Minutes of the Computer System Security and Privacy Advisory Board Meeting
December 2-3, 1998
National Institute of Standards and Technology
Gaithersburg, MD

Wednesday, December 2, 1998

A quorum being present, Chairman Willis Ware called the meeting to order at 9 a.m. In addition to the Chairman, members present were: Genevieve Burns, John Davis, Addison Fischer, Joe Leo, John Sabo, Randy Sanovic, George Trubow, Linda Vetter, Jim Wade and Rick Weingarten. The Board Secretary, Ed Roback, welcomed the members and reviewed the agenda and handout material that had been provided to the members. As with all Board meetings, all sessions were open to the public. At the start of the meeting 18 members of the public were in attendance.

Briefing on Trust in Cyberspace Report
Fred Schneider, Editor and Chair
Committee on Information Systems Trustworthiness
Computer Science and Telecommunications Board
National Research Council (NRC)

Mr. Schneider briefed the Board on the recently published NRC study Trust in Cyberspace, prepared by a committee of 12 members from industry and academia. Nine meetings and three workshops were held over a two-year period. The report is a research agenda covering Public Telephone Network (PTN) and Internet trustworthiness, software for network information systems, reinventing security, constructing trustworthy systems from untrustworthy components, and the accompanying economic and public policy context.

Mr. Schneider explained that trustworthiness in a network information system (NIS) could be obtained if a system works correctly despite environmental disruption, human user and operator errors, hostile attacks, or design and implementation errors. Trust in cyberspace does not exist today because of the lack of the technology and science base for building NISs trustworthy enough for use in critical infrastructure systems. He emphasized that an aggressive research agenda must be pursued.

Funding levels should be based on the current population of researchers and on realistic projections of increases in coming years. Improvement depends on the ability and success of new research efforts. He did state, however, that Internet trustworthiness is evolving.

Building trustworthy NIS software is difficult for COTS software, for non-functional requirements, and for integration and determining critical components. Research is not currently addressing these topics. There is a need for new policies to enforce availability, integrity and application-level security. New structures are needed to manage foreign code, extensible software systems, and black-box components. There are problems to be solved in network-wide authentication and the need for encryption and authentication/integrity algorithms.

In the area of computer and communications security, new security options are needed to partition the enforcement of responsibility between system and application. New paradigms include add-on technologies using combined multiple technical approaches. Two philosophies are at odds: pragmatists versus purists. It is time to reinvent computer security around a new paradigm. Improved trustworthiness may be achieved by the careful organization of untrustworthy components. There are a number of promising ideas, but few have been vigorously pursued.

Imperfect information creates a disincentive to invest in trustworthiness for both consumers and producers, leading to a market failure. Standards may mitigate some of the difficulties that arise from imperfect information because standards can simplify the decision-making process for purchasers and producers by narrowing the field of choices. Security criteria may also improve the level of information available to both consumers and producers of components. The federal government needs to work to develop trust in its relationships with the private sector, with some emphasis on U.S.-based firms.
Major security research has been funded by DARPA in the past. They could enhance research in the areas of containment, denial-of-service attacks and cryptographic infrastructures through mechanisms already in place.

Requirements for Key Recovery Products
Edward Roback
Computer Security Division, NIST

Ed Roback reported that the Technical Advisory Committee to Develop a Federal Information Processing Standard for the Federal Public Key Infrastructure held its final meeting in November. The committee is in the process of offering editorial comments to the draft to be submitted to the Secretary of Commerce. The final draft version will be available on the NIST website once the editing is completed.

Critical Infrastructure Assurance Office (CIAO) Overview
Dr. Jeffery Hunker
Director, CIAO

Dr. Jeffery Hunker, Director of the CIAO, gave the Board an overview of their national plan [Ref. #1]. Topics covered included: the information warfare threat; Presidential Decision Directive 63; the national plan; key federal initiatives; and issues for industry leadership.

