Minutes of the Meeting of the Computer System Security and Privacy Advisory Board
December 9-11, 1997
National Institute of Standards and Technology
Gaithersburg, MD

Tuesday, December 9, 1997

A quorum being present, the meeting was called to order by Chairman Willis Ware at 9:00 a.m. The Board Secretary, Ed Roback, welcomed everyone and reviewed the agenda and related handout materials that had been provided to the members. Those members in attendance were: Genevieve Burns, John Davis, Addison Fischer, John Layton, Joe Leo, Gloria Parker, Randolph Sanovic, George Trubow, Linda Vetter, Jim Wade, and Rick Weingarten. All portions of the meeting were held in open, public session.

Mr. Roback informed the members that a Federal Register notice dated December 1, 1997, had been issued calling for input to the planning process for 1998 activities of the Board. Comments are due by January 30, 1998. [Reference #1]

Annual INFOSEC Survey

Mr. Dan Woolley, Director, Mid-Atlantic Information Security Service, Ernst and Young, LLP, presented an overview of their 5th Annual Global Information Security Survey for 1997. [Reference #2] This survey was conducted between July and August of 1997 and covered 24 countries. The total number of responses received was 4,226, of which 627 responses were from the United States. He cited several statistics of information security losses:
-- the average take of the computer-based criminal is over $800K, compared with only $6.1K for an old-fashioned bank robber;
-- the cellular phone industry loses an estimated $1.5M a day from fraud; combined with long-distance fraud, the Telecom industry is losing between $4B and $5B annually; and
-- U.S. companies lost $5.2B from theft of proprietary information from 1993-95, with the average loss of information being $26M per incident.

Mr. Woolley said that they found that security awareness is growing.
Senior management thinks information security is important, and in addition to having dedicated staff, the top security person typically reports to a senior official. However, many businesses do not have formal security policies and procedures, do not monitor for network incidents, do not monitor their on-line activities, and do not have a planned incident response capability. Lack of employee awareness, tools, human resources, budget and management awareness are clear obstacles in addressing security issues. However, security is needed to allow companies to move into new areas such as electronic commerce; to integrate security as part of the normal business process; and to provide the ‘safety net’ businesses need to allow the freedom to operate in the unknown.

Electronic Commerce Enhancement Act of 1997

Mr. Daniel Bennett, Systems Manager for Congresswoman Anna G. Eshoo [D-CA], presented an overview of the history of the Electronic Commerce Enhancement Act of 1997, H.R. 2991, dated November 9, 1997. [Reference #3] The intent of the Bill is to make it possible for citizens to do business with the government over the internet. It would enhance electronic commerce by requiring agencies to use digital signatures that are compatible with the standards for such technology used in commerce and industry, and by enabling persons to submit federal forms electronically. It requires that within three years of the Act’s passage, agencies must have all such forms on the internet on a government-controlled website. The electronic version of each form must be substantially identical to the existing paper copy. Only forms that are submitted to an agency more than 1,000 times per year, and that are not required to be completed in the presence of a federal official or at a particular location, will be posted. It provides for studies to be conducted on the use of digital signatures twice over a 5-year period. It addresses guidelines for acceptance of certificates, accreditation and trusted third party liability.

Mr. Bennett noted the Board’s observation that the Bill did not contain any language on the security and privacy of the information submitted. He indicated that hearings are expected to be held in early 1998. Having just been introduced, there will be a ‘look and see’ period over the next several months, and then it is expected that the legislation will be referred to the joint committee. He encouraged further comments from the Board members.

Update on Computer Security Enhancement Act of 1997

Mr. Richard Russell, Staff Member, House Technology Subcommittee, updated the Board on the progress of the Computer Security Enhancement Act. Currently it is in the Senate awaiting further action. He said that Senate counterparts have expressed interest in moving it along separately so as to bring more focus to this issue.

Mr. Russell also reported on two recent hearings: one on the President’s Commission on Critical Infrastructure Protection (PCCIP) report and the other on the digital signature issue. The PCCIP report draws attention to computer security vulnerabilities and the protections that are necessary. In general, the reaction on the Hill to the Commission report was mixed. However, everyone agreed that computer security is a pressing issue that needs to be addressed. The vulnerabilities affect both private and public systems. The Commission report also recommends significant budget increases to meet the challenges of computer security protection. Mr. Russell believes that this fact may make it easier for NIST to obtain substantial increases in its funding for computer security. While the current budget did not contain any increase in funds for NIST to enhance its computer security efforts, the House Committee is going to encourage NIST to refocus and make this a priority.
He also said that he believes Congress would be receptive to a NIST request for reprogramming funds for computer security. Mr. Russell said that Congressional hearings could be held to emphasize the role of computer security within the agencies and to have them report on what is being done about computer security within their own agencies. He did point out, however, that they plan to first focus on reinvigorating NIST. They are working with the Government Affairs Committee and other committees to raise this issue.

