
"privacy audits" of U.S. firms.
Another bill before Congress is H.R. 2443 which is a series of
ten proposed amendments to the Privacy Act. One of these would
extend the Act's protections to foreigners, who are currently
excluded.
A discussion as to what the Advisory Board might contribute in
this area was held. No consensus emerged regarding the Advisory
Board's role in this issue. The Board will, however, continue to
monitor developments.
NIST Update & Response
The Board then turned its attention to the NIST security program.
Dr. Stuart Katzke, Chief of the Computer Security Division of
NIST's Computer Systems Laboratory, provided a response to the
Board on its recommendations, approved at the June meeting and
transmitted to Dr. Lyons, to refocus the computer security
strategic plan. He began with a brief introduction of the NIST
plan and the Board's recommended plan. He next reviewed each of
the Board's recommendations in turn and those elements of NIST's
plan which correspond to those recommendations. See Reference #4
for Dr. Katzke's briefing materials. He also reviewed two areas
in which the Board had made no recommendation in June: 1) CERT
(now FIRST) and 2) Agency Support and Assistance.
Mr. Lipner stated that while it was good that NIST has identified
with the Board's objectives, he was concerned that the existing
program plan has been forced into the Board's framework. He
would encourage NIST to sign up to the spirit of the Board's
recommendations. If that means shelving some tasks, so be it.
He indicated the need for NIST to look at the intent of the
Board's recommendations.
Next, Mr. McNulty provided the Board with an overview of the
draft Digital Signature standard (DSS). See Reference #5 for a
copy of his presentation materials. The Board expressed interest
in receiving a briefing as to NIST's plans for the supporting
infrastructure for the standard. (ACTION - SECRETARY)
Mr. Arneson provided the Board with an update of the agency
computer security visits by OMB, NIST, and NSA. Little activity
has taken place since the briefing to the Board in June. The
Board expressed the desire to receive a copy of a typical letter
from OMB to the agency informing them of the upcoming visit.
(ACTION - SECRETARY) Dr. Ware suggested that agency visits be
held every two years.
Next, Dr. Katzke introduced Col. Ron Ross of NSA and Mr. Gene
Troy of NIST who presented a briefing on the Joint INFOSEC
Criteria effort. (See Reference #6.) Mr. Walker indicated that
their plan was a good crystallization of a program plan. Mr.
Gallagher asked if the Board would follow the plan's implementation
to see how tasks measured up to the promised milestones. Mr.
Walker asked for the fall 1991 products to be sent to the Board
prior to the December meeting and an update in December. (ACTION
- SECRETARY) It was agreed that they would be provided to the
Board prior to the December meeting if completed for public
review by that time. The Chairman noted the Board's generally
positive preliminary response to the program plan.
The Board then continued with its discussion of the draft document
"A Context for the NIST Computer Security Program," referred to as
"Part A." A long discussion was held over the last paragraph of
section four. Mr. Lipner stated that there was a lot of discussion
via electronic mail regarding the need for a smooth seam between B1
and B2, i.e., the NIST and NSA areas of responsibility,
respectively. The Board discussed the need for such compatibility.
After more discussions, substitute language was proposed. Mr.
Lipner motioned to accept the substitute language. No objections
were raised and the draft recommendation was amended. Mr. Walker
moved to accept the entire document and forward it to Dr. Lyons. Mr.
Zeitler seconded the motion, which passed unanimously. (See
Reference #7.)
The Board recessed for the day.
Thursday, September 19, 1991
Information Security Foundation
With a quorum present, the Board opened its business at 9:00 a.m.
with an update report from Mr. McNulty on the creation of the
Information Security Foundation (ISF). The creation of the ISF was
recommended by the National Research Council report, Computers at
Risk. A meeting, coordinated by ADAPSO, was held on June 25, 1991
and attended by 20-25 people. Organizations in the forefront of
this activity include: SRI, ADAPSO, MITRE, and ISSA. A number of
subcommittees were formed to look at each of the report's chapters.
