DOD TESTIMONY ON H.R. 2889, THE COMPUTER SECURITY RESEARCH AND TRAINING ACT OF 1985

Document Number (FOIA) / ESDN (CREST): CIA-RDP87M01152R001101350046-6
Release Decision: RIPPUB
Original Classification: K
Document Page Count: 8
Document Creation Date: December 22, 2016
Document Release Date: March 19, 2010
Sequence Number: 46
Publication Date: September 16, 1985
Content Type: MEMO
Body: 
Office of Legislative Liaison

Sanitized Copy Approved for Release 2010/04/06: CIA-RDP87M01152R001101350046-6

EXECUTIVE OFFICE OF THE PRESIDENT
OFFICE OF MANAGEMENT AND BUDGET
WASHINGTON, D.C. 20503

September 16, 1985

LEGISLATIVE REFERRAL MEMORANDUM

TO: Legislative Liaison Officer
Department of Commerce - Mike Levitt (377-3151)
General Services Administration - Ebert (566-1250)
Central Intelligence Agency

SUBJECT: DOD testimony on H.R. 2889, the "Computer Security Research and Training Act of 1985"

The Office of Management and Budget requests the views of your agency on the above subject before advising on its relationship to the program of the President, in accordance with OMB Circular A-19.

A response to this request for your views is needed no later than NOON, TUESDAY, SEPTEMBER 17, 1985.

Questions should be referred to Constance J. Bowers (395-3457), the legislative analyst in this office.

Assistant Director for Legislative Reference

Enclosures

cc: Ed Springer, Kevin Sheid, Russ Neely

STATEMENT BY DONALD C. LATHAM
ASSISTANT SECRETARY OF DEFENSE
COMMAND, CONTROL, COMMUNICATIONS, AND INTELLIGENCE
AND CHAIRMAN
NATIONAL TELECOMMUNICATIONS AND INFORMATION SYSTEMS SECURITY COMMITTEE
CONCERNING H.R. 2889
BEFORE THE SUBCOMMITTEE ON LEGISLATION AND NATIONAL SECURITY
COMMITTEE ON GOVERNMENT OPERATIONS
UNITED STATES HOUSE OF REPRESENTATIVES
SEPTEMBER 16, 1985

Mr. Chairman and members of the Subcommittee, thank you for this opportunity to testify on H.R. 2889, known as the "Computer Security Research and Training Act of 1985." This bill has the objectives of providing for a computer security research program within the National Bureau of Standards (NBS) and also providing for the training of those who are involved in the management, operation, and use of Federal automated information systems (AIS). The efforts of this subcommittee are welcome as it carries out its investigation of the importance of computer systems security and considers actions aimed at coming up with comprehensive remedies to this complex issue.

Today, I would like to address myself first to the general intent and overall purpose of the bill by providing perspectives, in my dual roles as both the Assistant Secretary of Defense for Command, Control, Communications and Intelligence and Chairman of the National Telecommunications and Information Systems Security Committee (NTISSC), on the problem we face. I would also like to address one area of potential confusion in the bill requiring clarification so as not to impact adversely on existing Administration efforts. Finally, I have included in my testimony suggested revisions to the bill for your careful review and action.

First, I wholeheartedly support the general intent of H.R. 2889 to provide for much needed support of systems security training and education. All too often this is an area sorely overlooked and poorly funded because it is not glamorous. Also, as you are all too aware, the computer system security problem is extremely complex and solutions to the problem are made all the more difficult by continuing rapid advances in the state-of-the-art. The emerging use of supercomputers and the proliferation of local area networks are but two examples of technology that make the computer systems security problem a challenge that must be faced now. The problem is immense in scope and associated R&D in the area is totally inadequate. The shortage of trained professionals in computer systems security aggravates the problem.

