1994 ANNUAL REPORT OF THE COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD (CSSPAB)

TABLE OF CONTENTS

Executive Summary
I. Introduction
   Board's Establishment and Mission
   Board Charter
   Membership
II. Major Issues Discussed
   Escrowing Release/Program Procedures
   Alternative Key Escrow
   Security in the NII
III. Advisory Board Correspondence
   Exhibits
IV. Conclusions

LIST OF APPENDICES

A - Computer Security Act of 1987
B - Charter
C - March Agenda and Minutes
D - June Agenda and Minutes
E - September Agenda and Minutes
F - December Agenda and Minutes
G - Federal Register Notice

Executive Summary

This Annual Report documents activities of the National Computer System Security and Privacy Advisory Board during 1994, its sixth year. The Board, which met four times during the year, was established by Congress through the Computer Security Act of 1987 to identify emerging computer security and privacy issues. Dr. Willis Ware, of RAND, has served as Chairman of the Board since July of 1989.

During the year, the Board continued to review cryptography related issues. During 1994, the Escrowed Encryption Standard (EES) and the Digital Signature Standard (DSS) were approved as Federal Information Processing Standards (FIPS 185) and (FIPS 186) respectively. The Board heard briefings on escrowing release procedures, escrow program procedures, U.S.
export procedures, international cryptography proposals, international corporate key escrow, alternative key escrow approaches, and software-based key escrow encryption.

The Board was briefed on the National Computer Ethics & Responsibilities Campaign (NCERC), which included a series of initiatives coordinated over the course of 1994 and beyond. By way of Resolution 94-2 (see attachment), the Board applauded the activities of the NCERC and supported their efforts to make the ethical and responsible use of information technology a national priority. The Board also urged support of the NCERC's efforts.

Security issues with regard to Electronic Benefits Transfer (EBT), Electronic Messaging (e-mail), and the Internet were discussed throughout the year. EBT security concerns are similar to those found in other systems (e.g., physical and system access, personnel, network operations, point of sale terminal and card design, and equipment and system failure). Security and privacy were concerns in the governmentwide e-mail program. A Security Infrastructure Program Management Office was created under the General Services Administration that is responsible for ensuring that security is addressed in the e-mail program. Internet security incidents remain a concern with the advent of the Internet password sniffer. The sniffer/intruder looks for systems with uncorrected vulnerabilities, and installs a backdoor to the system.

The Board also continued to follow activities related to the Common Criteria (CC), which remains in draft form. Pieces of the International Standards Organization (ISO) document are in progress now, which will be removed and substituted with the October 1994 draft of the CC. [Comments on the CC will be reviewed and processed in March 1995.] The Board continued to examine the question as to whether there is a business case for setting up a Trusted Technology Assessment Program (TTAP).

I.
Introduction

Board's Establishment and Mission

The passage of the Computer Security Act of 1987 (P.L. 100-235, signed into law on January 8, 1988) established the Computer System Security and Privacy Advisory Board. The Board was created by Congress as a federal public advisory committee in order to:

- identify emerging managerial, technical, administrative, and physical issues relative to computer systems security and privacy.

Appendix A includes the text of the Computer Security Act of 1987, which includes specific provisions regarding the Board. The Act stipulates that the Board:

- advises the National Institute of Standards and Technology (NIST) and the Secretary of Commerce on security and privacy issues pertaining to federal computer systems; and
- reports its findings to the Secretary of Commerce, the Director of the Office of Management and Budget (OMB), the Director of the National Security Agency (NSA), and appropriate committees of Congress.

Board Charter

The Board was first chartered on May 31, 1988 and was re-chartered for a third time on March 24, 1994 by U.S. Department of Commerce Assistant Secretary for Administration Thomas Bloom. (See Appendix B for the text of the current charter.)

Consistent with the Computer Security Act of 1987, the Board's scope of authority extends only to those issues affecting the security and privacy of unclassified information in federal computer systems or those operated by contractors or state or local governments on behalf of the federal government. The Board's authority does not extend to private sector systems (except those operated to process information for the federal government), systems which process classified information, or Department of Defense unclassified systems related to military or intelligence missions as covered by the Warner Amendment (10 U.S.C. 2315).

Membership

The Board is composed of twelve computer security experts in addition to the Chairperson.
The twelve members are, by statute, drawn from three separate communities:

- four members from outside the Federal Government who are eminent in the computer or telecommunications industry, at least one of whom is representative of small or medium sized companies in such industries;
- four members from outside the Federal Government who are eminent in the fields of computer or telecommunications technology, or related disciplines, but who are not employed by or representative of a producer of computer or telecommunications equipment; and
- four members from the Federal Government who have computer systems management experience, including experience in computer systems security and privacy, at least one of whom shall be from the National Security Agency.

Currently, Dr. Willis H. Ware, a senior researcher of the Corporate Research Staff of RAND, serves as Chairman of the Board. He was appointed in July 1989. As of December 1994, the membership of the Board is as follows:

- Chairman
  Willis H. Ware, RAND
- Federal Members
  Charlie C. Baggett, Jr., National Security Agency
  Henry H. Philcox, Department of the Treasury, Internal Revenue Service
  Cynthia C. Rand, Department of Transportation
  Stephen A. Trodden, Department of Veterans Affairs
- Non-Federal, Non-Vendor
  Genevieve M. Burns, Monsanto Corporation (Member Designate)
  Cris R. Castro, KPMG Peat Marwick
  Sandra Lambert, Citibank
  Randolph Sanovic, Mobil Corporation (Member Designate)
- Non-Federal, Vendor
  Gaetano Gangemi, Wang Laboratories, Inc.
  Linda Vetter, Oracle Corporation (Member Designate)
  Stephen T. Walker, Trusted Information Systems, Inc.
  Bill Whitehurst, International Business Machines Corp.

In December of 1994, Ms. Cynthia Rand resigned from the Board, leaving a vacancy in the federal member category.

NIST's Associate Director for Computer Security, Mr. Lynn McNulty, serves as the Board's Executive Secretary and is the Designated Federal Official (DFO) under the Federal Advisory Committee Act.
The DFO is responsible for ensuring that the Board operates in accordance with applicable statutes and agency regulations. Additionally, the DFO must approve each meeting and its agenda. Through the Secretariat, NIST provides financial and logistical support to the Board as stipulated by the Computer Security Act of 1987.

II. Major Issues Discussed

The following section summarizes the discussions held by the Board in 1994. Additionally, the Board accomplishes much informal, non-decisional, background discussion and preparation for meetings by electronic mail between meetings. The Board's activities complement those of the individual Board members. (Note that the minutes and agenda from the March, June, September, and December meetings are included as Appendices C to F, respectively. The required Federal Register announcement notices for the meetings are presented in Appendix G.)

The work of the Board during 1994 was devoted to various topics related to security of federal unclassified automated information systems. Among the most important were:

- Cryptographic Key Escrowing Procedures
- Alternative Key Escrow
- Security in the National Information Infrastructure (NII)

Escrowing Release/Program Procedures

The Department of Justice briefed the Board on procedures for release of cryptographic key components, by the two escrow agents, to government agencies. The two escrow agents are the National Institute of Standards and Technology (NIST), of the Department of Commerce, and the Automated Systems Division of the Department of Treasury. The agents act under strict procedures that ensure the security of the key components and govern their release for use in conjunction with lawful wiretaps.

NIST discussed the procedures for the key escrow program.
Five federal agencies share a role in the key escrow program: (1) the Department of Justice is a sponsor and a family key agent that holds one of the components of the family key; (2) the Federal Bureau of Investigation is the initial law enforcement user and a family key agent that holds the other component of the family key; (3) NIST has a dual role as the program manager and a key escrow agent; (4) the Department of Treasury is a key escrow agent; and (5) the National Security Agency is the system developer that provides technical assistance.

Alternative Key Escrow

Bankers Trust presented some rationales for key escrow encryption for corporations, which fulfills management supervision and compliance duties, and reduces business risks. They maintain that the Bankers Trust system can meet both U.S. and European needs. Their system has been discussed with Canada, Britain, France, Singapore, and the U.S.; however, none of these countries have endorsed the system.

Trusted Information Systems, Inc. gave a demonstration and overview of their approach to software-based key escrow encryption. They said that software key escrow systems could be built that meet the objectives of law enforcement. They also said that variations of their software key escrow system can provide a commercial key escrow capability that will be very appealing to corporate and individual computer users. They believe that widespread use of corporate key escrow, in which corporations operate their own key escrow centers, and individual key escrow, in which bonded commercial key escrow centers provide a key retrieval capability for registered users, will better achieve the key escrow objectives of law enforcement than a government-operated key escrow system.

Security in the NII

Mr. Lynn McNulty, Executive Secretary, briefed the Board on how security is being addressed in the committee that the Administration has established to plan for the implementation of the National Information Infrastructure (NII).
The Board was advised that security was viewed as one of the several "cross cutting" issues that was not assigned to any single NII committee or working group. Rather, it was viewed as a concern that will be addressed by all of these groups in the context of their individual charters.

Mr. McNulty summarized a meeting that was held to address the subject of security in the NII. Participating in the meeting were a number of representatives of government components and inter-agency committees having a responsibility for information technology security for some segments of the federal government.

The Office of Management and Budget (OMB) discussed the federal role in the development of the NII, in particular, the government's role in stimulating competition for use, protecting law enforcement's abilities, and promoting appropriate security.

The Board was briefed on a public meeting that was held mid-year to discuss NII security. The NII Security Issues Forum was organized to provide a clear and direct means for the IITF to address security issues. A meeting was held and the public was invited to appear before the IITF and members of the NII Advisory Council to assess security needs and concerns of potential NII users.

III.
Advisory Board Correspondence

During 1994, the Board issued seven letters to:

1) the Director, Computer Systems Laboratory, NIST, with regard to NIST's Computer Security Program;
2) Senator Patrick Leahy, advising him of Chairman Ware's testimony to Congressman Valentine's House Subcommittee on Technology, Environment and Aviation, on the subjects of cryptography, Clipper, and the Digital Telephony bill;
3) the Director, NSA, regarding a resolution passed by the Board endorsing the National Performance Review objectives;
4) the Director, NIST, regarding the adopted resolution, which affirms the Board's concerns that several unresolved issues documented during the Board's three public hearings in 1993 on Clipper are still inadequately addressed;
5) the Director, NIST, regarding the adopted resolution, which underscores its continuing concern that major impediments remain in the way of widespread adoption of FIPS 186;
6) the Executive Director, Federal Electronic Benefits Transfer (EBT) Task Force, expressing their thanks for obtaining the Board's input on the Federal EBT Task Force security and privacy plan; and
7) the Office of Management and Budget, Office of Information and Regulatory Affairs, expressing their satisfaction with the presentation given by the Internal Revenue Service in regard to their planning for privacy and security issues in the Tax Systems Modernization program.

Exhibits

The Board's correspondence and replies (when received) are included in the following exhibits:

Exhibit I: Letter dated December 30, 1993, from Chairman Ware to Mr. James Burrows of NIST, expressing their support and endorsement of NIST's computer security program FY94.

Exhibit II: Letter dated March 25, 1994, from Executive Secretary McNulty to Mr. Peter S. Tippett, Director, Security & Enterprise Products, extending appreciation for their efforts to establish a National Computer Ethics and Responsibilities Campaign.
Exhibit III: Letter dated May 16, 1994, from Chairman Ware to Senator Patrick Leahy, Subcommittee on Technology and the Law, concerning Chairman Ware's testimony summarizing the activities of the Board in regard to Clipper.

Exhibit IV: Letter dated May 16, 1995, from Chairman Ware to Vice Admiral John McConnell, Director, National Security Agency, endorsing the National Performance Review objectives.

Exhibit V: Letter dated May 16, 1994, from Chairman Ware to Dr. Arati Prabhakar, Director, NIST, endorsing the National Performance Review objectives.

Exhibit VI: Answer from Raymond G. Kammer, Deputy Director, NIST.

Exhibit VII: Answer from Vice Admiral John McConnell, Director, National Security Agency.

Exhibit VIII: Letter dated June 22, 1994, from Chairman Ware to Dr. Arati Prabhakar, Director, NIST, concerning public hearings held by the Board in 1993 on Clipper.

Exhibit IX: Letter dated June 22, 1994, from Chairman Ware to Dr. Arati Prabhakar, Director, NIST, concerning the adoption of FIPS 186 and the patent issue.

Exhibit X: Letter dated October 6, 1994, from Chairman Ware to Mr. Jack Radzikowski, Executive Director, Federal Electronic Benefits Transfer (EBT) Task Force, with regard to the Board providing comments on the EBT security and privacy draft plan.

Exhibit XI: Letter dated October 21, 1994, from Chairman Ware to Ms. Sally Katzen, Office of Management and Budget, Office of Information and Regulatory Affairs, regarding the Internal Revenue Service's Tax Systems Modernization.

Exhibit XII: Answer from Margaret Milner Richardson, Department of the Treasury, Internal Revenue Service.

The National Computer System Security and Privacy Advisory Board
Established by the Computer Security Act of 1987

December 30, 1993

Mr. James H. Burrows
Director of Computer Systems Laboratory
Gaithersburg, MD 20899

Dear Jim,

At its recent meeting, the Computer System Security and Privacy Advisory Board was briefed by Dr. Stuart Katzke on his research plan for the coming fiscal year.
We responded very favorably to it and believe that it quite well meets the developing needs of the nation for computer and network security technology standards. Accordingly, we adopted the enclosed resolution (number 93-8) which expresses our support and endorsement of the plan.

We look forward to updates from time to time as the actual work unfolds and reaches fruition.

Sincerely,
/s/ Willis H. Ware
Chairman

Enclosure

CC: A. Prabhakar
    R. Kammer
    S. Katzke
    B. McConnell - OMB

Executive Secretariat: Computer Systems Laboratory
National Institute of Standards and Technology
Technology Building, Room B154, Gaithersburg, MD 20899
Telephone (301) 975-3240

COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD
RESOLUTION 93-8
December 8-9, 1993

The Board has reviewed the overall National Institute of Standards and Technology (NIST) Computer Security Program for FY94 and endorses this plan as a reasonable allocation of its limited Computer Security Program.

FOR: Castro, Gallagher, Gangemi, Kuyers, Rand, Walker, and Whitehurst
AGAINST: None
ABSTAIN: Lambert

THE NATIONAL COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD
Established by the Computer Security Act of 1987

March 25, 1994

Peter S. Tippett PhD., M.D.
Director, Security & Enterprise Products
SYMANTEC
2500 Broadway, Suite 200
Santa Monica, CA 90404-3063

Dear Dr. Tippett,

I would like to take this opportunity, on behalf of the Computer System Security and Privacy Advisory Board, to extend our appreciation for your presentation at the March 24, 1994 meeting regarding your efforts for a National Computer Ethics and Responsibilities Campaign (NCERC). Your presentation was well received by the Board, and we appreciate your interest and participation in the Board meeting.

You will be pleased to know that the Board passed a resolution (See attachment) during the March 24, 1994 meeting supporting the campaign effort and applauding the activities of the NCERC.
Sincerely,
/s/ Lynn McNulty

Attachment

COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD
RESOLUTION 94-2
MARCH 23 & 24, 1994

The Board applauds the activities of the National Computer Ethics and Responsibilities Campaign (NCERC). We support the NCERC's effort to make the ethical and responsible use of information technology a national priority, and we urge the National Institute of Standards and Technology and Congress to support the NCERC's efforts.

FOR: Gallagher, Gangemi, Lambert, Philcox, Rand, Trodden, Walker, and Whitehurst
AGAINST: None
ABSENT: Castro and Kuyers*

* Present at meeting, but not available for this vote.

The National Computer System Security and Privacy Advisory Board
Established by the Computer Security Act of 1987

May 16, 1994

Senator Patrick Leahy
Russell Senate Office Building
Washington, DC 20510-4502

Dear Senator Leahy:

During the morning of Wednesday, May 3, your Subcommittee on Technology and the Law held hearings on the subjects of cryptography, Clipper, and the Digital Telephony bill. The same afternoon a related hearing was held by Congressman Valentine's House Subcommittee on Technology, Environment and Aviation. For the latter, I, as the Chairman of the Computer System Security and Privacy Advisory Board, testified in behalf of the Board.

My testimony summarized the activities of the Board in regard to Clipper, and indicated its position on the matter. I have enclosed a copy of the written testimony for use by your Committee in considering this important policy issue. We, the Computer System Security and Privacy Advisory Board, can be available for further discussion should you desire.

For general information, I have also enclosed a copy of our 1993 Annual Report.

Sincerely,
/s/ Willis H.
Ware
Chairman

Encl: Testimony
      Annual Report

The National Computer System Security and Privacy Advisory Board
Established by the Computer Security Act of 1987

May 16, 1994

Vice Admiral John McConnell
Director
National Security Agency
9800 Savage Road
Fort George G. Meade, MD 20755-6000

Dear Vice Admiral McConnell:

Attached for your information is a resolution passed by the Board endorsing the National Performance Review (NPR) objectives. The Board is pleased that security and privacy are recognized as vital to the success of the NPR and National Information Infrastructure (NII). However, the Board urges that essential technologies not now available, such as a digital signature standard, be given special attention by all components of the executive branch.

We would welcome your reaction to our resolution.