The national plan consists of three goals: to prepare and prevent, by assessing and eliminating vulnerabilities to information warfare attacks both in the private sector and the government; to detect and respond, by developing systems to assess, warn, isolate, respond and reconstitute essential information-dependent components of the economy and government; and to create a strong foundation for secure cyber systems, including a public-private partnership of systems operators and customers, sound legal footing, widespread public understanding of the importance of information assurance and security, and international cooperation. Under these three goals there are 18 programs. There is a family of plans for the national information systems defense program covering different constituencies with shared goals.

Dr. Hunker reported that planned key federal initiatives for FY2000 include computer security applied research, creation of a cybercorps, and research in computer intrusion detection. He solicited the Board's assistance in identifying universities/colleges that could offer a solid computer technology curriculum that the CIAO could add to their working database. The CIAO, Justice Department and Office of Personnel Management are working together to gather this information. CIAO Deputy Director, Liz Verville, is leading this effort. Dr. Hunker also mentioned a meeting scheduled for January 13, 1999, for the purpose of discussing the implementation of these initiatives. Outside attendees are invited. He extended an invitation to the Board to be represented at this meeting.

Dr. Hunker said they are looking to the federal sector to serve as a model as the departments and agencies prepare their computer security plans. A template is being developed by KPMG and an expert review panel is being established to work with the departments on their submissions. Annual reviews will be incorporated through the Office of Management and Budget/General Accounting Office audit reporting system and the President's Management Council. The process of reconstitution after any information warfare attack or incident is being developed jointly with the Y2K office. They are developing crisis management for nationwide problems by developing an inventory of assets as well as prioritization of problems and utilization of existing structures.

In the area of public-private sector cooperation, departments and agencies are discussing these issues with the particular private sector infrastructure sectors. White House meetings will be scheduled with CEOs, sector coordinators and federal liaisons.
The goals are to create information sharing and assessment centers for intrusion monitoring networks; establish a process to agree upon "best practices" for computer security in each sector; develop processes for certification of hardware, software, firmware, and computer security personnel; and to jointly develop an awareness and education campaign, perhaps through a new foundation or institute. Dr. Hunker indicated that he looks forward to many future discussions with the Board and appreciates their offer of support to this activity.

Update on CIO Security Committee Activities
Mark Boster, Department of Justice
Chair, CIO Security Committee

Mr. Boster presented the Board with an update on the current projects of the CIO Council Security Committee. These projects include system administrator skill sets and training; an Information Technology Research Board (ITRB)-like security group (security assist team); a federal information system security lifecycle website; computer security awareness day; and PDD63. A working group has been formed in collaboration with the Interagency Committee on Information Resources Management (IAC/IRM). He reported that two meetings have been held thus far and another has been scheduled for after the first of the year. Development of the system administrator skill sets and training requirements is planned. The Working Group is also looking at putting some type of system administrator certification program in place.

Mr. Boster said that after the first of the year they plan to concentrate on identification of best practices and hope to have a product out by the Spring of 1999. He also said that the Security Committee is seeking funding to support the development of a website containing information about federal information system security lifecycles. They plan to have another Computer Security Awareness Day similar to the event held last year, which drew an audience of higher-level federal officials. With regard to the PDD63 effort, Mr. Boster sees the role of the Security Committee as being a gatherer of information, passing it on to the right areas. He expects that over time, the scope of the Council's involvement will become more clearly defined.

Board Discussion Period

The Board reviewed the November 16, 1998, letter from NIST Director, Ray Kammer [Ref. #2] requesting the Board's assistance on several topic areas. There were four main items: (1) Security Metrics and Reference Data Sets; (2) Identification of Top IT Security Research Issues; (3) Federal Agency Improvement; and (4) Privacy in the System Life-Cycle. Board member Genevieve Burns raised the need for a single, government-wide taxonomy of terms for computer security and privacy. Board member Jim Wade stated that industry is in need of benchmarks. It was suggested that at the March Board meeting, the Board hear from ITL representatives on what they are hearing from outside the government about what their needs are, and to determine whether NIST has speculated on these needs or other issues. Also mentioned was the possibility of the Board conducting a workshop on this specific topic and developing a white paper of the results learned, and/or developing a survey/questionnaire that would be sent to vendors, industry, etc. to obtain similar information.