The next meeting will be held on September 30, 1991 to examine the
subcommittees' recommendations. It was noted that there does not
appear to be a formal agreement to proceed any further at this
point.
Dr. Ware inquired as to NIST's view of the ISF. Mr. Burrows
indicated that it was not viewed as a competitor and that there was
little chance of it receiving government funding. One major problem
in getting the ISF up and running is that users are not willing to
pay up-front costs for security. A discussion of the necessity of
the ISF vis-a-vis the NIST criteria effort ensued. Mr. McNulty
asserted that the ISF has not yet reached critical mass.
Emergency Response
A panel, composed of Mr. John Wack of NIST, Mr. Eugene Schultz of
Lawrence Livermore National Laboratory, and Mr. Rich Pethia
(Carnegie-Mellon University) addressed activities in the CERT arena,
now called Forum of Incident Response and Security Teams (FIRST).
Mr. Wack reviewed NIST's central coordination role under FIRST. (See
Reference #8.) Next, Mr. Rich Pethia of the CERT Coordination Center
at Carnegie-Mellon University which serves the Internet Community,
addressed the Board. Internet now has over 500,000 hosts, is
growing at 10% per month, and is international in scope. His review
of security incidents stressed that while the actual frequency of
incidents may not be up, the reporting rate has clearly increased.
A lot of the problems seen by the CERTs would be corrected by two
things: 1) better account management, and 2) better out-of-the-box
system configurations by vendors (i.e., systems automatically set in
the most secure, rather than the least secure mode). Dr. Ware asked
about the apparent lack of civil government presence in the FIRST
effort. Mr. Pethia stated that NIST is ideally situated to prod
civil agencies to get involved. (See Reference #9.)
Mr. Gene Schultz, of the Computer Incident Advisory Capability
(CIAC), Lawrence Livermore National Laboratory, presented an
overview of the DoE CIAC. He reviewed DoE's sponsorship, reasons
for the CIAC's formation, its charter, and other agencies and teams
with which CIAC coordinates. He then focused on the national
response to incidents. There is no single point of contact with the
U.S. Government, no established mechanism for cooperation between
government communities and a lack of coordination efforts. Mr.
Colvin stressed the role of the Inspector General community to
assist this effort. Mr. Schultz emphasized the need for uniform
computer security standards for federal internet computer systems.
He then provided possible areas for the expansion of NIST's role.
(See Reference #10.)
Mr. McNulty noted that the Board has heard from agencies which are
leaders in emergency response capabilities. He noted that it would
be useful for the Board to hear from other, primarily civilian,
government agencies regarding their efforts to develop CERT-type
capabilities. Mr. McNulty offered to collect information regarding
the status of the other agencies and to have these results presented
at the next Board meeting. The Board agreed to take advantage of
this offer. (ACTION - SECRETARY)
Future Technologies
Ms. Robin Rather of the Information Strategies Group (ISG), Inc.
(VA), presented an overview of emerging technologies. The paradox
which is inherent in rapid change is impatience versus intolerance
for rapid change. She noted that 90% of the people who were using
computers in 1990 were not using them in 1980. Factors used by ISG
to determine high impact technologies include: 1) 30% - 50% growth
per year, and 2) demonstrated user benefits. ISG receives the most
inquiries per month on wireless LANs, videoconferencing, and U.S.
federal GIS spending. Major technical gaps which must be filled in
the move toward true multimedia include interoperability, network
management and integration, and software and hardware synergy. She
noted that "the jury is still out" on ISDN, outsourcing, and AI.
(See Reference #11.)
Board's 1992 Work Plan
The Board's draft work plan for 1992, coordinated by Mr. Walker, was
considered by the Board. Changes were suggested and it was agreed
that the plan would be placed on the agenda for the December
meeting. (ACTION - SECRETARY)
Public Participation
Ms. Julie Smith from Logistics Management Institute offered to brief
the Board at its next meeting on EDI security and data
categorization.