Sincerely,
/s/ Willis H. Ware
Chairman

Attachment

Identical letter sent to Honorable Leon E. Panetta, OMB

COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD
RESOLUTION 94-1
March 23-24, 1994

The Board endorses the National Performance Review (NPR) objectives for a more efficient and effective government through the use of information technology. The Board is encouraged that government briefers acknowledge that security and privacy are vital to the success of the NPR and to the National Information Infrastructure (NII).

Unfortunately, progress on essential parts of the security architecture necessary for the NII appears to be very slow. Among these, the lack of a Digital Signature Standard risks the success and acceptance of the NII.
The Board urges that critical technologies, such as digital signature, be given special attention by all components of the executive branch to quickly resolve the technical, legal, and infrastructure issues so that the NII and other vital government and industrial initiatives can proceed expeditiously.

FOR: Gallagher, Gangemi, Lambert, Philcox, Rand, Trodden, Walker, and Whitehurst
AGAINST: None
ABSENT: Castro and Kuyers*

* Present at meeting, but not available for this vote.

The National Computer System Security and Privacy Advisory Board
Established by the Computer Security Act of 1987

May 16, 1994

Dr. Arati Prabhakar
Director
National Institute of Standards and Technology
Gaithersburg, MD 20899

Dr. Prabhakar:

Attached for your information is a resolution passed by the Board endorsing the National Performance Review (NPR) objectives. The Board is pleased that security and privacy are recognized as vital to the success of the NPR and to the National Information Infrastructure (NII). However, the Board urges that essential technologies not now available, such as a digital signature standard, be given special attention by all components of the executive branch.

We would welcome your reaction to our resolution.

Sincerely,
/s/ Willis H. Ware
Chairman

Attachment

COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD
RESOLUTION 94-1
March 23-24, 1994

The Board endorses the National Performance Review (NPR) objectives for a more efficient and effective government through the use of information technology. The Board is encouraged that government briefers acknowledge that security and privacy are vital to the success of the NPR and to the National Information Infrastructure (NII).
Unfortunately, progress on essential parts of the security architecture necessary for the NII appears to be very slow. Among these, the lack of a Digital Signature Standard risks the success and acceptance of the NII.

The Board urges that critical technologies, such as digital signature, be given special attention by all components of the executive branch to quickly resolve the technical, legal, and infrastructure issues so that the NII and other vital government and industrial initiatives can proceed expeditiously.

FOR: Gallagher, Gangemi, Lambert, Philcox, Rand, Trodden, Walker, and Whitehurst
AGAINST: None
ABSENT: Castro and Kuyers*

* Present at meeting, but not available for this vote.

UNITED STATES DEPARTMENT OF COMMERCE
National Institute of Standards and Technology

May 24, 1994

Willis H. Ware, PhD
Chairman, Computer System Security and Privacy Advisory Board
The Rand Corporation
1700 Main Street
P.O. Box 2138
Santa Monica, CA 90406-2138

Dear Dr. Ware:

I am pleased to inform you that on May 19, 1994, NIST announced the Secretary of Commerce's approval of Federal Information Processing Standard (FIPS) 186, Digital Signature Standard. I believe this addresses the issues raised by the Board in its recent resolution regarding the need for such a federal standard and the important role it is expected to play in the National Information Infrastructure.

I have enclosed a copy of FIPS 186 for your information. We look forward to its widespread use by federal agencies as they take advantage of potential cost savings through Electronic Commerce and Electronic Data Interchange.

Also, let me thank you for the opportunity to appear before the Board at its March meeting to brief the members on the voluntary key escrow encryption initiative. I look forward to further communications from the Board.

Sincerely,
/s/ Raymond G. Kammer
Deputy Director

Enclosure (FIPS 186)

NATIONAL SECURITY AGENCY
FORT GEORGE G. MEADE, MARYLAND 20755-6000

20 June 1991

Dr.
Willis Ware
Chairman, National Computer System Security and Privacy Advisory Board
National Institute of Standards and Technology
Technology Building 225, Room B154
Gaithersburg, MD 20899

Dear Dr. Ware:

Thank you for your letter of May 16 advising us of the Computer System Security and Privacy Advisory Board's (CSSPAB) endorsement of National Performance Review (NPR) objectives. We, too, are pleased that security and privacy are recognized as vital aspects of the NPR and emerging National Information Infrastructure (NII).

We will continue to lend our experience and knowledge to the pursuit of security and privacy solutions for the NII. The recently established Digital Signature Standard (DSS) is just one of many information protection tools that can reduce data abuse. Other vital services will include mechanisms to assure data integrity, availability, and confidentiality. We are prepared to help integrate all of these capabilities into the NII architecture.

We believe it is imperative that information be sufficiently protected, and our citizens' right to privacy be maintained, as the NII evolves. Thus, we are fully committed to taking whatever steps are necessary to quickly resolve technical, legal, and infrastructure problems.

We appreciate your update on CSSPAB deliberations, and the opportunity to state our views on this important issue.

/s/ J. M. McConnell
Vice Admiral, U.S. Navy
Director, NSA

Copy Furnished:
Mr. Lynn McNulty
Executive Secretary, CSSPAB
NIS

The National Computer System Security and Privacy Advisory Board
Established by the Computer Security Act of 1987

June 22, 1994

Dr. Arati Prabhakar
Director
National Institute of Standards and Technology
Gaithersburg, MD 20899

Dear Dr.
Prabhakar:

The Computer System Security and Privacy Advisory Board (CSSPAB) is directed under the Computer Security Act of 1987 to identify emerging public policy issues related to information, computers and communications technology; and to bring them to the attention of national decision makers for consideration.

At its June 1-2, 1994 meeting, the CSSPAB adopted Resolution 94-3 which reaffirms the Board's concerns that several unresolved issues documented during the Board's three public hearings in 1993 on Clipper are still inadequately addressed. The Resolution 94-3 raises no new issues but does restate the Board position that failure of the government to properly resolve many issues collateral to Clipper and Capstone can lead to the adoption of a costly and ineffective system which will not achieve its objectives of solving the law enforcement problem and of providing a practical solution to the unclassified encryption needs of the United States.

If you would like further clarification of this action or wish to discuss it, please feel free to contact me.

Sincerely,
/s/ Willis H. Ware
Chairman

Enclosures

cc: Leon Panetta - OMB
    Ray Mislock - NSC

Identical letter sent to:
Vice Admiral John M. McConnell
Director, National Security Agency

COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD
RESOLUTION 94-3
June 1-2, 1994

The Board is concerned by the announcement of February 4, 1994 that the Government plans to proceed with the Clipper key escrow initiative. In particular, it is uncertain that the Clipper/Capstone key escrow initiative will provide a practical solution to the unclassified encryption needs of the United States or solve the law enforcement issue.

Although some progress has been made, many of the concerns stated in the Board's September 1993 resolution (Number 93-5) remain valid.
The Board cautions that unless these concerns are resolved, the Government's continued adherence to the Clipper/Capstone key escrow approach risks a costly and ineffective system which will not achieve its objectives.

Motion Approved:
FOR: Castro, Lambert, Kuyers, Philcox, Rand, Trodden, Walker, Whitehurst
AGAINST: Gallagher
ABSTAIN: None
ABSENT: Gangemi

COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD
RESOLUTION 93-5
September 1-2, 1993

Subsequent to the June 2-4, 1993 meeting of the CSSPAB, the Board has held an additional 4 days of public hearings and has collected additional public input. The clear message is that the preliminary concerns stated in Resolution 1 of that date have been confirmed as serious concerns which need to be resolved. Public input has heightened the concerns of the Board to the following issues:

- A convincing statement of the problem that Clipper attempts to solve has not been provided.
- Export and import controls over cryptographic products must be reviewed. Based upon data compiled from U.S. and international vendors, current controls are negatively impacting U.S. competitiveness in the world market and are not inhibiting the foreign production and use of cryptography (DES and RSA).
- The Clipper/Capstone proposal does not address the needs of the software industry, which is a critical and significant component of the National Information Infrastructure and the U.S. economy.
- Additional DES encryption alternative and key management alternatives should be considered since there is a significant installed base.
- The individuals reviewing the Skipjack algorithm and key management system must be given an appropriate time period and environment in which to perform a thorough review. This review must address the escrow scheme to allow it to be fully understood by the general public.
- Sufficient information must be provided on the proposed key escrow scheme to allow it to be fully understood by the general public.
- Further development and consideration of alternatives to the key escrow scheme need to be considered, e.g., three "escrow" entities, one of which is a non-government agency, and a software based solution.
- The economic implications for the Clipper/Capstone have not been examined. These costs go beyond the vendor cost of the chip and include such factors as customer installation, maintenance, administration, chip replacement, integration and interfacing, government escrow system costs, etc.
- Legal issues raised by the proposal must be reviewed.
- Congress, as well as the Administration, should play a role in the conduct and approval of the results of the review.

Moreover, the following are additional concerns of the Board:

- Implementation of the Clipper initiative may negatively impact the availability of cost-effective security products to the U.S. Government and the private sector; and
- Clipper products may not be marketable or usable worldwide.

FOR: Castro, Gangemi, Lambert, Lipner, Kuyers, Philcox, Rand, Walker, Whitehurst, and Zeitler
AGAINST: none
ABSTAIN: Gallagher
ABSENT: Colvin

The National Computer System Security and Privacy Advisory Board
Established by the Computer Security Act of 1987

June 22, 1994

Dr. Arati Prabhakar
Director
National Institute of Standards and Technology
Gaithersburg, MD 20899

Dear Dr. Prabhakar:

The Computer System Security and Privacy Advisory Board (CSSPAB) is directed under the Computer Security Act of 1987 to identify emerging public policy issues related to information, computers and communications technology; and to bring them to the attention of national decision makers for consideration.

At its June 1-2, 1994 meeting, the CSSPAB adopted Resolution 94-4 which underscores its continuing concern that major impediments remain in the way of widespread adoption of FIPS 186. In particular, the unresolved patent infringement issue which is commonly believed to still be a risk will deter widespread adoption of FIPS 186.
In addition, the lack of a certificate and key-management infrastructure will effectively negate any practical use of FIPS 186 even if the patent situation is resolved. The Board urges NIST's prompt attention to both.

If you would like further clarification of this action or wish to discuss it, please feel free to contact me.

Sincerely,

/s/

Willis H. Ware
Chairman

Enclosure

cc: John McConnell - NSA
    Leon Panetta - OMB

Identical letter sent to:
Honorable Ronald Brown
Department of Commerce

Executive Secretariat: Computer Systems Laboratory
National Institute of Standards and Technology
Technology Building, Room B154, Gaithersburg, MD 20899
Telephone (301) 975-3240

COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD

RESOLUTION 94-4
June 1-2, 1994

The federal government has recently approved a digital signature standard (DSS), through the promulgation of FIPS 186. The Board supports the principle that such a capability should be available to all parties on a royalty free basis.

The Board remains concerned that there are impediments to the availability and use of the DSS. These impediments include the risk of potential patent infringement and the lack of certificate and key management infrastructures.

Motion Approved.

FOR: Castro, Gallagher, Lambert, Kuyers, Philcox, Rand, Trodden, Walker, Whitehurst
AGAINST: None
ABSTAIN: None
ABSENT: Gangemi

FEDERAL ELECTRONIC BENEFITS TRANSFER TASK FORCE
300 7th Street, S.W., Suite 501
Washington, D.C. 20024

Isabel Sawhill, Chair
Associate Director for Human Resources
Office of Management and Budget

Ellen Haas, Vice Chair
Assistant Secretary for Food and Consumer Service
Department of Agriculture

Kenneth Apfel, Vice Chair
Assistant Secretary for Management and Budget
Department of Health and Services

Jack Radzikowski
Executive Director

September 23, 1994

Mr. Willis H. Ware
Chair, Computer Systems Security and Privacy Advisory Board
C/O F. Lynn McNulty, Executive Secretary
Bldg. 225, Room B154
Gaithersburg, Md 20899

Dear Chairman Ware,

I wanted to thank you and the other members of the Computer Systems Security and Privacy Advisory Board for the opportunity to address you on September 14. I hope that the overview of Vice President Al Gore's plan for a nationwide Electronic Benefits Transfer (EBT) system was helpful to the Board. Our discussion was useful in focusing on the importance of security and privacy issues.

As I mentioned during my presentation, staff of the Federal EBT Task Force are currently preparing a security and privacy plan, which will delineate the specific issues which must be addressed, and describe the action steps that will be taken to ensure system security and privacy as we implement nationwide EBT. I wish that the plan had been completed before the board meeting, so that I could have shared it with you.

Nevertheless, your meeting occurred at a timely moment. We have the opportunity to secure the Board's input as we finalize the security and privacy plan. In order to facilitate this process, I would appreciate your designation of an individual who could act as a liaison between the Board and the Federal EBT Task Force. In this way, we can assure that the Board can provide timely input.

Once again, thank you for the opportunity to discuss our implementation strategy. I hope that you and the other members of the board will feel free to contact me if you have additional questions. I look forward to working with you to assure that the nationwide EBT system satisfies all appropriate security and privacy requirements while providing cash and food program benefits in a safe, timely and cost-effective manner. I can be reached at (202) 690-0180.
Sincerely,

/s/

Jack Radzikowski
Executive Director

The National Computer System Security and Privacy Advisory Board
Established by the Computer Security Act of 1987

October 6, 1994

Mr. Jack Radzikowski
Executive Director
Federal Electronic Benefits Transfer Task Force
300 7th St., SW, Suite 501
Washington, DC 20024

Dear Mr. Radzikowski:

Thank you for your recent letter expressing your interest in obtaining the Board's input on the Federal EBT Task Force security and privacy plan. The Board would be pleased to provide you comments, as appropriate, on your draft when it becomes available. Mr. Lynn McNulty, the Board's Executive Secretary, can serve as the Board's liaison to the Federal EBT Task Force in this matter. Lynn can be contacted on (301) 975-3241.

The Board appreciates your presentation at our last meeting and looks forward to seeing your draft plan.

Sincerely,

/s/

Willis H. Ware, PhD
Chairman

Executive Secretariat: Computer Systems Laboratory
National Institute of Standards and Technology
Technology Building, Room B154, Gaithersburg, MD 20899
Telephone (301) 975-3240

The National Computer System Security and Privacy Advisory Board
Established by the Computer Security Act of 1987

October 21, 1994

The Honorable Sally Katzen
Office of Management and Budget
Office of Information and Regulatory Affairs
Old Executive Office Building, Room 350
17th Street & Pennsylvania Ave., N.W.
Washington, DC 20503

Dear Ms. Katzen:

The Computer System Security and Privacy Advisory Board (CSSPAB) is directed under the Computer Security Act of 1987 to identify emerging public policy issues related to information, computers and communications technology; and to bring them to the attention of national decision makers for consideration.

The Board was exceptionally pleased with the presentation given by Mr. Henry Philcox at our September meeting in regard to IRS's planning for privacy and security issues inherent in the Tax System Modernization (TSM).
It is clear that the IRS takes these matters very seriously, is staffed with appropriate people to handle them, and is moving generally in the right direction toward final planning and implementation of the TSM. We want to say also that we value his participation as a Federal member of the CSSPAB.

The Board commends the IRS, and Mr. Philcox especially, for its progress and achievement to date. We look forward to hearing from time to time of additional progress.

Sincerely,

/s/

Willis H. Ware, PhD
Chairman

CC: Honorable John Conyers, Jr.
    Honorable John Glenn

Executive Secretariat: Computer Systems Laboratory
National Institute of Standards and Technology
Technology Building, Room B154, Gaithersburg, MD 20899
Telephone (301) 975-3240

DEPARTMENT OF THE TREASURY
INTERNAL REVENUE SERVICE
WASHINGTON, D.C. 20224

January 11, 1995

Dr. Willis H. Ware
Chairman, The National Computer System Security and Privacy Advisory Board
National Institute of Standards and Technology
Technology Building, Room B154
Gaithersburg, Maryland 20899

Dear Dr. Ware:

Thank you for taking the time to write to Sally Katzen at OMB to compliment the presentation given to your Board by Hank Philcox, IRS's Chief Information Officer. I appreciate your support and understanding of the difficult challenges we are facing at the Internal Revenue Service as we work to modernize our tax processing systems.

We are fortunate to have someone of Hank's talent available to help with the design and delivery of a quality tax administration system to the nation's taxpayers, and I know he also greatly appreciated your letter.

Best wishes.

Sincerely,

/s/

Margaret Milner Richardson

cc: Hank Philcox

IV. Conclusions

During 1994, the Computer System Security and Privacy Advisory Board held four meetings to look at important security issues involved with federal computer systems, and in particular, the National Information Infrastructure.
The Board also followed cryptographic-related activities, including the issuance of the Digital Signature Standard (DSS, FIPS 186) and the Clipper/Capstone Key Escrow initiative, and the pursuit of other key escrow approaches. The Board expressed its concern with the viability of the Clipper/Capstone initiative, and the need for clarification of the DSS patent situation and the need for a supporting infrastructure. The Board also continued to track the development of the Common Criteria.

The Board plans to continue to address the items identified in their 1994 work plan in 1995, augmented as necessary as new issues arise.