Any effort to try to assist in this endeavor is clearly welcome. In this regard, I view H.R. 2889 as a positive step to achieve consensus on the need for additional resources. The National Bureau of Standards has for some time been an important center of expertise in certain security areas. It is entirely appropriate, therefore, that the NBS be tapped to take on additional responsibilities and funding in research and related activities as reiterated in the bill. Let me quickly caveat my comments by saying that, to be truly effective, these additional NBS efforts must be further focused in the context of on-going efforts such as those which fall under National Security Decision Directive 145, so as to avoid costly duplication of effort. I will address this issue in some detail.

As Chairman of the NTISSC, I view as one of my key responsibilities making sure the problem of computer systems security is recognized by the public at large as an important national issue. We have not done as good a job as we might have done in the past because we were not properly organized. The NTISSC structure now in being provides that organization and we are moving ahead with an aggressive awareness program in concert with similar initiatives being carried out by the NBS. At its last meeting on 4 September 1985, the Subcommittee on Automated Information Systems Security (SAISS), one of two major subcommittees of the NTISSC, approved a proposal to require education and training of federal departments and agencies. I expect the NTISSC to take up this proposal and make it a national policy. In this regard, the National Computer Security Center (NCSC) at the National Security Agency (NSA) has begun development of training courses in AIS systems security for a DoD-sponsored awareness program. The NCSC will provide materials to other government departments and agencies for awareness training. Availability of resources remains a problem.

Let me focus just a moment on some other DoD education and training efforts. We are developing guidelines which will make it easier to determine and specify the level of security that a system needs when generating requests for procurements or acquisitions. Also, we are in the process of issuing a Standard entitled "DoD Trusted Computer System Evaluation Criteria," hereafter referred to as the Criteria, to assist in evaluating the effectiveness of safeguards for Defense applications. By the way, the SAISS adopted use of the Criteria on an interim one-year trial basis. Finally, the DoD is undertaking an ambitious computer vulnerability reporting program aimed at correcting security weaknesses in DoD computer systems. This effort should also be very useful for designing a national reporting program.

In my testimony for Mr. Glickman, Chairman of the Subcommittee on Transportation, Aviation and Materials, Committee on Science and Technology, on 27 June 1985, I indicated that a high priority item was trying to provide a working definition for what constitutes "sensitive" information. Since that time, the SAISS has approved for issuance to the NTISSC a proposal for defining sensitive information. Specifically, it separates unclassified but sensitive information into two categories: sensitive national security-related; and sensitive non-national security-related. NSDD-145 is only for the former category; non-national security-related is the concern of the civilian sector, with NBS playing a major role. Let me reiterate that NSDD-145 does not cover unclassified but sensitive non-national security-related information and therefore it in no way restricts, controls, or manages the activities of other federal departments or agencies who have responsibilities in non-national security-related areas.

In order to maintain this clear demarcation line, language in H.R. 2889 making reference to "sensitive" information should be amended to reflect that "unclassified but sensitive non-national security-related" data is the subject data in question.

On the matter of research and development (R&D) responsibilities, the NBS has a well-developed program in the area of computer systems security. The NBS derives its responsibilities from the Brooks Act of 1965 (P.L. 89-306), the Privacy Act of 1974 (P.L. 93-579), and the Paperwork Reduction Act of 1980 (P.L. 96-511). We view these responsibilities as distinct both in intent and focus from those cited in NSDD-145. Again, NSDD-145 addresses only unclassified but sensitive national security-related information and does not cover unclassified but sensitive non-national security-related information. More directly, privacy information, information on fraud, waste, and abuse, or proprietary data held by an agency is not covered by NSDD-145 dictates. Let me quickly add that we don't intend to meddle in NBS authorities or responsibilities in these areas. Rather, we see the NBS efforts and those of other federal agencies under NSDD-145 as complementary and supportive of each other. Clearly, technical measures and techniques can apply equally well in many circumstances and technical interaction must be encouraged. Indicative of the strong current relationship between the NBS and the DoD is the high level of cooperation between the NBS and the National Computer Security Center at NSA, which is already impressive and growing. Specifically, they have jointly sponsored for the past eight years a National Computer Security Conference.