December Board Meeting
Items identified for the December Board meeting included: a summary
of other agency CERT activities, an update on the NIST/OMB/NSA
visits, digital signature infrastructure briefing, FIPS 140-1 short
technical briefing, a short ISF update, an OMB A-130 rewrite update,
LAN security (perhaps Ms. Rather), a briefing from a major software
house on application security, and Ms. Smith from LMI on EDI
security and data categorization.
Closing
Dr. Ware noted that, as this was the last meeting of FY-91, the
appointments of Messrs. Cooper and Courtney had expired. Their
valuable contribution to the Board will be missed.
The meeting was adjourned at 12:10 p.m.
References
Note: References are not included as attachments to the
minutes, but are maintained on file with the Secretariat.
#1 - Procedures
#2 - Wayne Madsen's presentation
#3 - Wise floor statement
#4 - Dr. Katzke's presentation
#5 - DSS Briefing
#6 - Ross/Troy Criteria briefing
#7 - Part A (Final, as passed)
#8 - Wack presentation
#9 - Pethia presentation
#10 - Schultz presentation
#11 - Rather Presentation
Lynn McNulty
Secretary
CERTIFIED as a true and accurate
summary of the meeting
Willis Ware
Chairman
AGENDA
Meeting of the
Computer System Security and Privacy Advisory Board
December 10-11, 1991
Marriott Hotel, Gaithersburg, Maryland
Tuesday, December 10, 1991
I. Opening Remarks
9:00 Welcome & Update
Lynn McNulty, Board Secretary
9:10 Remarks from the Chair & Review and Approval of Minutes
Willis Ware, Chairman
9:15 Introductions
II. Paperwork Reduction Act and Its Relationship to OMB Circular
A-130
9:20 Peter Weiss
Senior Management Analyst
Office of Management and Budget
and
Ed Springer
Senior Management Analyst
Office of Management and Budget
III. Information Security Foundation
9:45 International Information Security Foundation
Cris Castro
SRI
10:00 Discussion
10:15 Break
IV. Emergency Response
10:30 Security Incident Management at Digital Equipment Corp.
Steve Redfern
Digital Equipment Corporation
11:15 Review of Other CERT Activities
Lynn McNulty
11:30 Discussion
12:00 Lunch
V. NIST Updates
1:30 Agency Visits, Handbook
(NIST speakers)
1:40 Integrated OSI, ISDN and Security Program
Patricia Edfors
Program Manager, NIST
2:00 Trusted System FIPS Update
Col. Ron Ross, NSA
VI. Government Cryptographic Standards
2:30 FIPS 140-1 (draft) - Technical Overview
Miles Smid, NIST
3:15 Break
3:30 Digital Signature Update
Miles Smid, NIST
3:45 Discussion
4:00 Recess
Note: Cancellation of scheduled speaker has
resulted in a shorter session for today.
Wednesday, December 11, 1991
VII. Electronic Data Interchange Security
9:00 EDI Security - Panel
Julie Smith
Logistics Management Institute
Elaine Barker
NIST
Bob Campbell
Advanced Information Management, Inc.
Victor Hampel
Logistics Management Institute
10:15 Break
VIII. NIST Response to Board's Recommendations
10:30 NIST Response to Board Program Recommendations
James Burrows
Director, Computer Systems Laboratory, NIST
and
Stu Katzke
Chief, Computer Security Division, NIST
12:00 Lunch
IX. Board's 1992 Workplan
1:30 Discussion
X. Public Participation
2:15 Public Participation (as required)
XI. Wrap-up
2:45 Agenda for March Meeting
2:55 Closing Remarks
3:00 Close
Next Meeting
March 17-18, 1992 (Tue./Wed.)