Meeting of the
Computer System Security and Privacy Advisory Board
March 23-24, 1994
Hilton Hotel
Gaithersburg, MD

AGENDA

WEDNESDAY, MARCH 23, 1994

I. INTRODUCTION

9:00  Welcome
      Lynn McNulty, Board Secretary
9:10  Opening Remarks
      Dr. Willis Ware, Chairman

II. CRYPTOGRAPHIC UPDATE

9:15  Overview & Summary of February 4, 1994 Cryptographic Announcement & DSS Update
      Raymond G. Kammer, NIST Deputy Director
9:45  Discussion
10:15 BREAK

III. TECHNOLOGY BRIEFINGS

10:30 Briefing on Key Escrowing Release Procedures
      Geoff Greiveldinger, Department of Justice
11:00 Briefing on Escrow Program Procedures
      Miles Smid, NIST
11:30 Change in U.S. Export Procedures
      Rose Biancaniello, Department of State
12:00 LUNCH
1:30  International Cryptography Proposal
      Keith Klemba, HP AND Jim Schindler, HP
2:15  International Corporate Key Escrow
      Frank Sudia, V.P. Bankers Trust
2:45  iPower Technology Briefing
      John Jones, National Semi-Conductor
3:15  BREAK
3:30  Public Response to Clipper
      David Sobel, Legal Counsel, CPSR

IV. POLICY REVIEW

3:50  H.R. 3627, Amendment to the Export Administration Act of 1979
      Daniel Ebert, Legislative Assistant to Rep. Maria Cantwell, Washington St.
4:15  Briefing on Interagency Working Group
      Ray Mislock, NSC AND Mike Nelson, OSTP
4:45  Public Comment (max. 10 min.
per speaker - sign up in advance with secretary)
5:15  Discussion
5:30  RECESS

THURSDAY, MARCH 24, 1994

V. COMPUTER ETHICS

9:00  Briefing on the National Computer Ethics & Responsibilities Campaign
      Dr. Peter Tippett, The Computer Ethics Institute

VI. GOVERNMENT AND INTERNET SECURITY

9:30  Internet Security and Firewall Initiative
      John Wack, NIST
10:00 BREAK
10:15 Briefing on Internet Password Sniffer Incident
      Dain Gary, Software Engineering Institute
11:00 PANEL: Internet Security Issues for Agency Mission Systems
      Jaren Doherty, National Institutes of Health
      Bill Donovan, Federal Emergency Management Agency
      Tom Thompson, Department of Health and Human Services
11:45 Discussion
12:00 LUNCH
1:30  PANEL: Internet Security Issues for Agency Mission Systems (cont.)
      Peter Groen, Department of Veterans Affairs
      Greg Jones Sr., Securities and Exchange Commission
      Tom Sandman, Department of Interior
      Steve Schmidt, Department of State
2:10  Discussion
2:30  BREAK

VII. GOVERNMENT BRIEFING

2:45  Briefing of the OMB NII Security Meeting & the Resulting Assignment for the Advisory Board
      Lynn McNulty
      Summary of March 22 Congressional Hearings
      Lynn McNulty
3:00  Discussion
3:15  Public Comment (max. 10 min. per speaker - sign up in advance with secretary)
3:45  Board Discussion/June Agenda
4:00  ADJOURN

------------

Next Meeting - June 1-2, 1994
Hyatt Regency Inner Harbor
Baltimore, Maryland

MINUTES OF THE MARCH 23-24, 1994 MEETING OF THE
COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD

Wednesday, March 23, 1994

Call to Order

A quorum being present, the Chairman, Dr. Willis Ware, called the meeting to order at 9:00 a.m. at the Hilton Hotel, Gaithersburg, Maryland. In addition to Dr. Ware, the following members were present: Patrick Gallagher, John Kuyers, Sandra Lambert, Henry Philcox, Cynthia Rand, Steve Walker, and Bill Whitehurst.

Dr. Ware introduced and welcomed the appointment of Stephen A. Trodden, Inspector General for the Department of Veterans Affairs. Mr.
Trodden fills a federal sector Board vacancy. (Two vacancies remain.)

Mr. Lynn McNulty, Board Secretary, acknowledged two Board members, Dr. Willis Ware and Cynthia Rand, on receiving the IRM 100 Award from Federal Computer Week.

The entire meeting was held in open, public session.

Opening Remarks

Mr. McNulty reviewed the agenda and materials distributed to the Board. There was a short discussion regarding the availability of an appendix to Federal Information Processing Standard, FIPS 181 Automated Password Generator, on the NIST Bulletin Board System (BBS). The random number generator is based on the Data Encryption Standard (DES) cryptographic algorithm; therefore, the possibility of exporting DES (contained in the appendix) through the BBS was a potential issue. NIST questioned and received approval from the State Department to post the standard on the BBS with one caveat. State stipulated that the section of the standard that refers to DES should be specifically annotated as being subject to export control laws. Note that NIST has removed the code and the sample executable files.

Overview & Summary of February 4, 1994 Cryptographic Announcement & DSS Update

Mr. Ray Kammer, Deputy Director of NIST, briefed the Board on the outcome of several announcements by the Administration on February 4, 1994. The Escrowed Encryption Standard (EES) was approved as a Federal Information Processing Standard (FIPS 185). In response to a question, Mr. Kammer indicated that the EES does not apply to TESSERA/Capstone when this technology is used for data communications. (FIPS 185 applies to telephonic communications.) A separate FIPS would have to be developed to apply to non-telephonic data communications.

Regarding the DSS, Mr. Kammer stated that intellectual property issues are preventing the issuance of the standard.
A draft agreement was reached, but after reviewing it (and the public comments) the government decided that the terms did not conform to one of its basic objectives of achieving a world-wide license free, royalty free, technology. He noted the government's objective of a free Digital Signature for users that does not involve a transaction charge. Mr. Walker asked what guidance Mr. Kammer would provide to government agencies that need such technology. Mr. Kammer replied that, in the absence of a federal standard, they are free to use whatever they want.

Mr. Whitehurst asked about the international reaction to the government's key escrow encryption initiative. Mr. Kammer replied that some foreign governments have indicated that they found the approach conceptually appealing, but were reluctant to adopt a U.S. government-developed solution. Other countries are intensely worried about this issue - but are not having a public debate.

Regarding the Administration's response to the public comments, Mr. Kammer noted that the Federal Register announcement (of Feb. 9, 1994) addressed them. He also was asked about whether the Administration would publish a public report of the interagency review of these issues. He stated that an unclassified report could not directly address all these issues and would not be satisfying. (See Reference # 1.)

Briefing on Escrowing Release Procedures

Mr. Geoffrey Greiveldinger, Department of Justice, briefed the Board on the procedures for release of encryption key components, by the two escrow agents, to government agencies. The two escrow agents are the National Institute of Standards and Technology (NIST), under the Department of Commerce and the Automated Systems Division of the Department of Treasury. The two agents will act under strict procedures that will ensure the security of the key components and govern their release for use in conjunction with lawful wiretaps.
Each agent will be responsible for holding one of the key components for each chip. Neither will release a key component, except to an authorized government agency with a valid authorization to conduct lawful electronic surveillance wiretapping. The key escrow system does not in any way change the basic rules (i.e., Title III) under which government agencies are authorized to conduct wiretaps.

Dr. Ware asked how many agencies have the authority to do wiretaps. Mr. Greiveldinger replied seven or eight as well as thirty-seven states, including the District of Columbia and Puerto Rico, which have wiretap laws. Cities and counties perform wiretaps under their state laws. (See Reference #2.)

Briefing on Escrow Program Procedures

Mr. Miles Smid, Manager, NIST Security Technology Group, discussed the procedures for the key escrow program. The procedures were developed during the September through October, 1993 timeframe. Seventeen thousand chips have been programmed to date, for incorporation into AT&T commercial products.

Five federal agencies share a role in the key escrow program:

1) the Department of Justice is a sponsor and a family key agent that holds one of the components of the family key,
2) the Federal Bureau of Investigation is the initial law enforcement user and a family key agent that holds the other component of the family key,
3) NIST has a dual role as the program manager and a key escrow agent,
4) the Department of Treasury is a key escrow agent and,
5) the National Security Agency is the system developer that provides technical assistance.

(An NSA contractor, Mykotronx, actually performs chip programming, under supervision by the escrow agents.)
The functions of the key escrow program, that have already been accomplished, are to: 1) produce the chips, 2) generate the seed keys, 3) secure the transport of critical data to the programming site, 4) generate key components and chip programming, and 5) secure the storage of key components, which is done in double locked containers. The functions that will be done in a later phase are to: 1) control the release of key components, 2) decrypt collected communications, and 3) audit the system. (See Reference #3.)

Change in U.S. Export Procedures

Ms. Rose Biancaniello, Deputy Director of the Department of State's Office of Defense Trade Controls, briefed the Board on reform in U.S. export procedures applicable to products incorporating encryption technology. These reforms are part of an effort to eliminate unnecessary controls and ensure efficient implementation. The reforms are:

License Reform: Under new licensing arrangements, encryption manufacturers will be able to ship their products from the U.S. directly to customers within approved regions without obtaining individual licenses for each end user. This will improve the ability of our manufacturers to provide expedited delivery of products, and to reduce shipping and tracking costs. It should also reduce the number of individual license requests, especially for small businesses that cannot afford international distributors.

Rapid review of export license applications: A significant number of encryption export license applications can be reviewed more quickly. For such exports, there is a license turnaround goal of two working days.

Personal use exemption: U.S. citizens will no longer be required to obtain an export license prior to taking encryption products out of the U.S. temporarily for their own personal use. In the past, this requirement caused delays and inconvenience for business travelers.
Allow exports of key-escrow encryption: After initial review, key-escrow encryption products may now be exported to most end users. Additionally, key-escrow products will qualify for special licensing arrangements.

These reforms should have the effect of minimizing the impact of export controls on U.S. industry.

The Board had comments regarding the relaxation of export controls for encryption products for personal use. Several members thought this could be a useful step to aid those traveling out of the U.S. It is not clear whether the export of DES or RSA is covered by the personal use exemption. Several members also expressed their concern about the speed with which the vendor could get their products through the export procedures. The Board questioned whether the DES cryptographic algorithm, published on the NIST bulletin board and, therefore, available on the Internet, is considered in the public domain.

International Cryptography Proposal

Mr. Jim Schindler and Mr. Keith Klemba from Hewlett-Packard Company presented an international cryptography proposal. They discussed the fundamental problem of how to provide global information technology products featuring security, while respecting the independent development of national security policies. People, government, and technology play a role in the creation of national cryptography policy.

Hewlett-Packard is proposing four service elements for a national security policy framework. The framework would consist of a "national flag" card installed into a cryptographic unit which is installed into a host system. Cryptographic functions on the host system could not be executed without a cryptographic unit which itself requires the presence of a valid national flag card before its services are available. A network security server can provide a range of different security services including verification of the other three service elements.

Mr. Klemba and Mr.
Schindler suggest that the need for policy exists, whether for key escrow or other technology. This framework is meant to be used to support the design and development of any national policy regarding cryptography. (See Reference #4.)

International Corporate Key Escrow

Mr. Frank Sudia, Bankers Trust, presented his views of the government's key escrow encryption chip initiative and a system designed by Bankers Trust. First, he presented some rationales for key escrow encryption. He proposed that for corporations, key escrow encryption fulfills management supervision and compliance duties, and reduces business risks. Customers in the computer industry may prefer escrow products, if given a choice. Mr. Sudia suggests that the law enforcement and national security communities might pose a threat to society if encryption is unregulated.

Mr. Sudia discussed key escrow encryption chip/Capstone limitations. Some of those limitations are listed below:

- insufficient business input into design process;
- user not permitted to select escrow agents;
- device cannot be re-keyed periodically or as desired;
- storage of keys by government may violate constitutional rights; and
- cannot support an interoperable global network.

Mr. Sudia then discussed some features and benefits of the proposed Bankers Trust escrow system:

- user can select suitable escrow agents, from pool of participating entities;
- device can be re-keyed: upon sale, routinely, etc.;
- companies can obtain keys to "owned" devices without a warrant; and
- system provides full "equality of tapping" for sender and receiver.

Mr. Sudia maintains that the Bankers Trust system can meet both U.S. and European needs. The Bankers Trust system has been discussed with Canada, Britain, France, Singapore, and the U.S.; however, none of these countries have endorsed the system. (See Reference #5.)

iPower Technology Briefing

Mr.
John Jones, National Semiconductor, briefed the Board on iPower technology, developed by National Semiconductor. Mr. Jones began by examining the current security limitations of computing such as: the lack of sufficient data security for corporate, government and personal communications; the ease with which intellectual property is pirated; and further computerized distribution of transaction authorizations. Continuing emerging security issues remain a concern as with the security problems with current systems and technology-enabled applications requiring a higher standard of security to ensure widespread adoption.

iPower technology integrates advances in three critical technologies: 1) semiconductor, 2) networking, and 3) encryption. He said that iPower is built on industry standards including, but not limited to, PCMCIA, DES, RSA, and X.509.

Mr. Jones further stated that iPower products can provide the highest level of data security for fixed or portable applications on unsecured networks. Key iPower product benefits are they:

- deliver privacy, authentication, verification and non-repudiation;
- use bulletproof cryptography;
- offer personal portability;
- enable credit card-sized implementations;
- give unbeatable price-performance; and
- work on unsecured networks.

iPower technology can be used in emerging data security applications such as: 1) authenticated identity, 2) electronic commerce (ID, privacy, signatures), 3) desktop/settop purchasing, and 4) secure communications. iPower technology can also be used in authenticated identity cards/smart cards to enable more complex security protocols. It can be used for credit and identity and home services (e.g., electronic funds transfer and credit services.)

Mr. Jones maintains that iPower technology is a new kind of communications tool -- an emerging standard for access to the information highway network.

In response to a question, Mr.
Jones stated that the cost of the iPower card would be approximately $175 plus a $200 reader for work stations not configured with a PCM port. (See Reference #6.)

Public Response to Clipper

Mr. David Sobel, Legal Counsel for Computer Professionals for Social Responsibility (CPSR), delivered some public responses to the key escrow encryption chip initiative. Mr. Sobel brought to the Board's attention that of the 320 comments submitted to NIST on the proposed Federal Information Processing Standard for an Escrowed Encryption Standard (EES), only two supported the adoption of the now approved standard.

Mr. Sobel stated that nearly all of the comments received from industry and individuals raised the concerns about privacy; the use of a secret algorithm; the security of the technology; restrictions on software implementation; impact on competitiveness; and lack of procedures for escrowing keys. However, he said now that procedures for escrowing keys have been developed, that raises a whole new host of comments.

Mr. Sobel said that CPSR initiated an Internet petition. Within several weeks, nearly 50,000 users of the Internet registered their opposition to the key escrowed encryption chip initiative.

Mr. Sobel was asked what he thinks the Board should do after reviewing the public comments. He suggested that it would be appropriate for the Board to recommend hearings by Congress regarding the implementation of the Computer Security Act. (See Reference #7.)

Briefing on Interagency Working Group

Dr. Mike Nelson, Office of Science and Technology Policy, briefed the Board on the Encryption and Telecommunications Interagency Working Group (IWG) activities.
He said that the Administration is guided by three principles:

- Providing good solid encryption for all Americans;
- Preserving the interests of law enforcement in regards to maintaining status quo of law enforcement's ability to do wiretaps but at the same time, not weaken protection presently in law for citizens; and
- Conducting the prior two without slowing down the pace of technology.

Dr. Nelson said that the Administration sees the key escrow encryption chip as an answer to the problem created by the spread of easy to use, high quality encryption into the nation's telephone system and stressed it is not for computer networks. He said that the chip is not being imposed on anyone. The Administration is not considering outlawing other forms of encryption and will not seek to do so.

The working group considers these same three principles to also guide Administration efforts on digital telephony, the FBI approach to Congress for legislation to compel the telecommunications industry to redesign its facilities to meet certain law enforcement requirements. The Administration is not asking for controls on domestic encryption and has no intent of doing so. The Administration is moving to establish escrow agents outside the executive branch but this may require legislation.

Dr. Nelson briefly discussed the TESSERA card which is for the Department of Defense's own application in the Defense Messaging System. The TESSERA, or ID card, is a "tool box" that holds an encryption and digital signature algorithm. The TESSERA card allows for 1) signature only or 2) signature and encryption (as long as the receiver has the same capability.) It is hardware based and admittedly too expensive for broad application. No decision to proliferate TESSERA into the civil government sector or to adopt key escrowing for the federal data communications applications has been made to date.
Public Comment

During this period members of the public are afforded the opportunity to speak to the Board.

Mr. Paul Jones, Racal-Guardata, presented his views on a royalty free digital signature process. Mr. Jones reported that using products and procedures available in current NIST and ANSI standards would obtain a digital signature standard with royalty-free use worldwide. He referred to the Secure Hash Algorithm, a notarized DES signature, and FIPS 140-1 level 3 DES based products. See Reference #8, Mr. Jones' prepared statement (in its entirety).

Mr. Wayne Madsen, Computer Sciences Corporation, stated that the recent U.S. State Department's "Country Reports on Human Rights Practices for 1993" failed to address major wiretapping operations in numerous countries around the world. He said that the Administration on one hand tries to convince the public that the key escrowed encryption chip is for law enforcement only while on the other hand its 1409-page human rights document fails to report on wiretaps conducted around the world for non-law enforcement purposes. See Reference #9, Mr. Madsen's prepared statement (in its entirety).

