MEETING WITH JOHN STEIN REGARDING THE JOINT IC/DOD ELECTRONIC INFORMATION SECURITY PROJECT
Document Type:
Collection:
Document Number (FOIA) /ESDN (CREST):
CIA-RDP85M00364R000400510031-1
Release Decision:
RIPPUB
Original Classification:
S
Document Page Count:
4
Document Creation Date:
January 4, 2017
Document Release Date:
April 14, 2008
Sequence Number:
31
Case Number:
Publication Date:
June 6, 1983
Content Type:
MEMO
File:
Attachment | Size |
---|---|
CIA-RDP85M00364R000400510031-1.pdf | 170.19 KB |
Body:
MEMORANDUM FOR: Director, Planning and Policy Staff
DCI/ICS 83-4413
6 June 1983
Approved For Release 2008/04/14: CIA-RDP85M00364R000400510031-1
Information Handling Committee, ICS
SUBJECT: Meeting with John Stein regarding the Joint IC/DoD
Electronic Information Security Project
FROM:
On 11 May 1983, met with Mr. John Stein, 25X1
CIA/DDO, to discuss the joint IC/DoD Electronic Information Security
(ELINFOSEC) project. briefed Mr. Stein on the objectives of the 25X1
project and on the proposed conduct of the effort. She noted that the effort
is bigger than just computer security, stating that it must encompass both the
computers that process data and communications that link computers with
users. also noted that the project will be concerned with three 25X1
major categories of personnel and processes: (a) the producers of
intelligence such as CIA/DDO who are concerned about the security of their
products when processed in electronic information systems, (b) the customers
of the intelligence such as the nuclear CINCs who are concerned about the
timely receipt and analysis of the intelligence product, and (c) the personnel
and equipment involved in storing the data in computers or transmitting it via
communications links. Mr. Stein agreed that these three groups should be
included in the effort. 25X1
2. briefed Mr. Stein on the five areas that will be addressed
in parallel tasks during the conduct of the effort. These five areas were
summarized as follows:
o Policy - Will deal with the possible revision, upgrading, or
re-endorsement of relevant existing policies in the Intelligence and
National Security communities (e.g., DCID 1/16, DCID 1/7, and
DIAM 50-4). Policies protecting methods and sources. Handshake
agreements between "source" and "user" policy officials (e.g.,
MOUs).
o Process - Will deal with the development or revision of processes
and procedures needed for obtaining ELINFOSEC Certifications/Accreditation
for varying levels of "secure operations." This will
include analyses and recommendations related to items such as the
qualified products list, systems operation at specified security
levels, designation of accreditation/certification/standards-adherence
responsibilities. noted that field/theater
commander's ELINFOSEC processes will probably differ from Headquarters,
Management, and S&T organizational ELINFOSEC processes.
o Vulnerabilities, Threats, and Risks Associated With Existing
Systems - Will identify the most serious or most easily exploitable
vulnerabilities from existing experience and knowledge.
Anecdotal or case examples within the IC and National Security
communities will form a descriptive taxonomy for explaining the
ELINFOSEC vulnerability-threat. Remedies for the most serious
threats will be cited and options for solution and recommendations
will be provided to assist in program-budget decisions.
o Technology Application, Innovation and Inventing Efforts Needed
for ELINFOSEC - Will identify and endorse the application of
existing technology that can be used to resolve ELINFOSEC problems
as fast as possible. It will also identify technology gaps
or shortfalls so that needed R&D can be undertaken by appropriate
agencies/organizations.
o An Agenda for Action - Will be based on the preceding four
efforts. Will identify action priorities hierarchically with the
first probably being to fix selected existing systems deemed to
be most needed and most vulnerable. Will include development and
imposition of a set of designated "critical ELINFOSEC"
standards. Includes preparing most needed policy document
drafts 25X1
3. Mr. Stein agreed that these were the areas that needed to be
addressed and offered his personal support of the project. There was a
general discussion on each of these areas, and noted that he felt 25X1
CIA/DDO played a role in the certification/accreditation process for
security features such as the CIA RECON effort. noted that the 25X1
project will address the role that producers of intelligence play in
certifying/accrediting electronic information systems. Mr. Stein agreed that
producers should be involved in the accreditation process and again provided
his support of the effort. 25X1
4. referenced the recent message sent to various elements of 25X1
the Community by the DDO which constitutes a general policy regarding the
storage and processing of CIA/DDO products in electronic information
systems. asked Mr. Stein if there were specific concerns that 25X1
prompted the development of the message. Mr. Stein noted his general concern
and the concern of his Directorate with the expansion of electronic information
systems that process highly sensitive information that could reveal
sensitive methods and sources. He expressed a concern that there appears to
be a general reduction in positive control as we increase the use of electronic
systems. He noted that his Directorate deals with the gathering of
intelligence using human sources and is, therefore, highly cognizant of the
potential for compromise 25X1
Mr. Stein noted that the Community has to develop security
processes to ensure that avoidable compromises do not occur, and that
unavoidabl s are contained with absolutely clear audit trails to the
incident.
5. Mr. Stein addressed several problems dealing with the processing of
materials that could reveal sensitive methods and sources. He acknowledged
SECRET
6. Mr. Stein stated that he felt the Community needed to develop an
electronic information processing policy based on compartmentation and
need-to-know controls.
7. Mr. Stein also stated that he had asked Director of SIGINT 25X1
Operations, DDS&T/CIA, to assist DDO in its efforts to plan for and develop a
secure CRAFT automated support system. Mr. Stein suggested be
contacted ation and request assistance for
efforts .
8. Mr. Stein recommended that be briefed on the DDO's automated
systems and other computer-related . He noted that the following
personnel should be contacted in the Directorate:
25X1
25X1
25X1
9. Mr. Stein ended the meeting by again offering his support o
effort. He offered two questions that he felt the Community needs to
address: (a) Why should everybody see what the DCI sees? (b) Is this the
direction we want to go for an electronic information security policy? 25X1
noted that these were key questions that would be addressed by the 25X1
project. 25X1