Declassified in Part - Sanitized Copy Approved for Release 2013/04/10: CIA-RDP89B01354R000400510013-8 LrkswEi 1 25X1 DIRECTOR OF CENTRAL INTELLIGENCE SECURITY COMMITTEE Computer Security Subcommittee DCISEC-CSS-M102 20 July 1977 COMPUTER SECURITY SUBCOMMITTEE OF THE DIRECTOR CENTRAL INTELLIGENCE SECURITY COMMITTEE Minutes of Held at CIA McLean, Va. 14 July 1977 1. The one-hundred and second meeting of the Computer Security Subcommittee Committee CIA, were: of the Director of Central Intelligence was held between 0930 and 1300 hours on 14 Security July In attenance 1977 at 25X1 25X1 Mt. Robert Kyanko, Treasury/Secret Service Member 25X1 Capt. Ron Pherigo, Air Force Member 25X1 Mr. George S. Herrmann, State Member 25X1 LCDR Dean H. Beyer, OJCS Observer 25X1 c_k fn'"'"'71 /eNt";cM: (177:173, P77_77 23-2) Ev,-yiempt ,f;7. 2: 2, Cai' kieciaz.sify ii1(1!..2,1,14,cation by tito_prigistattty 25X1 CDNPTTN11AL Declassified in Part - Sanitized Copy Approved for Release 2013/04/10: CIA-RDP89B01354R000400510013-8 fil ezencT, _ Declassified in Part - Sanitized Copy Approved for Release 2013/04/10: CIA-RDP89B01354R000400510013-8 - TC7 ET KT UtgaidG 2. The security level of the meeting was 3. The Chairman opened the meeting with a request of the Security Committee to formulate level computer system security. Specifically, presented to the members: To: John McMahon (Director IC Staff) From: Cdr. McMahon TOP SECRET SI. discussion of a DCI a policy for multi- the following note was 27 June 1977 The Director would like the NFIB to study and formulate a policy for Multi-Level Computer System Security for the Intelligence Community. Very respectfully yours McMahon " Discussion ensued on how to respond to the Director's request. The Chairman stated that he would work with IHC 25X1 and , Executive Secretary Security Committee in 25X1 preparing a written response. The DIA and Air Force members re- quested that the response be coordinated with the Subcommittee before presenting it to the DCI. 4. The Chairman solicited comments from the members on the IHC Computer Security Issue paper. The Army and State members prepared their comments in writing. They are attached to these minutes as inclosures 1 (Army) and 2 (State). The Navy and ERDA members had no comments, The FBI member advocated the appointment of an advisory group to deal with the problems of R&D and Threat. He also believes that NSA could best serve as the organization responsible for centrally advising the community on matters involving computer security. The CIA member suggested that the Subcommittee serve as a tasking agent for the Community for resolution of specific problems. The Air Force member recommended that a better definition of multi-level security be written. He advocated a single set of operat- ing modes and a single, but coordinated, R&D effort. He suggested that '7thete) be formal tasking from the Intelligence Community on computer security requirements. He felt that one Agency, such as NSA, should not be appointed a central technical authority role. 2 tfl",enfi%,0 Et7, trA, a tt. a Declassified in Part - Sanitized Copy Approved for Release 2013/04/10: CIA-RDP89B01354R000400510013-8 Declassified in Part - Sanitized Copy Approved for Release 2013/04/10: CIA-RDP89B01354R000400510013-8 v4,00-141wouli 2? 2 2.4 BUskL. The DIA member advocates that basic policy in computer security should be established. There also should be guidance on how to test and secure networks. The operational modes in net- working must be defined. DIA non-concurs in the suggestion of NSA being named the central technical authority. The NSA member suggested that the technical issues of computer security should be addressed by the Subcommittee. Also, the Subcommittee should act as the focal point for the DCI in identifying community computer security needs. The Subcommittee would then recommend to the DCI the best Agency to task for meeting the need. She further feels there should be a publication of wide dissemination on computer vulnerabilities. The Subcommittee should discuss ways of making information on the subject available to users and operators. The Treasury member agrees with the position presented by the State member. The Treasury member feels there is a fundamental communications gap in computer security, particularly the lack of definitions. He opposes the single agency concept for central technical authority and advocates an interagency group. He stated that Treasury lacks funds for R&D and therefore relys on the Intelligence Community for development in this area. 5. The meeting adjourned with the Chairman announcing a request of each agency to present its R&D programs in Computer Security for the next meeting. C Executive Secretary Computer Security Subcommittee EN 25X1 Declassified in Part - Sanitized Copy Approved for Release 2013/04/10: CIA-RDP89B01354R000400510013-8 Declassified in Part - Sanitized Copy Approved for Release 2013/04/10: CIA-RDP89B01354R000400510013-8 LiDEPARTMENT OF THE ARMY L.) DAM I-SS OFFICE OF THE ASSISTANT CHIEF OF STAFF FOR INTELLIGENCE WASHINGTON. D.C. 20310 1 3 JUL 1977 MEMORANDUM FOR: CHAIRMAN AND MEMBERS OF THE DCI COM- PUTER