Sheraton Inner Harbor Hotel
Baltimore, Maryland
MINUTES OF THE
DECEMBER 10-11, 1991 MEETING OF THE
COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD
December 10, 1991
Call to Order
Dr. Willis Ware, Chairman of the Board, called the meeting to
order at 9:00 a.m. at the Marriott Hotel in Gaithersburg,
Maryland. Members present were: Castro, Gallagher, Wills,
Gangemi, Philcox, Zeitler, Colvin, Rand, Kuyers, Lipner and
Walker. The Chairman and Mr. Lynn McNulty, Board Secretary,
welcomed the four new Board members whom the Director of NIST had
appointed since the September meeting.
In consideration of the September Board minutes, Mr. Kuyers moved
that they be accepted, which was seconded by Mr. Wills. No
objections were raised and the minutes were accepted unanimously.
International Information Security Foundation (IISF)
Mr. Cris Castro briefed the Board on a meeting held December 5-6,
1991 in San Antonio, sponsored by ADAPSO, to look at the
formation of an IISF. Progress has been slow since the call for
the formation of such a group in the National Research Council
Report, Computers at Risk. Approximately five meetings have been
held to examine the viability of forming an IISF. Among those
participating organizations, ADAPSO has been the most visible.
SRI (Mr. Castro's employer) made presentations at several
meetings of an approach to an IISF. SRI sent letters to the
Fortune 200 companies asking for contributions ($10,000) for seed
funding for the organization. Approximately 19 contributions
have been received to date. SRI's very modest approach to the
creation of an IISF does not include performing security
certifications. He also noted that a funding level of
approximately one-half to three-quarters of a million dollars is
needed for the IISF to be of interest to SRI management.
Mr. Whitehurst of IBM, who was in attendance at the meeting, also
provided the Board with his insights into the meeting in San
Antonio. In particular he noted the meeting's recommendation
that the scope of the IISF be reduced.
The Chairman asked Mr. Castro to keep the Board informed of IISF
developments at future meetings. (ACTION - SECRETARY and MR.
CASTRO)
Re-Write of OMB Circular A-130
Mr. Peter Weiss, Senior Management Analyst, Office of Management
and Budget (OMB), discussed the framework for policies of OMB
Circular A-130. A whole range of issues related to the Paperwork
Reduction Act are under discussion; for example, Circular A-3 on
government publications and Circular A-114 on audio-visual
materials. Additionally, the Congress is currently revising the
Paperwork Reduction Act and OMB hopes to incorporate concepts
from this revision in the revised Circular.
Marginal cost of data sharing, for example, may be incorporated
under the general rule that the government should not use the
sale of information for revenue purposes. Records management,
archival issues, new technology's influences on collection and
dissemination are all issues which will be dealt with during the
first phase of the rewrite of the Circular. During the second
phase, issues such as information technology management,
strategic planning, IRM investment, how OMB will review budget
requests, and computer security will be examined.
Mr. Ed Springer, Senior Management Analyst, OMB, then provided
the Board with a review of Appendix III, to Circular A-130
dealing specifically with computer security. There are three main
thrusts to the current Appendix: application/user security,
personnel security, and installation security. Following this
review, issues to be included in the review were briefly
discussed, including: the requirements of the Computer Security
Act of 1987, NIST guidelines, and amending the definition of
sensitive information to be consistent with the Act. It is his
desire to have a draft of the document available for comment by
early Spring. It was also noted that the Federal Computer
Security Program Managers Forum plans to provide input to OMB
regarding the security-relevant aspects of the rewrite.
Emergency Response
Mr. Steve Redfern, Digital Equipment Corporation (DEC), provided
an overview of security incident management at DEC. Two separate
issues were addressed in his presentation (Reference #1): 1) how
DEC corrects problems with its software products and distributes
those corrections and 2) how DEC responds to internal attacks of
malicious software. During the discussion session following the
formal presentation, he stressed the importance of communication
in being able to respond effectively to such incidents. Mr.
