MEETING WITH JOHN STEIN REGARDING THE JOINT IC/DOD ELECTRONIC INFORMATION SECURITY PROJECT

Document Type: 
Collection: 
Document Number (FOIA) /ESDN (CREST): CIA-RDP85M00364R000400510031-1
Release Decision: RIPPUB
Original Classification: S
Document Page Count: 4
Document Creation Date: January 4, 2017
Document Release Date: April 14, 2008
Sequence Number: 31
Case Number: 
Publication Date: June 6, 1983
Content Type: MEMO
Body: 
MEMORANDUM FOR: Director, Planning and Policy Staff
DCI/ICS 83-4413
6 June 1983
Approved For Release 2008/04/14: CIA-RDP85M00364R000400510031-1
Information Handling Committee, ICS
SUBJECT: Meeting with John Stein regarding the Joint IC/DoD Electronic Information Security Project
FROM:

1. On 11 May 1983, met with Mr. John Stein, CIA/DDO, to discuss the joint IC/DoD Electronic Information Security (ELINFOSEC) project. briefed Mr. Stein on the objectives of the project and on the proposed conduct of the effort. She noted that the effort is bigger than just computer security, stating that it must encompass both the computers that process data and communications that link computers with users. also noted that the project will be concerned with three major categories of personnel and processes: (a) the producers of intelligence such as CIA/DDO who are concerned about the security of their products when processed in electronic information systems, (b) the customers of the intelligence such as the nuclear CINCs who are concerned about the timely receipt and analysis of the intelligence product, and (c) the personnel and equipment involved in storing the data in computers or transmitting it via communications links. M tPin ed that these three groups should be included in the effort.

2. briefed Mr. Stein on the five areas that will be addressed in parallel tasks during the conduct of the effort. These five areas were summarized as follows:

o Policy - Will deal with the possible revision, upgrading, or re-endorsement of relevant existing policies in the Intelligence and National Security communities (e.g., DCID 1/16, DCID 1/7, and DIAM 50-4). Policies protecting methods and sources. Handshake agreements between "source" and "user" policy officials (e.g., MOUs).

o Process - Will deal with the development or revision of processes and procedures needed for obtaining ELINFOSEC Certifications/Accreditation for varying levels of "secure operations." This will include analyses and recommendations related to items such as the qualified products list, systems operation at specified security levels, designation of accreditation/certification/standards-adherence responsibilities. noted that field/theater commander's ELINFOSEC processes will probably differ from Headquarters, Management, and S&T organizational ELINFOSEC processes.

o Vulnerabilities, Threats, and Risks Associated With Existing Systems - Will identify the most serious or most easily exploitable vulnerabilities from existing experience and knowledge. Anecdotal or case examples within the IC and National Security communities will form a descriptive taxonomy for explaining the ELINFOSEC vulnerability-threat. Remedies for the most serious threats will be cited and options for solution and recommendations will be provided to assist in program-budget decisions.

o Technology Application, Innovation and Inventin Efforts Needed for ELINFOSEC - Will identify and endorse the application of existing technology that can be used to resolve ELINFOSEC problems as fast as possible. It will also identify technology gaps or shortfalls so that needed R&D can be undertaken by appropriate agencies/organizations.

o An Agenda for Action - Will be based on the preceding four efforts. Will identify action priorities hierarchically with the first probably being to fix selected existing systems deemed to be most needed and most vulnerable. Will include development and imposition of a set of designated "critical ELINFOSEC" standards. Includes preparing most needed policy document drafts

3. Mr. Stein agreed that these were the areas that needed to be addressed and offered his personal support of the project. There was a general discussion on each of these areas, and noted that he felt CIA/DDO played a role in the certification/accreditation process for security features such as the CIA RECON effort. noted that the project will address the role that producers of intelligence play in certifying/accrediting electronic information systems. Mr. Stein agreed that producers should be involved in the accreditation process and again provided his support of the effort.

4. referenced the recent message sent to various elements of the Community by the DDO which constitutes a general policy regarding the storage and processing of CIA/DDO products in electronic information systems. asked Mr. Stein if there were specific concerns that prompted the development of the message. Mr. Stein noted his general concern and the concern of his Directorate with the expansion of electronic information systems that process highly sensitive information that could reveal sensitive methods and sources. He expressed a concern that there appears to be a general reduction in positive control as we increase the use of electronic systems. He noted that his Directorate deals with the gathering of intelligence using human sources and is, therefore, highly cognizant of the potential for compromise. Mr. Stein noted that the Community has to develop security processes to ensure that avoidable compromises do not occur, and that unavoidabl s are contained with absolutely clear audit trails to the incident.

5. Mr. Stein addressed several problems dealing with the processing of materials that could reveal sensitive methods and sources. He acknowledged

SECRET

6. Mr. Stein stated that he felt the Community needed to develop an electronic information processing policy based on compartmentation and need-to-know controls.

7. Mr. Stein also stated that he had asked Director of SIGINT Operations, DDS&T/CIA, to assist DDO in its efforts to plan for and develop a secure CRAFT automated support system. Mr. Stein suggested be contacted ation and request assistance for efforts .

8. Mr. Stein recommended that be briefed on the DDO's automated systems and other computer-related . He noted that the following personnel should be contacted in the Directorate:

9. Mr. Stein ended the meeting by again offering his support o effort. He offered two questions that he felt the Community needs to address: (a) Why should everybody see what the DCI sees? (b) Is this the direction we want to go for an electronic information security policy? noted that these were key questions that would be addressed by the project.