SECURITY SUBCOMMITTEE SUBJECT: Comments on IHC Issue Paper on Computer Security 1. The IHC Issue Paper is an excellent summarization of the automation security problems confronting the Intelligence Community today. The traditional problems plus the four additional issues enumerated in the paper are common to all the community membership and should be addressed through a unified approach. It must also be understood that these problems are not only common to the task of protecting classified information in an automated environment, but are equally applicable to the protection of the unclassified information areas which we are obliged to protect--privacy, proprietary, assets, and resources (against theft and fraud). The Intelligence Community has traditionally taken the lead in automation security because of its critical need to protect intelligence sources and methods, but the IC is only a subset of the federal government's automation agencies requiring protection. 2. A universal problem in DOD is the shortage of manpower and financial resources which can be dedicated to the automation security mission. We are all cognizant of many aspects of the overall problem which we could address if we had the resources to commit. Unfortunately, the political climate at this time is not favorable to support for any action which appears to benefit the Intelligence Community as .a whole or in its parts. 3. The new privacy directive, which we have not had the opportunity to review yet, reportedly contains requirements which demand that personal data not only must be protected, but that accesses to it must be recorded in an audit trail reviewable on demand by the subject of the data. This protection would extend to the data element level within individual automated records. If we equate these privacy protection requirements to classified information protection we find almost an exact parallel. Control of information to the data element level and maintenance of an audit trail on each access has a clear counterpart in applying the "need-to-know" principle in automated intelligence files. 4. Since there is great public (and hence, congressional) support for privacy protection, we propose that the computer security elements of the various Intelligence Community agencies get behind, encourage, and guide their privacy protection counterparts in the actions necessary to achieve protection (security) at the expense of the privacy groundswell now underway. Declassified in Part - Sanitized Copy Approved for Release 2013/04/10: CIA-RDP89B01354R000400510013-8 Declassified in Part - Sanitized Copy Approved for Release 2013/04/10: CIA-RDP89B01354R000400510013-8 DAMI-SS SUBJECT: Comments on IHC Issue Paper on Computer Security 5. The Computer Security Subcommittee (CSS) remains the most suitable vehicle for attack of our common problems. It should continue to be the forum in which general policy for community automation security is aired, argued, and established. The member agencies should then be permitted to convert that general policy to doctrine suitable for application within their jurisdictions. 6. The CSS could be made more effective by providing it with a small permanent support staff (not more than six persons) from IC resources. The support staff could function under policy control of the CSS and provide it with research, editorial, limited technical, and administrative support. 7. We agree with the initial statements of the paragraph titled "Impact on 10- Year Planning," but disagree with the implication of its penultimate sentence. Diversity of membership dictates that autocratic direction of this or any other intelligence effort is undesirable. The Intelligence Community? can solve_ its automation security problems in a "tight," cooperative confederation where each member has an equal voice in policy decisions. 8. New technology applicable to automation security is advancing in quantum leaps. Solution of our problem requires a combination of this new technology with ? imagination, initiative-, existing and developing risk and security management techniques and procedures, dedicated effort, and managerial commitment of money and manpower. Absolute automation security will never be achieved in this dynamic environment, but we can and must provide our agency heads with increasingly sophisticated levels of protection to counter the increasing risks which confront them. Our task, like the testing of the mythical King Tantalus, is an endless challenge. 