Board Discussion and Assignments

Before discussing ideas for the June meeting, the Board unanimously approved the minutes of the December, 1993 meeting.

Discussion continued proposing to devote all or a part of the June meeting to privacy and/or other issues. The Board also discussed the possibility of a briefing from the Information Infrastructure Task Force (IITF). Mr. McNulty said that after checking with Mr. Dennis Steinauer, NIST and a member of the IITF working group, he would send a preliminary IITF report to the Board. (ACTION - SECRETARY).

The Board is tasked with working two items regarding the National Information Infrastructure (NII) security issues, as outlined in a recent meeting, chaired by Ms.
Sally Katzen, Director of OIRA/OMB and Chair of the Information Policy Committee, which address the subject of security in the NII. However, the Board would like to know the details of the NII before discussing those issues. Also, the Board asked that they be briefed at the June meeting on past (perhaps two years) presentations (e.g., key stroke monitoring, H.R. 3627, Amendment to the Export Administration Act of 1979, etc.) The Board also asked to have an update on the Common Criteria.

The meeting then recessed at 5:15 p.m.

Thursday, March 24, 1994

Briefing on the National Computer Ethics & Responsibilities Campaign

Dr. Peter Tippett, the Computer Ethics Institute, briefed the Board on a National Computer Ethics and Responsibilities Campaign (NCERC). NCERC includes a series of initiatives coordinated over the course of 1994 and beyond. The purpose of the campaign is to make the ethical and responsible use of information technology a national priority. The goals are to: 1) raise public awareness of the need for action and 2) provide individuals and organizations with the tools they need to use information technology in responsible ways.

Dr. Tippett discussed the various ways in which the campaign is being launched. The project includes, but is not limited to, a national conference, a press briefing, public relations, and an advertising effort to promote the campaign and sponsoring organizations. Dr. Tippett said that six organizations are absolutely committed. He said that the goal is to have twenty companies as sponsors.

Dr. Tippett asked the Board for its support of their campaign. The Board did so by drafting and unanimously passing a resolution, which was considered later in the meeting. (See Reference # 10.)

Internet Security and Firewall Initiative

During this and the next several sessions Mr. McNulty was called away and Ms. Kathie Everhart, of his staff at NIST, served as DFO.

Mr.
John Wack, NIST Computer Security Division, briefed the Board on NIST's Internet security and TCP/IP firewall initiative. Mr. Wack began by outlining some of the problems with TCP/IP. He said that: 1) a number of services are vulnerable, 2) passwords transmitted in the clear can be monitored, 3) host controls are difficult to administer, 4) it is difficult to secure large numbers of hosts, and 5) it can lead to easy access for intruders. Mr. Wack said that many organizations are first-time users and do not know where to start. They need help connecting LANs and making data and services available on the Internet. It is these new sites that are most susceptible to attack. Mr. Wack discussed some of the efforts that have been accomplished at NIST to date. These efforts include:

- a recently established lab for firewall research;
- a newly installed operational firewall for the computer security division;
- a NIST Special Publication on firewalls, due out in June, 1994; and
- an agency workshop on security considerations for connecting to the Internet, planned for the summer or fall of 1994.

The overall goal is to enable agencies and businesses to connect to the Internet and use it with security, and to influence IPng replacement protocol and NII security design decisions. Mr. Wack said that presently there are six or seven people in his group at NIST, but that number may need to grow. The Board encouraged NIST to continue with this effort. (See Reference #11.)

Briefing on Internet Password Sniffer Incident

Mr. Dain Gary, Software Engineering Institute and manager of the CERT Coordination Center, briefed the Board on a recent Internet password sniffer incident. Mr. Gary explained how the sniffer/intruder operates. It looks for systems with uncorrected vulnerabilities. Once into the system, it gains privileged access and installs a network monitoring program. Then it installs a backdoor to the system which allows it to come and go at will.
It also installs modified systems utilities in an effort to conceal its activities and the presence of the network monitor. From initial access to having the network monitor installed can take as little as 45 seconds. To date, two sniffer incidents have been reported in England and one in Australia. Mr. Gary said Internet security is a global issue. The purpose of the CERT incident response activities is to help the Internet community respond to computer security incidents, maintain incident data in a secure repository, facilitate communications between sites, response teams, investigators, and vendors, and to maintain expert knowledge in technologies being exploited. (See Reference #12.)

Internet Security Issues for Agency Mission Systems

Several government agency representatives participated on a panel to convey to the Board their concerns regarding security on their systems that are connected to the Internet. Several agencies are networked across the U.S. Each of the agency representatives expressed their concern with unauthorized access to agency sensitive information. There is the concern of viruses being introduced through the Internet as well as unauthorized modification of data, unauthorized destruction of data and disruption of services. Chairman Ware asked each of the panel members where they received their guidance and/or what kinds of guidance they need. The panel members said that they either had no guidance or they acquired it from a host agency or contractor. They expressed a desire to have a handbook of sorts based on experience. They suggested a bulletin board system as a tool for sharing information. Other areas of guidance would be security policies for the Internet, where to go for documentation, and a checklist of key contacts. Handouts were provided by Mr. Jaren Doherty, National Institutes of Health, Mr. Bill Donovan, Federal Emergency Management Agency, Mr. Peter Groen, Department of Veterans Affairs, Mr.
Tom Sandman, Department of Interior, and Mr. Steve Schmidt, Department of State. (See Reference #'s 13 through 17.) Other members of the panel included: Mr. Greg Jones Sr., Securities and Exchange Commission, and Mr. Tom Thompson, Department of Health and Human Services.

Briefing of the OMB NII Security Meeting & the Resulting Assignment for the Advisory Board

Mr. McNulty, Board Executive Secretary, provided the members of the Board with an overview of how security is being addressed in the context of the committee structure the Administration has established to plan for the implementation of the NII. He reminded the Board of the philosophical principle regarding security stated by Mr. Bruce McConnell of OMB/OIRA at the December, 1993 meeting of the Board. At this meeting, Mr. McConnell had advised the Board that security was viewed as one of the several "cross cutting" issues that was not assigned to any single NII committee or working group. Rather, it was viewed as a concern that will be addressed by all of these groups in the context of their charter. He summarized a recent meeting, chaired by Ms. Sally Katzen, Director of OIRA/OMB and Chair of the Information Policy Committee, held to address the subject of security in the NII. Participating in this meeting were a number of representatives of government components and inter-agency committees having a responsibility for information technology security for some segment of the federal government. Mr. McNulty stated that he was invited to participate in his capacity as Executive Secretary of the Advisory Board. He then briefly summarized the results of this meeting. He advised the Board that at the conclusion of this meeting Ms. Katzen had requested CSSPAB to survey the types of commercially available security products and suggest those which appear to have utility in the context of the NII. Following Mr.
McNulty's briefing the members held a wide-ranging discussion of the subject of security and the NII, as well as the ability of the Board to accomplish the project it had been requested to undertake. Several Board members, including the Chairman, expressed doubt that the Board had the time and resources needed to accomplish this task. Most members felt that as a group that met only on a quarterly basis such an assignment was beyond the capability of the Board to complete on a timely basis. At the conclusion of this portion of the allotted time for this topic, Dr. Ware stated that he would initiate a dialogue with the OMB/OIRA staff and advise them of the Board's concerns. He stated that he would also attempt to identify a role that the Board could play vis-a-vis NII security.

Summary of March 22 Congressional Hearings

Mr. McNulty also presented a summary of Congressional Hearings on security on the Internet that were held before the Subcommittee on Science, Committee on Science, Space, and Technology, U.S. House of Representatives. Mr. McNulty identified NIST's role in the security of both the Internet and the evolving National Information Infrastructure (NII). NIST has played a leadership role in the Forum of Incident Response and Security Teams (FIRST) from the beginning and has led efforts to bring together existing teams, develop an operational framework, and get the activity underway. NIST continues to serve as the secretariat of FIRST, providing coordination and technical support. Mr. McNulty discussed some of the primary objectives identified in the Vice President's National Performance Review with particular attention to two items relevant to Internet security. The first item involves the development of an overall Internet security plan. NIST will participate with several other organizations. The second item, national crisis response clearinghouse, will be the expansion and application of the FIRST concept to the entire federal government.
NIST has the lead responsibility for this. Mr. McNulty went on to discuss the specific Internet security activities of NIST. These include:

- CSL Bulletins - guidance on connecting to the Internet
- Special Publications - guidance on Incident Response Capability
- FIRST leadership and support

Of particular interest is the firewall research at NIST. It is one of the most actively examined methods of protecting systems or subnetworks connected to the Internet. NIST has established a new Firewalls Research Laboratory effort to extend and share knowledge in this important area. In addition to these programmatic activities, NIST is involved in a number of groups and activities that are directly involved in Internet security. (See Reference #18.)

Board Discussion

Due to an early departure, Chairman Ware appointed Ms. Sandra Lambert acting Chair for the remainder of the meeting. During the discussion period of the meeting, a number of informal proposed resolutions were considered by the Board members. A draft resolution to endorse the National Performance Review objectives for a more efficient and effective government through the use of information technology was discussed. After review, approval of the resolution was moved by Ms. Lambert and seconded by Mr. Gangemi. The motion passed unanimously as annotated. (See Attachment #1 for Resolution 94-1.) Another motion, applauding the activities of the National Computer Ethics and Responsibilities Campaign was brought to the table for discussion. It was moved by Mr. Walker and seconded by Mr. Gangemi and adopted. (See Attachment #2 Resolution 94-2.) Both motions were passed in open, public session. After much deliberation, the Board took a straw vote on a draft resolution regarding the Administration's announcement of February 4, 1994 that it planned to proceed with the Escrow Encryption Chip Initiative essentially as proposed in April 1993, despite widespread concerns expressed by the public, U.S. industry and the Board.
No formal vote was taken. The meeting adjourned at 5:15 p.m.

Attachments
#1 - Resolution 94-1
#2 - Resolution 94-2

/s/
Lynn McNulty
Secretary

CERTIFIED as a true and accurate summary of the meeting

/s/
Willis Ware
Chairman

References
#1 - Kammer slides
#2 - Greiveldinger briefing
#3 - Smid slides
#4 - Klemba/Schindler slides
#5 - Sudia slides
#6 - Jones slides
#7 - Sobel slides
#8 - Jones statement
#9 - Madsen statement
#10 - Tippett slides
#11 - Wack slides
#12 - Gary slides
#13 - Doherty slides
#14 - Donovan slides
#15 - Groen slides
#16 - Sandman slides
#17 - Schmidt slides
#18 - McNulty testimony

Meeting of the Computer System Security and Privacy Advisory Board
June 1-2, 1994
Hyatt Regency Inner Harbor
Baltimore, Maryland

AGENDA

WEDNESDAY, JUNE 1, 1994

I. INTRODUCTION
9:00 Welcome and Update
     Lynn McNulty, Board Secretary
9:10 Opening Remarks
     Dr. Willis Ware, Chairman

II. GOVERNMENT VIEWS ON SECURITY IN THE NII
9:15 OMB NII Security Activities and Request for Board Assistance
     Ed Springer, OMB
9:30 NSA View of NII Security
     Roger Callahan, NSA
10:00 What NIST is Doing in the NII
     Dr. Stu Katzke, NIST
10:30 BREAK

III. NPR SECURITY RECOMMENDATIONS
10:45 Overview of NPR Security and Privacy Recommendations and Strategies for their Implementation
     Lynn McNulty
11:00 Generally [Accepted] System Security Principles Update
     Marianne Swanson, NIST
11:30 Firewall/Internet Initiative
     John Wack, NIST
12:00 LUNCH
1:30 Federal Networking Council's Perspective on the NII
     Dennis Steinauer, Co-Chair, Federal Networking Council Security Group
2:00 Detailed Overview of NPR Security and Privacy Recommendations and Strategies for their Implementation
     Roger Cooper, DOJ

IV. CRYPTOGRAPHIC UPDATES
2:30 Update on the NRC Congressionally Mandated Cryptographic Policy Study
     Dr. Herb Lin, National Research Council
2:45 BREAK
3:00 Status of the DSS & Report on the Infrastructure Study
     Lynn McNulty
4:00 Secure Hash Algorithm and Key Escrow Update
     Miles Smid, NIST

V.
BOARD DISCUSSION
4:30 Board Discussion on Procedures for the Introduction of Items for Consideration by the CSSPAB
5:00 RECESS

THURSDAY, JUNE 2, 1994

9:00 Proposed Resolutions Before the Board
10:15 BREAK

VI. BRIEFINGS OF INTEREST
10:30 Update of Common Criteria
     Dr. Stu Katzke, NIST
11:30 Discussion
12:00 LUNCH
1:30 Report of Computer Security Experts to China
     Dr. Michel Kabay, Director of Education of the National Computer Security Association (NCSA)
2:00 Public Comment

VII. PENDING BOARD BUSINESS
2:30 BREAK
2:45 Board Discussion, as required/September Agenda
4:00 ADJOURN

------------

Next Meeting - September 14-15, 1994
Hilton Hotel
Gaithersburg, Maryland

Minutes of the June 1-2, 1994 Meeting of the Computer System Security and Privacy Advisory Board

Wednesday, June 1, 1994

Call to Order

A quorum being present, the meeting was called to order at 9:00 a.m. by the Chairman, Dr. Willis Ware, at the Hyatt Hotel in Baltimore, Maryland. Members attending were: Mr. Castro, Mr. Gallagher, Mr. Kuyers, Ms. Lambert, Mr. Philcox, Ms. Rand, Mr. Trodden, Mr. Walker, and Mr. Whitehurst. All portions of the meeting were open to the public.

Opening remarks were delivered by Mr. Lynn McNulty, Executive Secretary. He reviewed recent announcements and items of interest, including the issuance of Federal Information Processing Standard 186, the Digital Signature Standard. He also noted that two nominees were being cleared by the Department of Commerce and he hoped that they would be able to be formally appointed in time to attend the September meeting. The Chairman noted that the Secretariat was making the Board's documents electronically available to the public through the NIST Computer Security Bulletin Board. He also distributed the Deputy Director of NIST's letter (dated May 24, 1994) responding to the Chairman's letter to the Director of NIST (dated May 16, 1994) regarding the issuance of the Digital Signature Standard. (See Reference #1.)
Government Perspectives on NII Security

Mr. Ed Springer of OMB's Office of Information and Regulatory Affairs (OIRA) discussed the federal role in the development of the National Information Infrastructure. In particular, he mentioned the government's role in stimulating competition and fair use, protecting law enforcement's abilities, and promoting appropriate security. The NII Security Issues Forum seeks a broad dialog with users and builders of the NII. A meeting has been scheduled for July 15, 1994 to examine pertinent issues. Specific help from the Board would be useful in further defining users' security requirements and in describing what products have been or would be useful. A letter from the Director of OIRA requesting the Board's assistance will be forthcoming. Mr. Springer agreed to brief the Board in September on the July 15 meeting. (ACTION - SECRETARIAT)

Mr. Roger Callahan of NSA's Information Systems Security Organization presented the Board with NSA's View of NII security. (See Reference #2.) He focused specifically on the Multilevel Information System Security Initiative (MISSI). He will send the Board additional information on MISSI and MOSAIC. (ACTION - MR. CALLAHAN) The anticipated costs of the Tessera card -- and how those prices would change over time -- were debated. Of concern to the Board is the likelihood that the cost of Tessera will be too high for widespread commercial utilization.

Next, Dr. Stuart Katzke, Chief of NIST's Computer Security Division, discussed NIST's NII-related activities, National Performance Review (NPR) action items and related computer security program initiatives. (See Reference #3.)
NIST's participation in various Information Infrastructure Task Force committees was presented, as well as NPR action items (specifically # IT-10), which includes cryptographic standards, Generally Accepted System Security Principles, a national Crisis Response Clearinghouse, the need for improved security awareness, and coordination of security research and development.

National Performance Review

Mr. Lynn McNulty, Associate Director for Computer Security at NIST, provided the Board with a brief summary of the National Performance Review (NPR). (See Reference #4.) The NPR resulted from a campaign promise by this administration to reinvent how government operates. One of the ways that this is being done is through the use of Information Technology (IT). Mr. McNulty noted that security was recognized as necessary for the successful use of IT that citizens would trust with the protection of their personal information. Following Mr. McNulty's presentation, reports on the status of two specific NPR recommendations were presented.

The status of the NPR recommendation to develop Generally Accepted System Security Principles (GSSPs) was explained by Ms. Marianne Swanson of NIST's Computer Security Division. (See Reference #5.) NIST is working closely with the GSSP committee on the development of the highest level "pervasive principles." A forum, involving diverse professional communities, is anticipated to be held in mid-August to discuss their progress. The need for about $500,000 in funding was discussed. An update report will be provided in September. (ACTION - SECRETARIAT)

The NPR recommendation to strengthen Internet security was presented by Mr. John Wack, also of NIST's Computer Security Division. (See Reference #6.) The Board discussed who would tell agencies that they had to take the necessary measures to strengthen security. Mr. McNulty said that this was OMB's role.
The Federal Networking Council's perspectives on NII security were the subject of the next presentation, as provided by Mr. Dennis Steinauer of NIST's Computer Security Division and Mr. Steve Squires of ARPA. Mr. Steinauer prefaced his remarks by stating he would focus on the plan for developing an Internet security plan, not the plan itself. He discussed the scope of the Internet and the FNC, and its role as a catalyst, vice regulator, for improving security. He also said there may be a need for an international security summit meeting.