Walker asked about the scope of the problem at DEC. Mr. Redfern
replied that approximately 60 incidents were qualified as
"significant" and handled during 1990. Mr. Burrows inquired
whether an increasing number of DEC customers were asking to be
notified as soon as DEC heard of a potential problem. Mr. Redfern
replied that the information is held close until a fix is ready
for distribution.
In reviewing CERT-type activities in the federal government, Mr.
McNulty relayed that Ms. Kathie Everhart at NIST had been
contacting non-DoD federal agencies to determine whether they had
formalized a CERT-type structure. Unfortunately, other than
those identified at the September meeting, no other non-DoD
formal structures could be located during this informal survey.
Two of the federal Board members were asked what they do to
respond to incidents. They indicated that such incidents were
dealt with individually, with the appropriate people notified and
participating as necessary in each situation. Discussions
identified one main source of virus infections to be the transfer
of diskettes from the home to office.
Dr. Ware asked the members if there was sufficient interest in
drafting a letter to OMB on the emergency response issue. There
was an agreement that such a letter should be drafted. (As
discussed below, the draft letter was acted upon later in the
meeting.)
NIST Updates
Mr. McNulty provided the Board with a brief update on several
NIST activities of particular interest to the Board. The series
of OMB/NIST/NSA visits to senior agency management officials
continues. Ms. Rand noted that the visit to the U.S. Department
of Transportation was very helpful in getting senior officials to
focus on the issue for a substantial period. Mr. McNulty noted
that a report on the visit process was to be prepared and
completed in the Spring of 1992.
Next, he reviewed the progress NIST has made on the development
of the Computer Security Handbook, which was recommended by the
Board in its October 1990 letter to the Director of NIST.
Following an open, fully competitive procurement process, the
contract to write the Handbook was awarded in September 1991 to
Trusted Information Systems. Dr. Ware inquired whether a
delivery schedule is available for distribution to the Board. Mr.
McNulty answered that the outline and introduction were still
being debated within NIST, and once these were agreed upon, a
realistic delivery schedule could be prepared and delivered to
the Board. It is NIST's intention to make drafts of the Handbook
chapters available to the Board once NIST has cleared them
internally. It was suggested that the Handbook be placed on the
March agenda. (ACTION - SECRETARY)
Following this, Ms. Patricia Edfors, Program Manager of NIST's
Integrated OSI, ISDN and Security Program briefed the Board on
her program. (See Reference #2.) Dr. Ware noted that the first
overhead transparency implies that the government, industry and
academia are equal recipients of the program's products, while
the Computer Security Act of 1987 clearly directs NIST to do work
for the government. Ms. Edfors replied that her program conducts
research on items of potential interest to the government, which
are also often of interest to others as well. However, the
principal focus is meeting the government's needs.
Next Dr. Katzke, Chief of NIST's Computer Security Division,
provided the Board with an overview of the progress made under
the Joint NIST/NSA Strategic Plan for the development of Federal
Information Processing Standards (FIPS) for Trusted Systems
Technology. (See Reference #3.) He reviewed the near term
objectives for the program, which include the publication of
federal computer security criteria and the establishment by NIST
of an evaluation process for C2 enhanced operating systems. The
long term objectives as well as an explanation of the reasons for
the criteria development were also presented. Following Dr.
Katzke's overview, Col. Ron Ross of NSA provided the Board with a
more detailed status briefing of the federal criteria project,
which included the top-level goal, project objectives, projected
milestones and the status of each. In discussions which
followed, the Board noted the success of the project so far and
that they would like to receive updates at each meeting. (ACTION
- SECRETARY) Col. Ross said approximately 35 people are
participating in some capacity in this effort, equating to
approximately 10 people full-time equivalent. During discussions
which followed, Mr. Gallagher offered to have a briefing for the
Board on the integration of trusted products and work on the
Defense Intelligence Agency's compartmented mode workstation.