His observations of the hearings on digital signature were that the concerns expressed were mixed. Some took the approach of doing something, while others believed doing nothing was appropriate. One opinion expressed was that States and countries are going their own separate ways on this issue and would not want the federal government to interfere. Mr. Russell encouraged the Board to express their ideas and thoughts on this topic and stressed the need for commonality on this issue.

He reported that they do not see the Y2K issue moving well. The learning curve is fairly steep and there is little time left to fully accomplish the task. He said that while there is not enough time to fix the problem 100%, at least we are aware of the problem.

Technical Advisory Committee to Develop a Federal Information Processing Standard for the Federal Key Management Infrastructure

Ed Roback began this briefing by stating that the current draft document was a work-in-progress produced by some of the members of the Committee after having held six meetings. He introduced Elaine Barker of NIST, who serves as a government liaison from NIST to the Committee. Ms. Barker presented an overview of the draft document, covering the announcement process and intended users. The document discusses a key recovery system model, supporting components, system policy, and interoperability. She indicated that this standard will most likely have a two-year initial review cycle, based on the fact that this is a new technology. The Committee continues to meet and refine this draft.

Ms. Barker also showed a Key Recovery Demonstration Program video to the Board. This video presented a very general overview of the 13 federal key recovery pilots. Other videos on each of these pilots are available and may be shown at the next meeting of the Board.

Discussion of 1998 Work Plan

The members discussed future action plans for consideration for the upcoming year. They included:
-- consideration of holding 2-day meetings rather than 3-day meetings;
-- addressing what the Board can do for federal agencies;
-- inviting members of the CIO Council Security subcommittee to meet with the Board;
-- enlisting the assistance of OMB as the enforcer for making agencies accountable for computer security within their agencies; and
-- asking the members of the IG community what they see as threats and vulnerabilities within their agencies, with the goal of improving the quality of the review process to identify agency problems.

Another issue identified was the national ID card and its effects on smart card technology and use in areas such as biometrics. Also, certification was suggested as another area on which to focus.

There being no further business for the day, the meeting was recessed at 4:55 p.m.

Wednesday, December 10, 1997

The meeting was reconvened at 9 a.m.

President’s Commission on Critical Infrastructure Protection (PCCIP) Final Report Briefing

Commission Chairman, General Thomas Marsh (Ret.), presented a briefing on the recommendations contained in its report, Critical Foundations, which was presented to the White House on October 21, 1997. [Reference #4] This report includes a national policy, an implementation strategy, and recommendations that will serve to protect infrastructures from both physical and cyber threats and assure their continued operation.
The Commission’s work and report focused primarily on getting ahead of the cyber threat. A Principals Committee composed of cabinet-level government officials is charged with preparing a proposal for the President. It is expected that the President will receive the proposal early in 1998.

Conclusions reached over the year and a half of this work effort included:
-- protecting our infrastructures is a public-private undertaking that requires a new partnership;
-- protecting our infrastructures will take time and will require long-term efforts and a new way of thinking;
-- infrastructure protection is a shared responsibility; and
-- waiting for a disaster is a dangerous strategy—now is the time to act to protect our future.

The recommendations fall generally into three categories:
-- actions the federal government must take;
-- actions the owners and operators of infrastructures must take; and
-- actions that require partnership between government and industry.

The recommendations focus on protection of proprietary information and ensuring anonymity when necessary; reviewing legal impediments to information sharing, such as antitrust provisions and the Freedom of Information Act; and creating information sharing mechanisms both within and between industry and government.

The consensus among all the experts is that the cyber threat is sure to evolve, because daily we see numerous unauthorized intrusions resulting in damage to systems, whether they be publicly or privately owned. This situation will evolve on an accelerated basis because, since the Gulf War, no foreign nation will take us on the battlefield but will rather seek a means to do our country harm in other ways. General Marsh said that within the next five years this kind of threat will become real, and we need to take action now. Warning centers should be established and in place within the next 3-4 years, and there should be a “stand-up” now, even though we may lack the tools, or may not know when the threats and attacks will occur or how to block them effectively.

General Marsh encouraged the Board to raise this subject to the agency heads, stressing the need for education and awareness of this threat. He also said that NIST should give this problem a higher priority, put more of its resources behind it, and be the leader and role model for both the civil and private sector to follow. He also stated that he believed that the Director of NIST appeared willing to see that appropriate funding be made available to increase the NIST computer security efforts.