Next, Mr. Roger Cooper of the Department of Justice briefed the Board. He serves as the "security champion" for NPR implementation. In this capacity he oversees the implementation of the various security-related recommendations (which each, in turn, have their own champion). He provided the Board with two handouts, an organizational overview and the NPR IT Accompanying Report. (See References #7 and #8.) A question was raised regarding the funding of agency implementation of NPR recommendations. Mr. Cooper responded that, in many cases, there are not adequate answers to such questions. He also discussed the role the Government Information Technology Services committee (GITS) is playing in implementing the NPR. GITS plans to publish a "vision paper" this month on how they intend to operate. The pressure to increase direct electronic public access to data was briefly mentioned. Also, Mr. Cooper examined the issue of whether e-mail messages constitute official government records. The National Archives and Records Administration has put out draft guidance on the matter, which is important to the Justice Department, which spends approximately $30 million per year on Freedom of Information Act processing.

Cryptographic Issues

Dr. Herb Lin of the National Research Council discussed the requirement of P.L. 103-160, the Defense Authorization Bill for FY-1994, to conduct a comprehensive independent study of national cryptography policy.
(See Reference #9.) The NRC is moving to get the committee into place, and obtain the statutorily-directed Defense Department funding. (Ms. Rand, Board Member, reported later in the meeting that the paperwork within DoD was proceeding, and that the Office of the Secretary of Defense would seek to work with Dr. Lin to expedite the process.) Mr. Kenneth Dam, former Deputy Secretary of State, has been selected as Chairman. The selection process is still underway for other committee members (not all of whom will require SI/TK clearances). Dr. Lin is seeking wide inputs from the community for potential presenters to the committee. He hopes that the study will be underway by July 1994, with a final report by the end of 1995 or early 1996.

Mr. Lynn McNulty and Mr. Miles Smid, Manager of the Computer Security Division's Security Technology Group, provided the Board with an update of NIST's cryptographic-related activities. (See Reference #10.) Mr. Smid reviewed the proposed correction to the Secure Hash Standard (discovered by the National Security Agency). Even without the change the standard remains strong. Mr. Smid said that it was stronger than the work it would take to exploit DES. Mr. Smid said that the change would be announced in the Federal Register for public comment.

Regarding the key escrow encryption program, Mr. Smid said that the transition was underway from Clipper to Capstone chip programming. The search is now underway for possible new escrow agents. Also, a meeting was held in March 1994 of the Skipjack review team, to review current and anticipated features of the key escrow system. That group is working on a paper that will contain any comments they wish to make. Additionally, a proposed Federal Information Processing Standard (FIPS) has been developed for common cryptographic service calls. Public comments will be requested in the Federal Register on this document as well.
The discussion then turned to the recently issued Digital Signature Standard (FIPS 186). Discussion centered on the statement in the standard that the Department of Commerce was not aware of any patents which would be infringed by the standard. However, Mr. McNulty indicated that discussions with Public Key Partners, Inc., (a firm which has claimed patent infringement) continue. Mr. Walker stated that issuance of the standard should not be viewed as an accomplishment since the patent issue remains unresolved. Messrs. McNulty and Smid answered numerous questions from the Board on DSS and other cryptographic issues.

Mr. Walker provided the Board with a summary of a presentation he gave to the Federal Networking Council Advisory Committee Meeting on April 5, 1994. He discussed the need for an approach that will let service providers integrate security into their products without actually providing any cryptography. He called for a high level Cryptographic Applications Programming Interface that would link to a low level interface that would contain the actual cryptographic implementations. He also provided the group with an interim status report of the NIST-sponsored alternate key escrow working group. He said that an analysis was conducted on the software surrounding the Tessera card, leading to the conclusion that any software solutions need not be any stronger than Tessera and the surrounding software. He stated that any technique should not be used for government-imposed key escrow until a law is passed by Congress.

Adoption of the March 1994 CSSPAB Meeting Minutes

After modifications, the minutes to the March meeting were unanimously adopted. The Secretary agreed to provide a revised set to the Board members. (ACTION - SECRETARY) (See Reference #11.) The meeting was recessed at 5:00 p.m.

Thursday, June 2, 1994

Resolution on Clipper/Capstone

The session began with discussions of draft resolutions before the Board. Mr.
Walker stressed that he thought it very important that the Board have something to say about the February 4, 1994 announcements. After much discussion, Mr. Walker moved a motion, seconded by Mr. Castro, regarding the uncertainty that the Clipper/Capstone key escrow initiative will provide a practical solution to the unclassified encryption needs of the U.S. or solve the law enforcement issue. This resolution (Number 94-3) passed with eight in favor and one (Mr. Gallagher) opposed. (See Attachment #1.)

Board Operating Procedures

After discussions, the Board voted unanimously to change its operating procedures (first adopted in 1990). The Board replaced section D, "Exceptions," in its entirety to read: "The Board retains its prerogative to consider and act upon items, subject to the procedures outlined in Robert's Rules of Order, 'Suspension of the Rules.'" (See Reference #12.)

Common Criteria Update

Dr. Stuart Katzke provided the Board with a status report on the common criteria project. (See Reference #13.) He reviewed the seven meetings held to date and the planned meeting for the remainder of FY-94. A draft of the criteria is expected to be available for widespread review in October 1994. A decision has not been made on how evaluations would be conducted. Members expressed an interest in receiving a copy of this draft when it becomes available. (ACTION - SECRETARY)

People-to-People Visit to China

Dr. Mitch Kabay, Director of Education for the National Computer Security Association, provided the Board with a written summary of a recent People-to-People visit of computer security experts to China. The group, which included Board member Mr. Gallagher, met with high level computer professionals in three cities. A continued theme expressed by the Chinese was their concern over virus infections, which is exacerbated by widespread software piracy. Dr. Kabay drew the Board's attention to his conclusions and recommendations on page 12 of the handout. (See Reference #14.)
Mr. Gallagher added a few personal observations about the new Chinese computer security law and their desire to use international standards.

Public Participation

Mr. Richard Graveman of Bellcore provided the Board with highlights of the Eurocrypt '94 conference. Many papers at the conference stressed Diffie-Hellman discrete log problems over RSA-type factoring problems. The conference included an invited talk by Dr. Silvio Micali on "fair cryptography."

Other Business

At the request of the Chairman, Board Member Ms. Lambert summarized a recent X9.F1 standards meeting. At the meeting the committee rejected Tessera and Capstone as work items as the group does not want any product-specific standards. Instead, they will work to develop application interface standards.

Mr. Walker introduced and reviewed a motion regarding the DSS and the patent infringement situation. After revisions, the resolution (Number 94-4) was passed unanimously. (See Attachment #2.) It supports the principle of a digital signature capability being made available to all parties on a royalty free basis. It also notes the Board's concern that there are impediments to the availability and use of the DSS. These impediments include the risk of potential patent infringement and the lack of certificate and key management infrastructures. The meeting was adjourned at 3:15 p.m.

Attachments
1. Resolution 94-3
2. Resolution 94-4

/s/
Lynn McNulty
Secretary

CERTIFIED as a true and accurate summary of the meeting

/s/
Willis Ware
Chairman

References
1. NIST Response (5/24/94) to the Board's Letter (5/16/94) (both)
2. Callahan presentation
3. Katzke presentation #1 (NII)
4. McNulty presentation
5. Swanson presentation
6. Wack presentation
7. Cooper handout-org. chart
8. Cooper handout-NPR IT Accompanying Rpt
9. Lin handout-5/27/94 Memo to CSSPAB
10. Smid Presentation
11. Walker paper, "Network Security Issues"
12. CSSPAB March 1994 meeting minutes
13. Katzke presentation #2 (Common Criteria)
14.
Kabay handout

---------------------------------------------------

Meeting of the Computer System Security and Privacy Advisory Board
September 14-15, 1994
Hilton Hotel
Gaithersburg, Maryland

AGENDA

WEDNESDAY, SEPTEMBER 14, 1994

I. INTRODUCTION
9:00 Welcome & NPR Initiative on Cost Containment for Advisory Boards
     Lynn McNulty, Board Secretary
9:10 Opening Remarks
     Willis Ware, Chairman

II. RECENT CRITERIA ACTIVITIES
9:15 Common Criteria Update
     Stu Katzke, NIST
9:30 Report on Developmental Assurance Workshop
     Pat Toth, NIST

III. CRYPTOGRAPHIC ACTIVITIES
9:45 Status of Cryptographic Patents
     Mike Rubin, Deputy Chief Counsel, NIST
9:55 Briefing on DSS and Update on Proposed Procurement for Prototype Infrastructure Services
     Lynn McNulty
     Rob Rosenthal, NIST
10:10 BREAK
10:25 Status of Alternative Key Escrow Initiative Working Group and other Cryptographic News
     Lynn McNulty
10:45 Discussion
11:00 TIS Approach to Software-based Key Escrow Encryption
     Steve Walker, TIS
     Demonstration and Discussion
12:00 LUNCH

IV. SECURITY AND PRIVACY IN ELECTRONIC BENEFITS TRANSFER (EBT) SYSTEMS
1:30 Overview of EBT Task Force Workgroup Report
     Jack Radzikowski, Executive Director, Federal EBT Task Force
2:15 Security Issues in EBT
     Roy Saltman, NIST
2:35 BREAK
2:50 EBT Application Briefings
     Dale Brown, State of Maryland
     Tom Martin, USDA, OIG
     Tom Musslewhite, Secret Service
     Joyce Kohler, Food and Nutrition Service
3:50 Discussion
4:15 Worksite Verification Recommendation
     Susan Martin, U.S. Commission on Immigration Reform
5:00 RECESS

THURSDAY, SEPTEMBER 15, 1994

V. BRIEFINGS OF INTEREST
9:00 Governmentwide Electronic Mail
     Neil Stillman, Department of Health & Human Services
10:00 Reaction to Public Meeting on Information Superhighway Security
     Martin Ferris, Department of Treasury
10:30 BREAK
10:45 Update on Congressional Privacy and Security Issues
     Lynn McNulty
11:00 Tax Systems Modernization - Business Changes - Security Challenges
     Hank Philcox, IRS
     Jim Robinette, IRS
12:00 LUNCH

VI.
NIST ACTIVITIES
1:30 Status of Security Handbook
     Ed Roback, NIST
     Barbara Guttman, NIST
1:45 Status of Generally Accepted Systems Security Principles (GSSP) Effort
     Barbara Guttman, NIST
2:15 Public Comment (max. 5 min. per speaker - sign up in advance with secretary)
2:45 BREAK
3:00 Board Discussion/December Agenda/1995 Workplan
4:30 ADJOURN

------------

Next Meeting - December 7-8, 1994
Sheraton Reston Hotel
Reston, Virginia

MINUTES OF THE SEPTEMBER 14-15, 1994 MEETING OF THE COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD

Wednesday, September 14, 1994

Introduction

A quorum being present, the Chairman, Dr. Willis Ware, called the meeting to order at 9:00 a.m. at the Hilton Hotel, Gaithersburg, Maryland. Besides Dr. Ware, the following members were present: Cris Castro, Don Gangemi, John Kuyers, Sandra Lambert, Henry Philcox, Cynthia Rand, Steve Walker, and Bill Whitehurst.

Mr. Lynn McNulty, Board Secretary, introduced the new Board member nominees. Ms. Genevieve Burns, from Monsanto Corporation, will fill a non-government/non-vendor vacancy and Mr. Charlie Baggett, NSA, replaces Mr. Pat Gallagher, who recently retired. (Additional vacancies are in the process of being filled, hopefully by the December meeting.) Mr. McNulty advised the Board of a plan to reduce Board expenses by at least 5%, as required by the National Performance Review. This will be accomplished by holding three of the four meetings next year on the NIST campus or at a nearby hotel, in order to reduce the cost of staff travel, and by asking the Board members to utilize government air contract carriers.

Mr. McNulty then reviewed the agenda and materials distributed to the Board. Among the materials distributed to the Board was a paper from Dr. Herb Lin of the National Research Council (NRC), National Academy of Sciences (NAS) on their Study of National Cryptography Policy. Dr. Ware commented that the NRC/NAS does not discuss the status of reports or NRC study groups until completed.
(See Reference #1.) The Chairman welcomed the two new members-designate and advised them to watch their e-mail as that is how the Board communicates most of the time. He also noted that he looked forward to their formal appointments so they could vote on Board matters. The entire meeting was held in open, public session.

Recent Criteria Activities

Dr. Stu Katzke, Chief, NIST Computer Security Division, gave the Board an update of the Common Criteria activities. He reported that the April draft document went out for review with final comments due back by June 5. Following the receipt of comments the report went to the Common Criteria Editorial Review Board for review. Eighty-seven reviewers looked at the sponsors' draft of the criteria. The next draft of the Common Criteria will be ready in the January/February 1995 timeframe. The U.S. will begin trial evaluations of conformant products in mid 1995. Meanwhile, NSA will continue with Orange Book evaluations. In response to a question, Dr. Katzke said that the Canadian and European sponsors are still supportive of this activity. Dr. Katzke noted that there will be a session on the Common Criteria at the National Computer Security Conference in October. The discussion will be primarily at the conceptual level.

Ms. Pat Toth, NIST Computer Security Division, briefed the Board on the Developmental Assurance Workshop held on June 16-17, 1994. She reported that developmental assurance is not meant to replace evaluations, but could help to speed up the evaluation process. She said that NIST would continue developmental assurance at an international level. Ms. Toth offered the opinion that the workshop raised issues rather than solved problems. A second workshop is planned for December. The Board asked that Dr. Katzke and Ms. Toth return to the December Board meeting with a more extensive briefing.