2 Declassified in Part - Sanitized Copy Approved for Release 2013/04/10: CIA-RDP89B01354R000400510013-8 rnNPTD4TTAL Declassified in Part - Sanitized Copy Approved for Release 2013/04/10: CIA-RDP89B01354R000400510013-8 MEMORANDUM TO: bEPARTMENT OF STATE Wash,r.rtor, D.C. 70520 Chairman ..DATE: July 13, 25X1: Computer Security Subcommittee National Security Agency Fort George G. Meade, Maryland 20755 THRU: Chie Office on of Technnical Services f Security INFO: INR/DDC: Mr. William E. Berry 0/ISO: Mr. Wally W. Francis SY/PS & I: Mr. William H. Armor SY/CC: Miss Concetta Conigliaro FROM: George S. Herrmann State Member Computer Security Subcommittee SUBJECT: State Comments on IHC Computer Security Issue Paper 1. Members of the Computer Security Subcommittee have been asked to review an issue paper generated by the DCI Information Handling Committee, a copy of which is attached. Following our review of the paper, we were asked by to respo25X1 to several questions. These were: a. Should NSA be the technical accreditation agency for computer security matters, as it is for COMSEC matters? b. List the three highest priority computer security problems. c. Give an estimate of the resources your agency can bring to bear on these problems. d. After DCID 1/16 is revised and published, what further computer security policy and guidance do we need? 2. I find it rather stimulating to be asked to consider something other than another draft of DCID 1/16, and have read the IHC issue paper with interest. On my initial reading, ???? Cip.N.PT557:-TAL 25X1 Declassified in Part - Sanitized Copy Approved for Release 2013/04/10: CIA-RDP89B01354R000400510013-8 Declassified in Part - Sanitized Copy Approved for Release 2013/04/10: CIA-RDP89B01354R000400510013-8 - CONFIDENTIAL -2- the paper did not do much for me: it advances many computer security requirements without suggesting solutions. On re-reading the paper, though, .I would suggest that the IHC has done us a service ?by highlighting prominent holes in our computer security posture. Closing these holes is a proper fuhction of the Computer Security Subcommittee: it doesn't matter who points out our weaknesses, so long as we address them. Accordingly, I find the IHC issue paper a useful departure point for CSS discussion. 3. I propose the following answers to a. Accreditation Agency: questions 25X1 For my money, NSA should be the U.S. technical accreditation agency for computer security. I have had some experience in complying with NSA-estblished accreditation procedures for COMSEC installations, and I think they do a first rate job in this area. We need an accrediting agency to establish community-wide standards, and I feel that NSA has the staff, resources and interest to do a thorough job in this area. ? b. What are our computer security problems, as a community? The reconciliation of the operational requirements of the Department of Defense with the computer security requirements of our civilian intelligence-generating -agencies is the highest priority computer security problem currently facing the United States Government. We have tried to achieve this reconciliation in subcommittee work to no avail for several years, and work on this issue has quagmired qualified people who would otherwise have addressed problems like those in the IHC issue paper. If decisive action by the DCI can achieve this reconciliation, it should be suggested; if a major R&D effort is required to develop technology that will suit both sides of this issue, such an effort should be initiated. I suggest that the lack of a community-wide or even agency- wide reporting system for computer security violations is a major problem within the community. If your agency is penetrated, whom do you inform, and what means of reporting do you use? General guidelines of the nature do not Presently exist. CONFIDENTIAL Declassified in Part - Sanitized Copy Approved for Release 2013/04/10: CIA-RDP89B01354R000400510013-8 A Declassified in Part - Sanitized Copy Approved for Release 2013/04/10: CIA-RDP89B01354R000400510013-8 CONFIDENTIAL -3- We cannot wisely develop threat estimates, hardware, firm- ware or software countermeasures to penetration attempts without an effective 'i-.. ? ?-netration or hazard reporting. I think talk at the CSS June meeting was very ins ructive: a DCI-promulgated procedural guide fore reporting computer security penetrations is a pressing requirement. Computer security is a relatively new field, and expertise in this field is not widespread. We need to get this expertise into the hands of intelligence community computer system operators and managers in short order, and we need to do this effectively. I suggest that we need an inter- agency school, Provided with instructors from the various member agencies, that will train IC users in the problems of computer security. This school should work closely with private industry to keep its material current. c: Resource Estimate: The Department of State can provide little in the way of human resources to help solve computer security problems: some financial resources might be made available to support computer security research projects if other agencies were also to contribute funds. d. Further Guidance: Once DCID 1/16 is published, someone in the IC staff should be charged on a full-time basis with coordinating intelligence community compliance to the directive. This individual or office should work closely with the Computer Security Subcommittee to point out problems and help resolve them. The subcommittee should turn its attention to the development of standards for testing and accreditation. DISTRIBUTION: 1-Addressee 1-Each info addressee 1-Subject file 1-Readina file CONFIDENTIAL 25X1 25X1 Declassified in Part - Sanitized Copy Approved for Release 2013/04/10: CIA-RDP89B01354R000400510013-8