This year's conference, scheduled from 29 September 1985 to 3 October 1985, will focus on mutual subjects of concern such as secure networks, verification, labelling, a profile of "hackers," and data base management security, to name just a few. It will be attended by business, academia and government and allows for critical transfer of the results of the National Computer Security Center research and the NBS research throughout government and the private sector. Important work is proceeding between NBS and the NCSC in the area of personal computers and office automation. In this regard, a Guideline on Password Management is being published by the NCSC and will become an appendix to the NBS Password Usage Standard already in existence. Additionally, the NBS has done impressive work in micro-computer and mini-computer systems security which the NCSC is using. As a final example, NBS and the NCSC are sponsoring a symposium on risk analysis to examine methodologies of mutual benefit. Again, these efforts represent the high degree of interaction between these two centers of expertise. This cooperation must continue. However, the federal audiences for their respective services are different. The NCSC's target audience is the National Security Community while NBS services the civilian sector. While the staffs of both organizations are highly specialized, there is continuing reliance by NCSC staff on Institute for Computer Sciences and Technology (ICST) expertise and vice-versa. In fact, two NSA employees currently are working at NBS with the purpose of transferring expertise to civilian users. This arrangement has worked remarkably well in the past and must be preserved. Let me add that the NBS has taken an active role in the Subcommittee on Automated Information Systems Security (SAISS) of the NTISSC. The NBS member is the ICST Director, Mr. James Burrows. Mr. Burrows has been instrumental in the promulgation of the recent directive on defining the categories of information as well as the issuance on training and education.

As a final point on the issue of NSDD-145 and NBS responsibilities, NSDD-145 requires that NBS submit for NTISSC approval proposed computer systems security standards prior to their issuance as a Federal Information Processing Standard (FIPS). Once again, this applies only to proposed standards where national security-related matters are concerned. Standards unrelated to national security are not covered. In this regard, it is anticipated that Federal Information Processing Standard No. 112, Password Usage Standard, will be the first such standard processed under the NTISSC structure because it applies to both unclassified and classified processing environments.

In accordance with the preceding, I would now like to turn my attention to some of the areas in the bill that potentially could cause confusion and which, I feel, could benefit from additional clarification. First, on page 2 of H.R. 2889, reference is made to "sensitive" information. I suggest this be amended to read "sensitive unclassified non-national security-related." Also, for clarity, this phrase should also be used to modify the term "information" as used on page 3. Second, on page 3 of H.R. 2889, Section 18(a) should be amended to clearly set forth that H.R. 2889 does not seek to impact Administration efforts under NSDD-145. Therefore, I propose the following be inserted as the last sentence of paragraph (c): The following NBS program shall be undertaken in consonance with those computer system security responsibilities delineated in National Security Decision Directive 145, "National Policy on Telecommunications and Automated Information Systems Security."

This important adjustment minimizes overlap of responsibilities between the Department of Commerce and the Department of Defense and recognizes that both programs are complementary. In closing, let me allay the fears of those who feel that NSDD-145 does in some way, shape, or form restrict current NBS standards-making efforts. NSDD-145 and the NBS research and development programs stemming from the statutory base already mentioned are compatible and complementary. Computer systems security is a major challenge that needs all the available brainpower and resources this nation can muster. As such, let's move ahead together in the spirit of harmony and cooperation, not competition. I feel H.R. 2889, with the recommended changes I proposed, is a positive step in fostering this spirit of cooperation. Accompanying me is Mr. Robert Rich, Deputy Director, NSA, who will further describe the activities of the Computer Security Center and other programs now being carried out by NSA in the areas of computer systems security awareness, education, training, and research and development.

Mr. Chairman, this concludes my prepared remarks. I would be happy to answer any questions that you or the Subcommittee have.