Cryptographic Activities

Mr.
Michael Rubin, NIST Deputy Chief Counsel, briefed the Board on the status of cryptographic patents affecting the Escrowed Encryption Standard (EES) and the Digital Signature Standard (DSS). He reported that during the public comment process preceding adoption of the EES there were comments from two patent holders, Mr. Andrew Logan and Professor Silvio Micali. Mr. Rubin stated that NIST concluded that there is no patent infringement; however, in the case of the Micali patent it was a close call. Accordingly, the government entered into a licensing agreement with Micali. The scope of the Micali license includes anyone using Clipper, Capstone or Tessera/Fortezza. The agreement resulted in Professor Micali granting rights for anyone to use his patent provided that it is done for a law enforcement purpose (i.e., escrowing of keys with a government designated agent.) The Digital Signature Standard (DSS) was issued in May 1994. There were allegations of infringement from Mr. Claus Schnorr and Public Key Partners (PKP). Again, Mr. Rubin indicated that there is no infringement by the DSS of any patent licensed by PKP. DSS Update Mr. McNulty reported that the DSS was approved by the Secretary of Commerce and issued as FIPS 186 on May 19, 1994. The FIPS is mandatory for the federal government in outgoing and incoming documents. However, there is some confusion about whether government agencies will accept documents signed using other algorithms. Mr. McNulty said that the focus had shifted from algorithm issues to Public Key Infrastructure (PKI), which the government will build to support the DSS. He went on to say that the government needs practical experience in a limited PKI operation. The strategy will be for NIST to award contracts to provide prototype certificate management services for two or three federal agencies. A draft RFC will soon be published in the Commerce Business Daily, which will translate into an RFP to be issued in early 1995. (See Reference #2.) 
Update on Proposed Procurement for Prototype Infrastructure Services Mr. Robert Rosenthal, Manager, NIST Protocol Security Group, discussed NIST's Public Key Infrastructure (PKI) Pilot Procurement that is designed to support NIST's Federal Information Processing Standard Publication on the Digital Signature Standard. Mr. Rosenthal explained the need to gain practical experience managing public key certificates. He indicated that real operations data from the Pilot will be used to guide future PKI policy implementation decisions. In addition, cost information on building, installing and operating the Pilot PKI will guide decisions to incrementally scale up an operational PKI. Finally, technical experience and lessons learned from the Pilot will provide feedback to operators integrating commercial off-the-shelf components needed to provide certificate management services. Several technical issues were also discussed including: - Specification of the certificate management hierarchy; - Generation and distribution of public keys; - Managing and distributing the certificates and their revocation lists; and - Interoperability among and between other PKI prototypes. The Board invited Mr. Rosenthal to present an in-depth report at the December meeting, with the other committee representatives. (See Reference #3.) Status of Alternative Key Escrow Initiative Working Group and other Cryptographic News Because of Vice President Gore's letter to Rep. Cantwell, stating the Administration's desire to seek alternative key escrow approaches, a series of government/industry workshops is being held to develop and test various industry approaches to key escrow. Mr. McNulty said that vendors believed there was a significant market for escrow products. Mr. Whitehurst and Mr. Walker disagreed with this statement. A full report of the first NIST workshop is available in NISTIR 5468. (See Reference #4.) TIS Approach to Software-based Key Escrow Encryption Mr. 
Steve Walker, President, Trusted Information Systems, Inc. (TIS) and Mr. Carl Ellison (TIS), gave a demonstration and overview of their approach to software-based key escrow encryption. Mr. Walker stated that software key escrow systems could be built that meet the objectives of law enforcement. He believes that variations of their software key escrow system can provide a commercial key escrow capability that will be very appealing to corporate and individual computer users. He also believes that widespread use of corporate key escrow, in which corporations operate their own key escrow centers, and individual key escrow, in which bonded commercial key escrow centers provide a key retrieval capability for registered users, will better achieve the key escrow objectives of law enforcement than a government-imposed key escrow system. (See Reference #5.) Overview of EBT Task Force Workgroup Report Mr. Jack Radzikowski, Executive Director, Federal Electronic Benefits Transfer (EBT) Task Force, presented an overview of the recently published NPR report on EBT. The objectives of the task force are to: - construct a uniform nationwide EBT operating environment; - issue a base service EBT payments in at least one region in 1996; - expand the base service capabilities to multiple regions; and - extend EBT service to all other appropriate benefit programs. The objective of creating a national EBT is to replace multiple paper-based benefit delivery systems with a single electronic system that delivers benefits for a full range of federal and state programs. Mr. Radzikowski stated that the goal is to begin implementing basic EBT services for the major federal and state programs by March of 1996 and to expand to additional benefit programs by March 1999. (See Reference #6.) Security Issues in EBT Mr. Roy Saltman of NIST briefed the Board on the security issues in EBT that he identified during a recent study. Mr. 
Saltman stated that theft of equipment, funds, and intellectual property were of concern as well as damage and alteration to equipment, programs or information. Also of concern is the unapproved retrieval of privacy information, which could affect not only the recipient of benefits but also the distributor of those benefits. EBT system security concerns are similar to those found in other systems. They are: physical and system access; personnel; network operations; point of sale terminal and card design; and equipment and system failure. With electronic benefits there is the same concern of collusion between the recipient and the retailer as there is in paper-based systems. Administrative procedures should be able to handle most security concerns. Data analysis could be used to identify possible recipient/retailer collusion such as the purchase of alcohol and/or drugs. (See Reference #7.) EBT Application Briefings Ms. Joyce Kohler, Food and Nutrition Service (FNS), gave an overview of the existing Department of Agriculture's Food Stamp Program currently using the EBT system. Ms. Kohler reported that illegal sale of food stamps is the biggest problem. Clients sell coupons or EBT benefits to the retailer for cash (e.g., 50 cents on the dollar). EBT delivers about 2% of food stamp benefit dollars to about 2% of food stamp households. States deliver food stamps through local offices which determine client eligibility and calculate benefit levels. The FNS reimburses the states 50% of their administrative costs. She stated that security requirements follow existing federal security policies; for example, security plans are required as part of design documentation and security reviews have been conducted in EBT demonstration projects by the FNS. The Food Stamp Program security assessment looked at all system linkages. 
Vulnerabilities were assessed in terms of probability of occurrence, value of the asset, opportunity for abuse, and the effect on the system. In conclusion, Ms. Kohler stated that there are few serious vulnerabilities and none that required immediate attention or reconsideration of the cost of providing EBT services for the delivery of food stamp and cash benefits. Ms. Kohler gave an overview of specific privacy issues for EBT systems. She said that recipients' names do not appear on point of sale receipts, or on the terminal display. Balances may not appear on terminal displays, and EBT regulations require ensuring the privacy of household data and providing benefit and data security. (See Reference #8.) Ms. Dale Brown from the State of Maryland briefed the Board on the EBT system used in Maryland. Ms. Brown stated that Maryland is the first state in the nation to provide its citizens receiving public assistance and food stamps an opportunity to use state-of-the-art technology. Through the use of a debit card with a magnetic strip, called the "Independence Card," recipients access their monthly benefits electronically through point of sale devices at retail stores and at automated teller machines, thereby replacing food stamp coupons, child support and cash benefit checks. One of the problems that the state has encountered is the ongoing 6% replacement of EBT cards. The replacement of the cards is a result of clients losing or selling their cards. When the card is lost or sold, the client must go into their local office to replace the card (which is currently free) and receive a new PIN number. (See Reference #9.) Mr. McNulty asked Ms. Brown if there are any security lessons for the overall EBT program to be drawn from her state's experience. She said that separation of duties is the most successful. 
She discussed other security measures that have been resolved and they include, but are not limited to, improved workstation audit trail reporting, reduced number of user IDs with access to the system, automatic aging of inactive user IDs, and updated procedures for establishing new EBT recipients. Ms. Brown talked about future projects to include: EBT for gas and electric, housing, and farmers market vendors. Mr. Tom Martin, U.S. Department of Agriculture, Office of the Inspector General, discussed the fraud, waste, and abuse of EBT in the Food Stamp Program. He said that even though EBT replaces coupons, fraud is still a problem. Internal controls are applied such as separation of duties. The Privacy Act is applied to all EBT programs including law enforcement except in the case of fraud. Mr. Tom Musselwhite, U.S. Secret Service, is involved in EBT to investigate food stamp and financial institute fraud. He said that secure systems for the delivery of government benefits should be employed. An EBT program should address the following: Applicant/Recipient Verification. Any document can be counterfeited. 100% verification can be obtained by fingerprints encoded on the card. Card User Verification. Lost and stolen cards can be used by criminals. Physical Card Security. Features in the EBT card can prevent counterfeiting. Authorized Purchases. Measures should be taken to ensure that program funds are spent for intended purposes. Computer Systems Integrity. Can reduce potential for compromise of systems. (See Reference #10.) Dr. Ware complimented the State of Maryland for a job well done and for their strong message on computer security. Worksite Verification Recommendation Dr. Susan Martin, Executive Director, U.S. Commission on Immigration Reform, briefed the Board on the Commission's recent report on ways to reform U.S. Immigration policy. The Commission was mandated by the Immigration Act of 1980. 
The first report on immigration reform is due to Congress by September 30, 1994 and the second report is due in 1997. One major recommendation is to deter and prevent illegal immigrants' employment. Two problems remain: 1. employers are able to hire illegal aliens; and 2. potential is high for discrimination because of looks or accent. The Commission is proposing the development of a computer registry based on SSN that will allow employers to check the SSN against the registry. This will eliminate the current process. The Commission proposes five pilot programs with three approaches: 1. Issuance of temporary SSN card linked to database; 2. Issuance of driver's license as basic identifier issued by DMV linked to database; and 3. telephone verification, asking name, SSN, mother's maiden name. There are various security and privacy concerns: 1. preventing the system from fraudulent use; and 2. concerns that the database does not have any weaknesses. The Commission is very concerned about the security and privacy issues and hopes to identify some of the problems through pilot programs as well as seek the Board's advice. It is the hope of the Commission to deter the illegal alien by removing the magnets, which are jobs. (See Reference #11.) The meeting recessed at 5:05 p.m. Thursday, September 14, 1994 Government-wide Electronic Mail Dr. Neil Stillman, Deputy Assistant Secretary for Information Resources Management, Department of Health and Human Services, briefed the Board on an Office of Management and Budget (OMB) chartered task force to establish a government infrastructure for interagency electronic mail. Dr. 
Stillman discussed the vision which would be: 1) a service that appears to the user to be a single unified electronic postal system, 2) offers robust and trustworthy capabilities with legally-sufficient controls for moving all forms of electronic information among employees at all levels of government, and with the public, and 3) like the nation's telephone network, is affordable, ubiquitous, efficient, accessible, easy-to-use, reliable, cost-effective, and supported by an effective directory service. Dr. Stillman discussed the idea of "Business Quality", loosely defined as security and availability. There was some discussion between Board members and Dr. Stillman to more closely define what "Business Quality" Email means. The Board highly recommended that the task force not use this term, as it is not recognized by the community and has different meanings to different people. Dr. Stillman went on to outline the functional, management, and technical requirements. He discussed the task force's recommendations to OMB which are: 1. Promote Electronic Government; 2. Require Government-wide E-Mail Connectivity; 3. Establish a Government-wide E-Mail Standard; 4. Promote Public Access; 5. Establish government-wide E-Mail Directory; 6. Issue E-Mail Policy; 7. Establish E-Mail Program Office; 8. Establish E-Mail Management Council; and 9. Provide Funding for Government-wide E-Mail. Dr. Stillman said that OMB would look favorably on those agencies that have e-mail in their budget; however, OMB is not planning on providing agencies additional funding for this effort. Board members expressed concern that privacy was not addressed and that policy is needed first. (See Reference #11). Reaction to Public meeting on Information Superhighway Security Mr. Martin Ferris, Computer Security Program Manager, Department of Treasury, briefed the Board on the public meeting on NII security held in July of this year. 
He reported that the Information Infrastructure Task Force (IITF) recognized that they had not addressed security in the National Information Infrastructure (NII); therefore, the NII Security Issues Forum was organized. A meeting was held and the public was invited to appear before the IITF and members of the NII advisory council to assess security needs and concerns of potential NII users. The participants were asked to address three principal questions: 1. How will the NII be used; 2. What security exposures or risks are of concern; and 3. What type of approaches should be taken to address those concerns. There were several hundred people in the audience and 32 speakers participated. The speakers were from several communities, including: - commerce/banking trade; - business/manufacturing/industry; - health services; - electronic publishing/entertainment; - education/libraries; and - government services. The presenters discussed the importance of security. They would like and need additional dialogue. Mr. Ferris said that the speakers recognized many of the security needs and solutions within the NII. He also expects the federal government to have a role in some of the solutions to the NII security needs. Mr. Ferris reported that the next steps will be to continue dialogue via additional meetings. The process for those meetings is yet to be determined. (See Reference #12). Update on Congressional Privacy and Security Issues Mr. Lynn McNulty, Associate Director for Computer Security, NIST, gave the Board an update on Congressional activities. Mr. McNulty discussed the Digital Telephony Bill (HR 4922). He said that this is the third attempt to get legislation going on this Bill; however, this is a new proposal expected to be passed during this session of Congress. The purpose of HR 4922 is to make clear a telecommunication carrier's duty to cooperate in the interception of communications for law enforcement purposes, and for other purposes. 
He outlined the key provisions telecommunications carriers must ensure: 1. Intercept communications; 2. Access call identifying information; 3. Deliver intercepted communication to the government; and 4. Do the above in a surreptitious manner. Mr. McNulty said that the law does not authorize any Law Enforcement Agency to require specific design features or to prohibit the adoption of specific features. He said the Bill also relieves carriers of any responsibility for decrypting communications, unless encryption is provided by the carrier. Mr. McNulty reported on the status of a staff draft of a Bill, tentatively titled the Encryption Standards & Procedures Act. It is the purpose of this Act to allow government to issue voluntary encryption standards but only under a formal rulemaking process where stakeholders have an opportunity to influence the final program. The key provisions are to: 1. Authorize NIST to establish an encryption standard & procedures program; 2. Authorize the Computer System Security & Privacy Advisory Board to review any standard before issuance and submit recommendations and advice; 3. Establish statutory requirements for key escrow agents and establish key release procedures; and 4. Criminalize misconduct by escrow agents or law enforcement officials. (See Reference #13). Tax Systems Modernization - Business Changes - Security Challenges Mr. Hank Philcox, Chief Information Officer, and Mr. Jim Robinette, Information Security Officer, Internal Revenue Service (IRS), presented the Board with IRS' Tax Systems Modernization program. Under the old program, 25-year-old systems were not connected to each other and there were inadequate monitoring, detection, and prevention capabilities. Mr. Philcox said that they began to look at how they could transform the delivery of services to customers and change the way they do business. Mr. 
Robinette discussed their new operating concept which would give immediate help to customers by providing: more electronic and telephone activity; education/outreach; research; redefining of jobs; new measures; an emphasis on training; and streamlining paper. Some of the security challenges will be to: - ensure data access to IRS users (taxpayers in the future); - prevent browsing; - detect and prevent fraud (e.g., artificial intelligence techniques); - educate IRS users; and - provide physical protection of information. Mr. Philcox discussed an IRS video that has been seen by all IRS employees. The video has a series of vignettes showing the types of privacy issues employees may encounter. The Board commended IRS' efforts and made a motion to draft a statement. The motion was made by Mr. Steve Walker and seconded by Mr. Cris Castro. Mr. Philcox abstained. Dr. Ware said that he and Mr. McNulty would draft a statement to be delivered to appropriate government officials. (ACTION CHAIRMAN AND SECRETARY.) (See Reference #14.) Status of Security Handbook Mr. Ed Roback and Ms. Barbara Guttman, NIST, presented the Board with a status of the NIST handbook effort. Mr. Roback and Ms. Guttman remarked that 500+ copies of the draft handbook were mailed out for review and that the draft was also available on the NIST bulletin board. Forty-five comments were received. Some of the questions posed to readers were: Are we missing topics? If so, what are they and where do you suggest we add them? Suggested text would be welcome. Do you have any additions to any of the cost considerations or interdependencies sections to add? Please be specific. We would like our references to be as useful and current as possible. Do you have any additional ones? Should any be deleted? Do you think the Handbook will be useful? (The majority said yes.) Some of the major general comments from readers had to do with the title of the document. Some readers also felt that the document needs better finding aids. 
They questioned whether there is an audience such as the one described in the document. Mr. Roback and Ms. Guttman discussed some major comments on specific topics. Some commenters suggested that the authors work with the Office of Management and Budget (OMB) to go along with their approach on accreditation and certification. There was significant disagreement about the policy chapter. The handbook refers to three types of policies and comments received (including from some Board members) argued that there is only one type of policy, and that is an overall security policy (i.e., that establishes an organization's computer security program). Other topical comments were discussed, such as program management, audit, assumptions, trusted systems, and networks. The handbook is being written in coordination with other projects, for example, OMB's A-130, the Generally Accepted Systems Security Principles, and the UK Department of Trade and Industry (DTI) Codes of Practice. NIST will be reviewing the handbook over the next few months and hopes to obtain the assistance of a technical editor in the process. (See Reference #15.) Status of Generally Accepted Systems Security Principles (GSSP) Effort Ms. Barbara Guttman, NIST Computer Security Division, addressed the status of the Generally Accepted Systems Security Principles (GSSP) effort. The GSSPs are a task under the National Performance Review. It began as an Information Systems Security Association (ISSA) effort as a result of the Computers At Risk recommendation. NIST and ARPA prepared a proposal to the GSSP Committee to expand the effort. NIST also has a task item under the NPR to draft high level GSSPs. In August, NIST and ARPA sponsored a meeting to explore what is needed with GSSPs. Ms. Guttman stated that they wanted to get from the community what they needed in GSSPs and whether they in fact wanted GSSPs. 
Participants decided it would be better to do something quickly with the work that has already been done and concluded that it would be helpful to publicize and move existing GSSP documentation forward by: Publishing executive principles based on OECD; Publishing and keeping up to date practices (DTI/Handbook); Continuing with Common Criteria and Evaluation Efforts; and Looking to see what else is needed. Ms. Guttman noted an ISSA draft report that is due out in the near future. Mr. McNulty said he would see that Board members receive a copy. (ACTION SECRETARY). (See Reference #16.) Public Participation At this time the Chairman asked if any of the members of the public at the meeting had any remarks they wished to address to the Board. There were no comments from the floor. Board Discussion During Board discussion the minutes from the June meeting were approved. The Secretary agreed to provide a signed copy to the Board members. (ACTION - SECRETARY) Also, Dr. Ware agreed to draft a letter to Ms. Sally Katzen of OMB, to inquire about the future plans for security and privacy issues being addressed by the IITF Security Forum. (ACTION - CHAIRMAN) Closing The Chairman advised the Board members that there was no further business for the group to consider. He asked if the Board members had any additional suggestions for the December meeting. Ms. Lambert suggested briefings from the medical community on security and privacy issues. There being no additional business for the Board, the Chairman adjourned the meeting at 3:25 p.m. 
References:
#1 - NRC Study
#2 - McNulty slides
#3 - Rosenthal slides
#4 - McNulty slides
#5 - Walker slides
#6 - Radzikowski slides
#7 - Saltman slides
#8 - Kohler statement
#9 - Brown slides
#10 - Musselwhite slides
#11 - Stillman slides
#12 - Ferris slides
#13 - McNulty slides
#14 - Philcox slides
#15 - Roback/Guttman slides
#16 - Guttman slides