PCCIP Final Report – Information and Communications R&D Needs

Board member John Davis, representing the PCCIP, presented his observations of the research and development issues identified in the report. [Reference #5] The report found that new technologies are needed to effectively deal with the current and future vulnerabilities, and that research investment is inadequate and progress is too slow. The Commission looked at the entire infrastructure, including the physical as well as cyber threats. Interdependent R&D studies were also reviewed. Research is needed to secure information while stored, in transit and in process, and to monitor and detect active threats and notify in real time. More long-term research on new concepts needs to expand to a national scale via the government. Tools, techniques, methods and equipment need to be created and offered for sale by the private sector and installed to upgrade existing infrastructures.

The recommendations made were:
-- conduct a detailed analysis of infrastructure R&D needs and priorities prior to establishing a final National R&D program for infrastructure assurance;
-- designate appropriate government departments and agencies to manage infrastructure-specific R&D efforts;
-- promote the “science” of complex, interdependent systems and conduct in-depth research that addresses national infrastructure issues;
-- establish a national repository of validated infrastructure-related models and data;
-- create forums that bring together researchers, infrastructure owners and operators, and government to discuss common problems, requirements, and solutions; and
-- promote education, training, and certification programs to ensure proper implementation and utilization of new technologies, methods and tools.

FedCIRC Update

Marianne Swanson of NIST briefed the Board on the current status of the Federal Computer Incident Response Capability (FedCIRC). She thanked the Board for the resolution that it had passed at the last Board meeting in support of the continuance of this activity and the need for funding stability. She reported that they are continuing to work the funding problem with support from the Director of NIST, correspondence to the Department of Commerce, meetings with the CIO Security Council and GITS, and dialogue with OMB officials. Without any additional financial commitment, the FedCIRC will have spent its allotted funds by the end of September 1998 and will have to begin shutting down late this summer. Ms. Swanson said that NIST will continue to do what it can to have this capability continue, whether it be at NIST or elsewhere in the government.

Y2K Observations

Mr. Greg Swift, Deputy Director, Systems Technology Center, Mitretek Systems, briefed the Board on the Year 2000 problem in actual systems.
[Reference #6] It is a large-scale software maintenance problem affecting code, data, external interface specifications, products and embedded systems. Because of the level of complexity of most information systems, the difficulty of evaluating Year 2000 problems escalates. He presented several examples of inverted comparison and negative interval problems that could occur. He reported that many popular software packages are not yet compliant. Vendors often have no plans to bring old versions into compliance at all, forcing an upgrade, and upgrading a system can be complex if several products must coexist on it. He closed by saying that there are lots of errors to find: finding them is relatively easy, tracing the impacts of the errors on the IT system is harder, and determining the real-world impacts of the errors is very difficult in advance.

Board Discussion Period

Next, the minutes of the September meeting were unanimously approved by a motion made by Genny Burns and seconded by Linda Vetter. There was discussion of a draft resolution endorsing the current efforts on IT security training and the development of a guidance document. It was agreed that this resolution would be tabled until the guideline is issued as an official document. The Board discussed further action it might take in support of the continuance of the FedCIRC activity and empowered the Chairman to do whatever possible to indicate the Board’s endorsement of this effort and support of continued funding. The Board asked to receive a copy of the FedCIRC business plan.

NIST Computer Security Program

Dr. Stuart Katzke, Chief of the NIST Computer Security Division, presented an overview of the work the Division is doing to meet the needs of government and industry. [Reference #7] He reviewed the missions of NIST and the Information Technology Laboratory, and the federal mandates that exist for the computer security program. Dr. Katzke described the Division’s work efforts, which included security standards, the National Information Assurance Partnership (NIAP), advisory committees and technical policy support, interagency support and information exchange, and direct agency assistance projects. The focus for the future will be on electronic commerce, critical infrastructure protection, testing and assurance, high-payoff guidance and interoperability, as well as other areas of government/industry collaboration.

The Board offered the following suggestions to Dr. Katzke:
-- have more dialogue between NIST and other agencies to better understand their need for NIST support;
-- consider conducting workshops on information security tools;
-- follow through with the development of an incident handling document for agency use; and
-- focus on the security posture of the federal agencies and the PCCIP report’s aspects of information systems protection.

Following Dr. Katzke’s presentation, the Board focused on what it could do to follow the line of money identified in the Commission report and push for some of it to be earmarked for operational functions. It was suggested that they encourage NIST to take the lead in asking for the additional funds. The Board also discussed NIST’s main mission and possible ways to extend this mission to support the computer security program and agency assistance.

There were no requests for public participation, and the meeting was recessed at 5:00 p.m.

Thursday, December 11, 1997

The meeting was reconvened at 9:05 a.m.