(ACTION - SECRETARY and MR. GALLAGHER)
Next, Mr. Miles Smid, Chief of the Computer Security Division's
Security Technology Group at NIST, presented a brief overview and
the technical specifications of the draft of FIPS 140-1, Security
Requirements for Cryptographic Modules. (See Reference #4.) In
response to a question from the Board, he noted that until FIPS
140-1 is approved, federal users could use either NSA endorsements
(no longer being performed) or accept vendor-written
self-certification of conformance. He hopes to have a new draft
of the document prepared in early 1992.
Mr. Smid then turned to the issue of the draft Digital Signature
Standard (DSS). (See Reference #5.) Of particular interest to
the Board was the extension of the public comment period and
summary of negative comments. Approximately 60 comments have
been received. Two observations were made: 1) the international
standards process will force the use of RSA; and 2) the DSS is
not salable outside the USA, particularly in light of the suspect
role of NSA. In a discussion of future actions, Mr. Burrows
noted that the patent issues remain to be resolved; the
application is still pending at the Patent and Trademark Office.
Mr. Walker requested that at the March meeting a sufficient
period of time (perhaps 2 hours) be set aside solely for
discussion of this issue. (ACTION - SECRETARY)
The Board then recessed for the day.
December 11, 1991
Security of Electronic Data Interchange
The day opened with a panel focused on the security issues of
Electronic Data Interchange (EDI). Panelists included: Ms. Julie
Smith of Logistics Management Institute (LMI), Ms. Elaine Barker
of NIST, Mr. Bob Campbell of Advanced Information Management,
Inc., and Mr. Viktor Hampel, a consultant to LMI.
Ms. Smith provided an overview of EDI security within the Department
of Defense, including: electronic commerce, security issues, and a
thorough review of their EDI risk assessment methodology. (See
Reference #6.) Next, Ms. Barker reviewed EDI security activities in
the voluntary standards community, including ANSI X12.58, X12.42, and
X9.17. (See Reference #7.) Mr. Bob Campbell followed with his
perspective as to the pressing requirements for EDI security. He
stressed that developments were moving such that the U.S. could be left
behind if it is not a leader in this area. Finally, Mr. Hampel
provided the Board with an update of IA's efforts to implement public-
key cryptography in EDI, including: modernization and data protection
in the Department of Defense, implementation of the draft DSS,
commercial interests, new requirements, and recommendations.
Mr. Walker inquired as to what the most important thing that the Board
could do to aid the development of EDI security.
Mr. Campbell replied that the Board could stress the need for urgent
action lest the world leave the U.S. behind, while Ms. Smith noted the
need for risk management guidelines, a clearer definition of
"sensitive," and the need for a digital signature algorithm. Ms.
Barker added that help was needed from interested, knowledgeable
individuals and organizations for the development of standards. Dr.
Ware thanked the panel and noted that the Board may wish to reexamine
the issue in a year or so.
NIST Response to Board's Recommendations
During this session NIST presented its response to the recommendations
made by the Board regarding a restructuring of the NIST computer
security program. Mr. James Burrows, Director of the Computer Systems
Laboratory (CSL), summarized each of the Board's recommendations and
NIST's actions to support each. (See
Reference #9.) Of particular interest was his call for the help
of the Board's industry members to provide him with updates of
Mr. Burrows with which is available to 14. (ACTION - MR. CASTRO)
In discussing product level security specifications, Mr. Burrows
stressed that this and testing suites were very expensive
undertakings, far in excess of the entire CSL computer security
program. Regarding the Board's recommendation that the principal
thrust of the NIST program should be to establish itself as the
preeminent authority in the field, he noted that such an undertaking
was a very expensive proposition. He said that he could keep his
people on the road full time, responding to requests for conference
and training session speakers, and noted the tradeoff between
appearance of leadership and actually producing useful materials.
Regarding exportable cryptography, he said that the federal agencies
were not influential enough to swing the issue; it would require
commitment on the part of the vendor and user communities.
Following this overview, Dr. Stu Katzke provided an overview of the
resources available for the computer security program for FY-91 and
FY-92 and their actual and planned expenditures, respectively. (See
Reference #10.)