/s/ Lynn McNulty, Secretary

CERTIFIED as a true and accurate summary of the meeting

/s/ Willis Ware, Chairman

Meeting of the Computer System Security and Privacy Advisory Board December 7-8, 1994 Sheraton Reston Hotel Reston, Virginia AGENDA WEDNESDAY, DECEMBER 7, 1994 I. INTRODUCTION 9:00 Welcome Lynn McNulty, Board Secretary 9:10 Opening Remarks Willis Ware, Chairman II. RECENT CRITERIA ACTIVITIES 9:15 Common Criteria Update Stu Katzke, Chief, Computer Security Division National Institute of Standards and Technology 9:45 Discussion 10:15 BREAK III. KEY ESCROW UPDATE 10:30 Key Escrow Approaches Workshops Lynn McNulty IV. PRIVACY ISSUES Information Infrastructure Task Force (IITF) on Privacy Rob Veeder, Privacy Advocate Internal Revenue Service 11:30 Discussion 12:00 LUNCH V. CONGRESSIONAL UPDATES 1:30 U.S. Congress Report Summary: "Information Security and Privacy in Network Environments" Joan Winston, Project Director Office of Technology Assessment 2:15 Update on H.R. 5199 - Encryption Standards and Procedures Act of 1994 Anthony S. Clark, Professional Staff Member House Science, Space, and Technology Committee, Subcommittee on Technology, Environment, and Aviation 2:45 Discussion 3:00 Computer Network Security and Privacy Walt Koscinski, LEGIS Fellow for Sen. Roth (R-DE) 3:15 Crime Bill Revision, 18 U.S.C. Sec. 1030 A5 Stevan Mitchell, Trial Attorney, Computer Crime Unit Department of Justice 3:45 Discussion VI. PUBLIC COMMENT PERIOD 4:15 Public Comment (max. 5 min. per speaker - sign up in advance with secretary) VII. GENERAL DISCUSSION 4:45 Board Discussion 5:00 RECESS THURSDAY, MARCH 23, 1995 VIII. 
REVIEW OF DISA SECURITY PROGRAM 9:00 Program Overview Robert Ayers, Director, Center for Information Systems Security Defense Information Systems Agency (DISA) IX. SECURITY OF GOVERNMENTWIDE E-MAIL 9:30 Government-wide Electronic Mail Tom DeWitt, Acting Program Manager General Services Administration 10:00 BREAK 10:15 Security Protocol for the World Wide Web Greg Bergren, Technical Director, Architecture and Standards National Security Agency 10:45 Discussion X. GENERALLY ACCEPTED SYSTEMS SECURITY PRINCIPLES (GSSP) 11:00 Status of GSSP Effort Will Ozier, Chair, GSSP Committee President and CEO of OPA 11:30 NIST's Participation in GSSP Effort Stu Katzke, NIST 11:45 Discussion 12:00 LUNCH XI. GOVERNMENT DIGITAL SIGNATURE ACTIVITIES 2:00 Panel Security Infrastructure Program Management Office Al Williams, Telecommunications Specialist General Services Administration Update on Proposed Procurement for Prototype Infrastructure Services Robert Rosenthal, Manager, Protocol Security Group NIST Postal Electronic Commerce Services Dick Rothwell, Senior Director, Technology Integration U.S. Postal Service 3:00 BREAK XIII. ARPA SECURITY PROGRAM 3:15 ARPA NII Security/Privacy Program Teresa Lunt, Program Manager ARPA/CSTO 3:45 Board Discussion/March Agenda/1995 Workplan 4:30 ADJOURN ------------ Next Meeting - March 22-23, 1995 Holiday Inn Gaithersburg, Maryland MINUTES OF THE DECEMBER 7-8, 1994 MEETING OF THE COMPUTER SYSTEM SECURITY AND PRIVACY ADVISORY BOARD Wednesday, December 7, 1994 Introduction A quorum being present, the Chairman, Dr. Willis Ware, called the meeting to order at 9:00 a.m. at the Reston Sheraton Hotel, Reston, Virginia. Besides Dr. Ware, the following members were present: Charlie Baggett Jr., Cris Castro, Don Gangemi, Sandra Lambert, Henry Philcox, Cynthia Rand, Stephen Trodden, Steve Walker, and Bill Whitehurst. Mr. McNulty, Board Secretary, introduced two designate members, Mr. 
Randolph Sanovic, Corporate Manager, Computer Security Planning, Mobil Corporation and Ms. Linda Vetter, Vice President, Product Management Server Technologies Division, Oracle Corporation. He also welcomed, again, Ms. Genevieve Burns, Monsanto Corporation, as a designate member, who was present. Mr. McNulty noted that he had received a letter of resignation from Ms. Cynthia Rand. He said that the Board would be looking within the government for a replacement to be at the March meeting. Mr. McNulty stated that there was nothing to report on the merger at NIST between the Computer Systems Laboratory (CSL) and the Computer and Applied Mathematics Laboratory (CAML); however, an off-site was scheduled for the week of December 12 to discuss the reorganization. He said that the process to select a Director for the new laboratory remains underway. The entire meeting was held in open, public session. Recent Criteria Activities Dr. Stuart Katzke, Chief, NIST Computer Security Division, gave the Board an update of the Common Criteria (CC) activities. He reported that copies of the CC were distributed to members of ISO at the September meeting. All sponsors expressed their intent to adopt the CC as their national criteria when it is complete. Based on that, ISO sent a proposal to the national bodies proposing to accept the CC as the basis for the ISO document. The Chairman asked Dr. Katzke if ISO will definitely use the CC as a replacement for the ISO document. Dr. Katzke reported that he believed the pieces of the ISO document that are in progress now will be removed and substituted with the October draft of the CC. [Comments on the CC will be reviewed and processed in March 1995.] The CC Editorial Board will spend the first two weeks in April analyzing the contents to decide which issues to handle. Two workshops will take place in May, one in Canada and one in Europe. Attendees will be those people who submitted comments to discuss the issues and how to solve them. Dr. 
Katzke stated he hopes to have a briefing at the October 1995 National Computer Security Conference on the status of the CC; however, he does not think there will be a new version for the conference. The completion date is still to be decided. Dr. Katzke discussed the evaluation issue. He said that NIST and NSA have been working this issue for some time, but are having difficulty establishing a TTAP. There is little vendor or commercial interest in evaluated products. Dr. Katzke pointed out that there may be a need to rethink the importance, relevance, and cost-effectiveness of evaluations for obtaining trust in commercially-oriented products/systems. Dr. Katzke and the Board discussed whether there is a need for a new evaluation process. Individual Board members made the following recommendations: - Assure that security is built into the product during the development process. Expand the process to include both hardware and software. Allow vendors to trade off security options and hardware/software options when developing networks for differing degrees of assurance. Base network components on functionality, cost, performance, and the minimum level of assurance needed. Evaluation of Commercial-Off-The-Shelf (COTS) products is not achievable due to the short lifetime of COTS product versions and the inability of the current evaluation process to keep up. The evaluation process needs to change from being an evaluation of a product to affecting the development process of a vendor's product. Determining the vendor's "security process capabilities" during their development cycle will be key. - Have the client work with the developer to find the appropriate assurance level. Automate the auditing process team more. Develop baseline controls for each type of application in a business environment. - Expand the entire security process to include not only incorporation of security in the development process, but also testing, evaluation, and auditing of operational networks. 
- Measure the vendor's product security development process. Establish a gray scale to detect functionality of the network/total system. Ensure deployed/operational network use and security maintenance measurement. Require periodic assessments and testing/verification of high-level assurance networks. - Expand the CC framework applied against the most important business areas in the US. Change the focus of the CLEFs to apply a general application analysis approach. At this time, Mr. Lynn McNulty acknowledged Mr. Hank Philcox, recipient of the Government Executive of the Year Award from Government Computer News. Key Escrow Update Mr. McNulty reviewed the status of the recent workshops held to discuss alternative approaches to key escrow encryption and find alternative ways to accomplish the fundamental policy objectives of the government's key escrow approach. The White House assigned NIST the responsibility of organizing a workshop to try to look for other approaches to accomplish key escrow, particularly software alternatives. A meeting was held in June of 1994 with twenty vendors participating. The meeting was held according to Vice President Gore's letter to Rep. Maria Cantwell in late July of this year. A second meeting was held in August with greater vendor participation. Meetings were scheduled for October and December but because some basic policy questions could not be answered by then, the government postponed the meeting until early 1995. The vendor community has agreed that no substantive progress can be made at looking at alternative key escrowing techniques until some basic policy issues, raised by industry, are resolved. Five policy issues, or principles, were referred to industry by government. In summary, Mr. McNulty said that the next workshop is on hold until the policy issues are resolved. He said that NIST continues to receive requests for participation. (See Reference #1.) Ms. Lambert asked Mr. 
McNulty to give a status of the Micali patent agreement. He said that NIST previously announced that the government had reached an agreement with Professor Silvio Micali, of MIT, to obtain exclusive license to use his patents when used on government approved key escrow encryption devices or chips. Professor Micali received an initial partial payment for his techniques. The second payment has been held up due to allegations about whether Professor Micali was the sole inventor. Meanwhile, Professor Micali has sold his patents to Bankers Trust of New York City. Mr. McNulty emphasized that he has not been involved with any of the legal negotiations of the patent holders and is relating secondhand information. Privacy Issues Mr. Robert Veeder, recently selected as Privacy Advocate for the Internal Revenue Service and chair of the Privacy Working Group under the Information Infrastructure Task Force (IITF), discussed privacy issues within the government. He said that because the National Information Infrastructure (NII) is interactive, it seeks advice from many different privacy experts and private and public sector parties. Two public hearings were held, one in Sacramento and one in Washington, D.C. These meetings brought panels together from particular sectors (e.g., financial services, law enforcement, and public archivists) to address NII privacy and the effects of NII privacy on their operations. One task the group is looking at is developing principles that would at least govern some kinds of behavior and define some kinds of relationships with the participants of the NII. The second task was set by the National Performance Review to look at creating, at the national level, a privacy board, privacy commission, data protection commission or other entity that would have as its sole focus the privacy interests of both the private and public sectors. Mr. 
Veeder stated that there are two reasons for developing a new set of principles that could be used to define behavioral relationships in the NII: (1) to develop principles that describe a static environment, and (2) a desire to have the federal government take a leadership role on this issue. The group debated, wrote, and developed some principles, sent them out for review, received comments back and published them on April 29 in the Federal Register. The latest draft needs to go to the IITF for final approval. Mr. Veeder shared with the Board what he considers to be a final draft of the principles, but they have not yet been approved by the full IITF Committee. He said they tried to define the environment. There are two kinds of participants: those who provide information and those who collect and use information. Dr. Ware suggested that the group might consider using the principles as a basis of amending or rewriting the Privacy Act, the Fairness Relations Code, and health care regulations/rules. When asked if these guidelines map to the OECD guidelines, Mr. Veeder said that he was comfortable that they are consistent with the OECD guidelines and in some respects a little stronger. (See Reference #2.) U.S. Congress Report Summary: "Information Security and Privacy in Network Environments" Ms. Joan Winston, Project Director for the Office of Technology Assessment (OTA), briefed the Board on OTA's recent report: "Information Security and Privacy in Network Environments." Ms. Winston began by noting that the views and opinions expressed were her own, and not those of OTA, the Technology Assessment Board, the Technology Assessment Advisory Council, or individual members. Ms. Winston explained that OTA is an analytical arm of Congress created to provide analysis of technological issues. The report was requested by the Governmental Affairs Committee. 
The request for the assessment originally came from Senator Roth, then Ranking Minority Member of the Senate Committee on Governmental Affairs in the 102nd Congress. OTA was asked to study the changing needs for protecting unclassified information and for protecting the privacy of individuals. Senator Glenn and Representative Markey also endorsed the request. The report focuses on safeguarding unclassified information in networks, but because of limited resources, the report mainly deals with confidentiality and integrity of the information and leaves aside the issue of network security. The report also focuses on the processes that the government uses to regulate cryptography and to develop Federal Information Processing Standards (FIPS) based on cryptography. The report highlights the main policy issues. Ms. Winston pointed out that each policy issue lays out options, rather than recommendations. In answer to a question by the Chairman, Ms. Winston said that it was not clear that the current working relationship between NIST and NSA is necessarily achieving the proper balance. Greater oversight enforcement is needed of at least the Computer Security Act as it is written. She said that this could be contingent on what OMB does. Board members asked Ms. Winston what happens with the options. She said that the options were available to Congress to act as it deems appropriate. (See Reference #3.) Mr. Anthony S. Clark, Professional Staff Member, House Science, Space, and Technology Committee, Subcommittee on Technology, Environment, and Aviation, gave an update on H.R. 5199, the Encryption Standards and Procedures Act of 1994. Mr. Clark said that Representative Brown introduced this Bill for two reasons: (1) A recognition that if the Administration seeks to persuade the private sector to use encryption standards, the only success would be public buy-in; and (2) To protect the public's constitutional legal rights and protections. H.R. 
5199 would essentially bring under the rule of the law the encryption standard setting process of the government and make clear, in law, that any such standard is voluntary. To require it or to outlaw the use of any other standards would require an act of Congress. The way this bill is structured, any party can challenge the standard through administrative or judicial means. A case would have to be made that their rights and protections have been infringed upon and that the requirements that are laid out in this particular statute are not adhered to in any particular way. It gives the opportunity for recourse for any expectant party that does not now currently exist in the law. The only recourse that any party has is through persuasion, or advocacy. The Chairman will reintroduce this bill in its current form. It is anticipated that it will be referred in the House solely to the Committee on Science. Mr. Clark noted that one important thing to remember about the Clipper Chip initiative for the Administration's encryption policy is that it goes beyond the original intent of the Computer Security Act. This may be inconsistent with other laws concerning individual privacy, protection of private property, and government authority to conduct lawful electronic surveillance. (See Reference #4.) Computer Network Security and Privacy Mr. Walt Koscinski, a Legislative Fellow for Senator Roth, discussed the Senator's plans as he assumes the Chairmanship for the Governmental Affairs Committee and where he thinks the Senator is heading with computer security issues during the next Congress. Mr. Koscinski noted that the views he expressed were his own and did not necessarily represent those of Senator Roth or his staff. He said he thought that the Senator's primary initiative will be to review the involvement and proper role of the government, whether it is computer security, deployment of the Clipper Chip, or export controls. 
Additionally, there is a perception that the government needs to correct its own deficiencies regarding computer security. Overall, however, privacy is the Senator's paramount concern. Mr. Koscinski said that at this point they were clearly in a fact finding mode. He said that they had met with NSA to get their views. He told a group of about twenty representatives from industry and academia that there was resounding support for many of the conclusions recently published in the OTA report. There is also support for some proposed options. Mr. Koscinski said that there were distinct concerns regarding privacy, protection of privacy data, current export controls, the need for better practices and awareness within the government for computer security, and a need to replace or eliminate government involvement. Mr. Koscinski said that the Senator was very concerned about the amount of government involvement in developing both standards and technology. He also noted that the government needed to clean up its own house regarding the lack of management attention to security and security training. He emphasized that the Senator's number one concern is the protection of the privacy of Americans' personal data on computer networks. He said that current law was out of synch with today's widespread use of computers and computer networks. (See Reference #5.) During the question and answer period, Mr. Clark wanted to clarify two important legal aspects of encryption. First, the government cannot mandate or outlaw any encryption method used by the private sector without an act of Congress. Secondly, a private escrow agent cannot be used to carry out the Administration's policy without an act of Congress. The reason is a question of liability. When asked if that provision extended to quasi-governmental bodies (e.g., Postal Service, Federal Reserve Board, or the Securities and Exchange Commission), Mr. Clark said that the main distinction was what is governmental and what is private. 
The quasi-governmental issue needs to be resolved. Crime Bill Revision, 18 U.S.C. Section 1030 A5 Mr. Stevan Mitchell, Trial Attorney, Computer Crime Unit at the Department of Justice, briefed the Board on the revision of the Crime Bill. He discussed the hacker provision and specifically the newly revised version of 1030 A5. In the Crime Bill Congress repealed the predecessor 1030 A5 and replaced it with a rewritten subsection, which is broader and more useful, in some respects. Mr. Mitchell gave a brief overview of all the subsections of Section 1030. He said that 1030 was the Computer Fraud and Abuse statute, with six substantive subsections, 1030 A1 through A6. Some subsections protect the confidentiality of information, and others guard against unauthorized access to various computers deemed in the federal government's interest. Mr. Mitchell went on to discuss the old 1030 A5, which prohibited unauthorized access that then resulted in the alteration, the damage, or the destruction of information, or the denial of use, of what is termed a "federal interest computer." The first positive point of the new 1030 A5 is that it improves upon the access threshold. It no longer depends on access, but on "knowingly causing the transmission of a program, information, code or command." This criminalizes the actions taken by the actor rather than the results of the action. The second positive point is that it provides insider coverage and applies when a defendant acts "through means of a computer used in interstate commerce or communications." In closing, Mr. Mitchell said that the Department of Justice would be working on a high-tech legislative package during the coming months. He said that he would like to come back before the Board to share with them some ideas and to seek the Board's views on the proposed legislation. (See Reference #6.) Public Participation At this time Mr. 
McNulty asked if any of the members of the public had any remarks they wished to address to the Board. There were no comments from the floor. General Discussion The Chairman suggested that the Board finish discussion to further address Common Criteria and TTAP issues at the March meeting. If it is to be discussed in March, the Board must identify the issues for which they may wish to take a position. Dr. Katzke discussed whether there remains a business case for setting up a TTAP. He said that he was faced with moving ahead with a TTAP kind of program, which is the next step after the criteria. When asked what he means by "business case," Dr. Katzke said that it means there is a need for a TTAP based on government funds. Mr. McNulty, Dr. Katzke, and Ms. Vetter agreed to frame the agenda for the March meeting for a one day overview of Common Criteria and TTAP issues. (ACTION - Mr. McNulty, Dr. Katzke, and Ms. Vetter.) There being no additional business for the Board, the Chairman recessed the meeting at 5:25 p.m. Thursday, December 8, 1994 Review of DISA Security Program Mr. Robert Ayers, Director, Center for Information Systems Security (CISS), Defense Information Systems Agency (DISA), briefed the Board on the security program at DISA. He said that they are instituting a program to improve all aspects of information systems security. CISS is working on four main areas of INFOSEC Management and Policy Improvements. First, they plan to standardize, within DoD, certification and accreditation methodologies. Secondly, they intend to develop an INFOSEC products and systems program to ensure the availability of efficient, cost-effective INFOSEC products for all of DoD. The third area is the use of a DoD INFOSEC services contract for rapid and cost-effective acquisition of all INFOSEC services. 
This would enable services and agencies to easily get INFOSEC services and to promote cost-effective management and integration of INFOSEC resources to support common security requirements. The last area is the establishment of a systems integration management office. Mr. Ayers went on to discuss the INFOSEC architecture program. The objective of the program is to develop a DoD-wide Goal Security Architecture within the DoD technical architecture framework for information management. He concluded with a review of current efforts. He said that various DoD directives/instructions/manuals would be revised, consolidated, and canceled as INFOSEC is made a distinct security discipline. Also, DoDD 5200.28, "Security Requirements for Automated Information Systems" will be revised. (See Reference #7.) Security of Government-wide E-Mail Mr. Tom DeWitt, Acting Program Manager, General Services Administration (GSA) briefed the Board regarding GSA's new Electronic Messaging Program Management Office, or E-Mail PMO. He related that this new office is still in the formative stages and he discussed the next steps that will occur in the future. He reviewed some recent events that led up to the formation of the PMO. In June, 1993, with the activity of the National Performance Review (NPR) gearing up, GSA offered to establish a National Performance Review E-Mail Laboratory, which is now complete. The laboratory supported four pilot projects to identify four existing government mission offices. The sponsors were to conduct a re-engineering of the process involved. Mr. DeWitt said that the four sponsors learned that all were extremely different when looking at it from a practical business standpoint. 
After customers' requirements were evaluated and their basic cultural characteristics were acknowledged, they found that: (1) the Office of Science and Technology Policy Group is Internet technology oriented; (2) OMB is OSI technology oriented; (3) the Administrative Conference of the US, because of their financial circumstances, was a suitable fit for using a CompuServe forum primarily because they could not underwrite the technology as they had no mechanism to recover cost; and (4) an action plan was developed for the Office of the Manager of the National Communications Systems (NCS). NCS looked at the application of the Multilevel Information Systems Security Initiative (MISSI) technology in the environments of end users. The e-mail Task Force suggested to OMB that a program office be formed with central authority. OMB assigned them a mission to provide a service which appears to the user to be a single unified electronic postal system. This service would offer robust and trustworthy capabilities with legally sufficient controls for moving all forms of electronic information among employees at all levels of government and with the public. Like the nation's telephone network, it would be affordable, ubiquitous, efficient, accessible, easy to use, reliable, cost-effective and supported by an effective directory service. Mr. DeWitt went on to discuss the charter of the PMO, which says that the program manager will develop a two-year plan. The plan is not publicly available until the board of directors of the Government Electronic Mail Steering Subcommittee (GEMSS) approves it. Mr. McNulty said he would provide the Board with copies of the plan when it becomes available. (ACTION - SECRETARY) Board members relayed their concerns regarding security and privacy in the e-mail program. Mr. DeWitt suggested that the Board review the two-year plan after it is ratified by the GEMSS. Board members asked Mr. DeWitt to summarize the security aspects of the plan for them. 
He reviewed the plan's nine points. Mr. DeWitt said he did not feel that the security infrastructure is the responsibility of his office. He said that he was confident that his office and the Security Infrastructure Program Management Office have a clear understanding of their respective responsibilities. A separate program management office will be responsible for security. Chairman Ware asked: (1) if there are security safeguards in the plan and (2) whether privacy issues have been addressed. Mr. DeWitt said that the role of his office is to provide guidance, a framework, and information. End users, program managers, developers, and those who administer agency systems within would have the information to decide their security requirements. He did not suggest that his office regulate that process or intervene in all of those programs and systems throughout the government and set their requirements and enforce technology solutions. The security and privacy community will be involved in all aspects; however, there is not one program that is specifically targeted toward security or privacy. Security and privacy requirements will be embedded throughout, based on information from the security and privacy community. Mr. DeWitt discussed "Business Quality" e-mail. Ms. Burns said that if his charter is to provide "Business Quality" e-mail to the government, that he not even consider an Internet e-mail as the low end but that he raise his sights to something much higher. She said that business would not tolerate the transmission of electronic mail that anyone can access. It has to be securely transmitted from the sender to the receiver without any interruption, modification, or browsing. She went on to say that if he were to raise his expectations to what "Business Quality" e-mail means in the business community, some security and privacy concerns will automatically be satisfied. Ms. Burns invited Mr. DeWitt to visit Monsanto to discuss these issues. (See Reference #8.) 
Security Protocol for the World Wide Web Mr. Greg Bergren, Technical Director for Architecture and Standards at the National Security Agency, briefed the Board on Security for the World Wide Web (WWW). Mr. Bergren discussed security as the enabler for many WWW applications such as Electronic Commerce. WWW security includes the following requirements that will: Account for services provided; Make access control decisions; Record unauthorized access attempts; Prevent fraud; Prove liability; Protect integrity of information and systems; Protect intellectual property; Protect company bids, plans and secrets; Allow multiple policies; Negotiate algorithms, modes and parameters; and Provide interoperability with existing clients and servers without security. To meet the above requirements, Mr. Bergren's organization will provide the following services: Identification and authentication to support control and accounting; Non-repudiation; Integrity; and Privacy. Two groups at NSA are working in two areas of WWW security, specifically in Mosaic. They were concentrating on the security interface between the user and the secure Mosaic program, and the interface to the security protocol mechanisms. The effort is focused on providing identification and authentication and adding other services such as privacy and integrity. Mr. Bergren concluded that challenges still lie ahead for making electronic commerce work. Regarding the infrastructure, he said that most people would need public key certificates and directory access. He also discussed interoperable certificate management and reliability. There needs to be a way to know who is responsible and how to protect intellectual property. Network architectures, particularly firewalls, are important factors in protecting systems. (See Reference #9.) Status of Generally Accepted Systems Security Principles (GSSP) Effort Mr. 
Will Ozier, Chair, GSSP Committee under the sponsorship of the Information Systems Security Association (ISSA), and President and CEO of OPA, briefed the Board on the status of the GSSP effort which arose from a recommendation of the 1990 Computers at Risk study by the National Research Council. NIST and ARPA are also involved in this effort. Mr. Ozier said the GSSP Committee will be: 1. Responsible for identification of appropriate principles, guidelines, and product profiles that will preserve the availability, integrity, and confidentiality of information systems. 2. An authoritative source for opinions, practices, and principles for the information security profession and information systems products. 3. Maintaining a close liaison and coordination with other international authoritative bodies who have developed related works to establish and maintain GSSPs, based on these efforts. 4. Working with the Information Infrastructure Task Force (IITF) to provide guidance for establishing secure commerce on the Information Superhighway. Mr. Ozier discussed the pervasive principles that specify the general approach information security should take to establish, maintain, and report on the security of systems in their charge. He said that these principles formed the basis for other principles. The following nine pervasive principles are based on the work of the Organization for Economic Cooperation and Development (OECD): Accountability, Awareness, Ethics, Multidisciplinary, Proportionality, Integration, Timeliness, Reassessment, and Democracy. Eight additional principles have been submitted for consideration: Certification & Accreditation, Internal Control, Adversary, Least Privilege, Separation of Duty, Continuity, Simplicity, and Policy Centered Security. The committee has expressed its desire to have the principles evolve into a legal document and/or be implemented throughout corporate America. Dr. 
Ware said that the Board's primary level of concern is for the federal government and how Mr. Ozier's work plays into NIST's application. Mr. Ozier said that the Computers at Risk document recommended that the GSSPs be common. There should not be a set of GSSPs for government and another for industry. The committee would like to see the government take an active role in reviewing the exposure draft and commenting on it. The committee would also like to get funding support and the appropriate people to express the importance and the need for this effort. He strongly urged the Board, as an advisory body, to put that message out to the world. (See Reference #10.) NIST Participation in the GSSP Effort Dr. Katzke said that NIST was tasked through the National Performance Review (NPR) to develop GSSPs for information security. He said that they looked at the committee work that was already in progress. NIST also looked at what documents were available internationally to see if there was a level of consensus, as did the GSSP committee. NIST and the committee agreed that the OECD set of principles made sense and that the committee would continue to work on the OECD document. He said that NIST and the committee are still working toward consensus on the exposure draft, but are confident that they will come to closure on a draft that they both can support. The goal is to work together to develop a document that will serve the needs of both government and industry. Dr. Katzke said that the OECD document "Guidelines for the Security of Information Systems" is getting international circulation. The UK is putting the document forward as a British standard and it has also been introduced into ISO as a possible standard. Dr. Katzke said that NIST would look at the document and modify it appropriately, if needed, as some detail areas may not be relevant. The next step for NIST is to issue the document, sometime in the next year, to federal agencies for comment. In the meantime, Dr. 
Katzke said that hopefully the committee work will continue and produce a set of principles that NIST can review and disseminate to federal agencies for consideration for adoption. Board members are concerned that the interpretation of the principles to a lower level of detail would be difficult. Mr. Whitehurst asked Dr. Katzke if NIST was given any guidance as to what was expected for the GSSPs or whether NPR personnel expressed the need for GSSPs. Mr. McNulty interjected that he thought it was the latter. Mr. Whitehurst suggested that one approach be that the NIST Handbook serve as the GSSPs when completed. Mr. Whitehurst asked when something would be distributed from NIST for comment. Ms. Marianne Swanson, NIST, replied that the GSSP Pervasive Principles working group will meet in February to develop a new draft of Pervasive Principles. It is anticipated that the draft will be out for GSSP committee review by the end of February. The draft will be out for public review in mid-April. Board Discussion During the discussion period, Board members suggested that the NIST handbook or a version of the Common Criteria begin with a statement that the document is supportive of the GSSPs. Mr. McNulty said that he would send the Board a pre-publication copy of the handbook by the March meeting. (ACTION - SECRETARY) After the September minutes were discussed, they were unanimously approved by the Board. Ms. Cynthia Rand, who is resigning from the Board, was recognized with a certificate by the Chairman for her contributions to the Board. Mr. Cris Castro addressed the Board with regard to what industry is doing on software metering in which software companies make arrangements with customers to license usage of software for a period of time. The software company charges the customer based on various factors such as the number of users or length of use. Mr. Castro will provide an update at the March meeting. Mr. 
Steve Walker gave the Board an update of the TIS proposed Commercial Key Escrow (CKE) System. He discussed a system that does not have to have government escrowed keys and uses a software-based key escrow encryption system. He said that Clipper/Capstone will never be accepted in the commercial world even if it were implemented in software. Mr. Walker went on to describe a Data Recovery Center (DRC) approach. He thinks that the licensed DRC is a good approach because it benefits both the individual and the corporation. It also satisfies law enforcement requirements. He said there is a risk of proliferation of ad hoc approaches, which may not necessarily be compatible, without the DRC approach. (See Reference #11.) Government Digital Signature Activities Mr. Al Williams, Telecommunications Specialist with the General Services Administration, briefed the Board on the newly created Security Infrastructure Program Management Office (SI-PMO). Mr. Williams began by explaining that the SI-PMO will be responsible for ensuring that security is addressed in the government-wide e-mail program and will be chaired by GSA/OIS and DoD. There is a federal steering committee chaired by NIST to oversee the reporting process. Mr. Williams said that GSA made a proposal through the National Information Infrastructure (NII) process to the Government Information Technology Services (GITS) committee and the NII Security Issues Forum. Mr. McNulty said he would provide copies of the proposal to the Board. (ACTION - SECRETARY) Mr. Williams said he would appreciate feedback on the proposal from the Board. He also noted that GSA and NIST have requested a $2.9M budget for FY95. GSA only received $1.15M. A portion of that was to establish the SI-PMO. Mr. Williams remarked that the GITS working group directed that a User's Group be established to support the SI-PMO goals. (See Reference #12.) Mr. 
Robert Rosenthal, Manager, Protocol Security Group, NIST, updated the Board on the NIST proposed procurement for a prototype infrastructure for certificate management services. Mr. Rosenthal said that it is important to understand how this contrasts with GSA's previous briefing. The Public Key Infrastructure (PKI) Request for Comments (RFC) is consistent with the MITRE study's recommendations for a government PKI. The RFC articulated a desire to have commercial off-the-shelf products built and integrated in a fashion that would provide for the management of certificates for use within the federal government to support NIST's Digital Signature Standard (DSS). The pilot would allow NIST to: (1) Gain practical experience managing certificate services, (2) Obtain empirical operational data to assist in making future policy decisions, (3) Attain costing information--building, installing and operating, and (4) Gain technical experience integrating commercial off-the-shelf components. Mr. Rosenthal discussed a timeline for the pilot. He said that in October of 1994, NIST issued an RFC in the Commerce Business Daily describing a proposed procurement for public key infrastructure services. The RFC was announced at the National Computer Security Conference in October of 1994. NIST plans to have the comments analyzed, reviewed, and the RFP modified by January 31, 1995. He said it would take about five months for the whole process to get to contract award. Mr. Rosenthal hopes to have an operational PKI by the end of next calendar year and said that technical work remains to be done to integrate the RFC into an RFP. (See Reference #13.) Mr. Dick Rothwell, Senior Director, Technology Integration, U.S. Postal Service, briefed the Board on the Postal Electronic Commerce Services. He said that the Postal Service has been working for the past couple of years on the development of a Public Key Certificate Management Infrastructure. 
He said that they are at a stage today where they are definitely in prototype and have started testing with the Federal Aviation Administration. He said that the Postal Service is involved in this activity because it is based on their original mandate to bind together a diverse nation through the correspondence of the people. He said that the Postal Service wants to enable the various technologies and services of electronic mail, directory services, and electronic commerce. The intention is to provide electronic commerce services at utility rates. That would be annual fees for certification issuance (like that of a driver's license with a small renewal fee). There would also be a small transaction fee that would cost only a few cents. He said that the four attributes of hardcopy mailed correspondence (postmark, sealed envelope, absence of tamper marks, and signature) would have analogs for electronic correspondence.