AES and Crypto Update

Ed Roback advised the Board of the current Advanced Encryption Standard (AES) activities. A Federal Register notice has been published requesting submissions by June 15, 1998. A conference is planned for August 1998 in California, where all submissions will be made public. When asked about the target date for the delivery of an AES, Mr. Roback indicated there was no fixed date, but that he expected it within a two- to three-year time frame. As for the status of the current cryptography legislation, all bills will be carried forward to the next Congressional year. He also mentioned that NIST is working with ANSI X9 on a signature standard.

Board discussion on miscellaneous topics followed. Mr. Leo presented his views on how to broaden the NIST mission to include a more operational, applied approach. He suggested that NIST may want to consider performing a review function of agencies to identify their computer security vulnerabilities. He also stated that security benchmarking is another area where NIST could have a significant role.

Meeting with New NIST Director

Ray Kammer, newly appointed Director of NIST, spoke to the Board about his vision for NIST and the role of computer security. The Board expressed their concerns about NIST’s role as it relates to the recommendations of the PCCIP report and asked what NIST was prepared to do. Mr. Kammer reported that the Secretary of Commerce has stated that they are willing to accept the responsibilities, but noted the strong need for funding to support this effort. NIST cannot pay for this out of its own funding, said Mr. Kammer, and he suggested that the possibility of joint agency funding should be considered by the CIO Council.

With regard to NIST shouldering the operational responsibilities, Mr. Kammer indicated that NIST is willing to be a pioneer to establish the function but does not see itself performing this function on a long-term basis. When asked where these responsibilities should be housed, he responded that each agency should take the lead for its own agency. It was pointed out that each agency does not have the leadership and expertise capabilities to carry out the responsibilities independently. Mr. Kammer stated that it was his belief that agencies could grow into this as they have done in past situations, and pointed out that typically, in the other standards-making areas of NIST, NIST does not become the operational entity.

On the FedCIRC topic, Mr. Kammer would like to see it fully established and will work with the CIO Council to see that policies are pushed to encourage its continuance. However, he pointed out that agencies will have to be willing to provide funding. He was asked whether, if a separate entity were created, there would be any objection to portions of NIST’s programs becoming part of this new entity. Mr. Kammer responded that he would be open to discussion if such should be proposed.

Mr. Kammer said that NIST has made proposals in the FY99 budget cycle to increase the funding for the computer security program. He said that the Commerce position is that they are willing and eager to be the government coordinator for the Commission objectives. He said that the Board should feel free to recommend and include budget figures in support of the Commission’s recommendations. When asked with whom the Board should communicate to help this process, Mr. Kammer responded the Secretary of Commerce, the policy and budget sides of OMB, and the CIO Council. He also informed the Board that NIST is an ex-officio member of the CIO Council and that Dr. Shukri Wakid, Director of the NIST Information Technology Laboratory, is the representative.

The Chairman thanked Mr. Kammer for his time and candor with the Board and wished him good luck in his new position.

Board Discussion Time

It was proposed that the Board send a letter in support of the PCCIP report, endorsing the ‘red team’ establishment position and increased computer security baselines for agencies. Some felt that the best effect the Board could have would be to wait to see if there are any Presidential Directives or Executive Orders issued as a result of the report’s recommendations, and then address specific responsibilities as they are outlined. At that time, letters could be developed and sent to various agencies containing specific points relevant to the assigned actions.

The Board requested the Secretariat to continue to invite the members of the CIO Council to attend future meetings of the Board, specifically the co-chairs of the recently established CIO Subcommittee on Security. In the area of electronic signatures, it was suggested that this Board could facilitate bringing together the private sector with the civilian agencies to discuss this effort.

For the March agenda, it was proposed that Marjory Blumenthal of the Computer Science and Telecommunications Board of the National Research Council be invited to brief the Board on their trustworthiness report that is to be issued soon. Other topics for the agenda included a briefing on Internet 2/NGI; monitoring of the activity on the PCCIP report; legislative updates, especially on the movement of the Computer Security Enhancement Act; a cryptography update; and an overview of the status of smart card technology. A need for a public debate on the privacy of federal accountable information was identified. Rick Weingarten and George Trubow will address some of these privacy issues at the March meeting.

There being no further business, the meeting was adjourned at 12:05 p.m.

References

#1 December 1, 1997 Federal Register notice
#2 Presentation material of Mr. Daniel Woolley
#3 Presentation material of Mr. Daniel Bennett
#4 Presentation material of Gen. Tom Marsh
#5 Presentation material of Mr. John Davis
#6 Presentation material of Mr. Greg Swift
#7 Presentation material of Dr. Stuart Katzke