The Board then discussed the NIST program, quickly focusing upon the
draft DSS issue. Statements were made by a number of Board members
that the DSS was a drain on NIST resources, inconsistent with
international standards, and not technically adequate without key
management functionality. A motion was made to 1) express the sense
of the Board that the DSS has grave problems and 2) to authorize and
direct the Chairman to raise the Board's concerns with the Director of
NIST. (See Reference #11.) Members voting in favor of the motion
were: Castro, Colvin, Gangemi, Kuyers, Lipner, Walker, Wills, and
Zeitler. Mr. Gallagher voted against the motion while Mr. Philcox and
Ms. Rand abstained. The same motion included an agreement that the
Board would develop a formal written position for consideration at the
March meeting. The Secretary agreed to coordinate a meeting between
the Chairman and the Director of NIST. (ACTION - SECRETARY)
Following the lunch break, the Secretary distributed two draft
letters to OMB Director Darman on: 1) the need for federal agencies to
establish formal emergency response capabilities, and 2) the
OMB/NIST/NSA agency visit process. Following brief modifications,
both letters were approved in open public session to be sent following
editorial corrections by the Secretary. (ACTION - SECRETARY) (See
References #12 & #13.)
Board's 1992 Workplan
The Board discussed its draft workplan for 1992, providing
considerable input to Mr. Walker and Mr. McNulty, who agreed to
develop a revised plan for coordination. (ACTION - SECRETARY and MR.
WALKER)
Further, it was agreed to ask the Secretary to verify clearances for
the Board members so that the classified Threat IV project could be
briefed at a future Board meeting. (ACTION - SECRETARY) Mr. Gallagher
offered use of one of his facilities for the briefings at the March
meeting (in Baltimore), if the clearance issue was resolved in time.
Messrs. Zeitler and Castro agreed to champion the issue of the Data
Encryption Standard (DES) Revalidation for a meeting in 1992. (ACTION
- MR. CASTRO and MR. ZEITLER) Further, Messrs. Lipner and Walker
agreed to coordinate the Public Key Cryptography issue for a 1992
meeting. (ACTION - MR. LIPNER and MR. WALKER)
Public Participation
Mr. Whitehurst provided the Board with a brief summary of the recent
OECD meeting on Privacy Guidelines to see how well the guidelines were
being implemented. Very few responses were received to an Australian
questionnaire sent to all firms which agreed to follow the guidelines.
The OECD will not develop more specific guidelines but will hold
annual meetings to examine progress made in implementing the
guidelines.
Mr. Wayne Madsen commended the Board on its decision to move privacy
to an action item in its workplan. He said that by January of 1993
the EC privacy directive will be in place which will prohibit the
transfer of privacy information to other countries without the same
level of protection. A U.S. delegation attended, which appeared to
primarily represent U.S. direct market merchants.
Dr. Sara Comley noted that no one in the U.S. government was
interested in the policy aspects of genetic privacy. The government
never sent representatives to international meetings of data
protectorates; she contacted the Assistant Director of the FBI, who
said INTERPOL was there but not any U.S. government representatives.
She believes that this issue needs a reassessment by the government
and is very concerned why no one is interested in privacy issues.
Wrapup
The meeting was adjourned at 3:00 p.m.
References
Note: References are not included as attachments to the
minutes, but are maintained on file with the Secretariat.
#1 - Redfern briefing
#2 - Edfors briefing
#3 - Ross briefing
#4 - Smid briefing (FIPS 140-1)
#5 - Smid briefing (DSS)
#6 - Smith briefing
#7 - Barker briefing
#8 - Hampel briefing
#9 - Advisory Board Recommendations
#10 - NIST Computer Security Program Areas
#11 - DSS Motion
#12 - CERT letter to Darman
#13 - Agency Visit Letter to Darman
Lynn McNulty
Secretary
CERTIFIED as a true and accurate
summary of the meeting
Willis Ware
Chairman