Chairman Ware asked Mr. Rothwell if he could comment on the legal status of quasi-government organizations. Dr. Ware said this becomes an important issue when someone asks if they can be sued, which in turn is related to liability. Mr. Rothwell said that the Postal Service would not provide electronic commerce services without accepting liability. (See Reference #14.)

ARPA Security Program

Ms. Teresa Lunt, Program Manager for the Computer Systems Technology Office at the Advanced Research Projects Agency (ARPA), briefed the Board on their NII Security/Privacy Program. Ms. Lunt said that the primary goal of the program is to protect US national and economic interest from loss through electronic attack. One way to accomplish this is to use a secure enclave, which enables technology to be distributed to users within a common security perimeter (i.e., firewalls and confinement-based Operating Systems Security are applied).
She said that some of the tools for network security will include the elimination of weaknesses in the network infrastructure by adding authentication, authorization, nonrepudiation, etc. There will be tools to provide for services fundamental to DoD business use of NII/DII. Hardware encryption devices will be developed for high speed, flexible interfaces. A key management infrastructure will produce key generation, distribution, revocation, etc., and interoperability of encryption-based security services. (See Reference #15.) The Board invited Ms. Lunt to present an update at the June 1995 meeting.

During Board discussion, Mr. Bill Whitehurst briefed the Board on the Organization for Economic Cooperation and Development's (OECD) three-day international workshop on Privacy, Data Protection, Security, and Intellectual Property Rights. The following issues were addressed:

- A vision of future computing, showing multimedia applications.
- A book entitled Privacy on the Canadian Information Superhighway.
- Privacy in medical data.
- The use of information technologies to provide the protection to personal data in intellectual property.
- Digital cash and digicash.
- Intellectual property and copyright law.
- Cryptography as a fundamental technology as a requirement on the GII.
- Services that would be offered over an information infrastructure.
- Security of information systems with regard to policy issues and options.

Mr. Whitehurst related that during the wrap-up session, the secretariat remarked that the three-day sessions helped "demystify" some of the security and privacy issues. Mr. Whitehurst said that five or six nations have taken the OECD security guidelines to the next level of detail. France developed seventy rules that come from the nine principles in the OECD security guidelines. Also, the codes of practice have been adopted by many nations. The codes of practice were presented to ISO and will be issued as a technical report as opposed to a standard.
The UK is planning to adapt those codes of practice to small and medium-size firms and to federal agencies. Sweden discussed an effort underway to install more than 40,000 workstations in their crime unit and tax department. All of the workstations will use RSA for public key encryption. (See Reference #16.)

During final Board discussion, the Chairman remarked on the agenda for the March meeting. The decision is to have one of the two days devoted to the Common Criteria. Mr. McNulty suggested that there may also be a need to focus on the security issue in government-wide e-mail. Board members also requested an update on the GSSP effort.

The meeting adjourned at 4:40 p.m.

References

#1 - McNulty slides
#2 - Veeder slides
#3 - Winston slides
#4 - Clark paper
#5 - Koscinski paper
#6 - Mitchell paper
#7 - Ayers slides
#8 - DeWitt slides
#9 - Bergren slides
#10 - Ozier slides
#11 - Walker slides
#12 - Williams slide
#13 - Rosenthal slide
#14 - Rothwell slides
#15 - Lunt slides FOUO
#16 - Whitehurst handout

/s/
Lynn McNulty
Secretary

CERTIFIED as a true and accurate summary of the meeting

/s/
Willis Ware
Chairman