Update on GITS Security Champion Activities
Richard Guida, Department of the Treasury
Federal Public Key Steering Committee Chairman

Mr. Guida opened his discussion with a comment on the Board's prior conversation regarding the description of computer definitions [taxonomy of terms]. He strongly agreed with the need for such data and volunteered to take the input from the Board effort to the GITS Committee and develop an end product. He distributed advance copies of the Access with Trust report. Once it is released, it will be available on the GITS website.
He mentioned that page 6 of the report contained a description of various computer terminology and welcomed the Board's review and comments on the definitions. His presentation [Ref. #3] covered the federal bridge certification authority, the key recovery demonstration project, electronic signature guidance, and U.S.-Canadian cooperative efforts.

The federal bridge certification authority will serve as a non-hierarchical "hub" for federal and non-federal interoperability. The National Technical Information Service (NTIS) will serve as the host. Funding has been provided, and it is anticipated that it will be operational by January 2000. As currently envisioned, after the program is up and running, funding for this effort will have to be sustained by other agency contributions. The PKI Steering Committee will produce five draft supporting documents, and they will be posted on the GITS website for comment. Mr. Guida stated that while agencies are not required to use the bridge certificate authority, they would be encouraged to do so.

The Committee is currently working to secure funding for the key recovery demonstration project (phase II) effort. However, it is proving difficult at this time because of the immediate need to focus on the Y2K activity and the Administration's focus on recent encryption export control updates. As a result, there is no definite prognosis at this stage. However, they are hopeful for a resolution within the next several months.

Next, he covered the progress of Electronic Signature Guidance. He said that OMB plans to issue guidance on electronic signatures as required by the Paperwork Elimination Act of 1998. The federal PKI Steering Committee is working on this. The focus will be on how to select technology appropriate for particular applications. It is expected that the guidance will be issued as a document in a format similar to OMB Circular A-130. The Board will be invited to comment on the draft guidance. They anticipate finishing this effort ahead of the March 2000 deadline.

In August 1998, the PKI Committee met with the Canadian Interdepartmental PKI Task Force. The Canadians are ahead of the United States in the areas of infrastructure and policy, and the United States is ahead in the applications area. A liaison group was formed with plans to work on directory issues, harmonizing CPs, and other matters. They anticipate developing a pilot effort through the U.S. Patent and Trademark Office and the Canadian Intellectual Property Office. A copy of the report of the August 1998 meeting is available on the FPKI website.

Public Participation Period

Mr. Tim Bass, principal engineer with The Silk Road Group, Ltd., presented an update to the Board on the activities regarding the Langley Cyber Attack. (He had briefed the Board on this at their September meeting.) Next, he discussed a draft tutorial article on the emerging Advanced Encryption Standard that he is producing as an invited paper for the Proceedings of the IEEE. He invited the Board to review the outline presented [Ref. #4] and provide him any assistance they deemed appropriate.

Board Discussion Period Continuation and 1999 Work Plan Development

The Board resumed their discussion of the correspondence received from the Director of NIST. Chairman Ware reiterated the earlier dialogue relevant to Item 1: Security Metrics and Reference Data Sets. He said that pending discussion with NIST/ITL representatives at the March 1999 meeting and any relevant outcome as a result of it, the Board would have no advice to offer on this topic. Returning to the discussion of the development of a taxonomy of critical computer security/privacy definitions/terms, the suggestion was made to ask NIST to research how these terms should be used throughout the federal government. Another suggestion was to have a discussion paper developed to present to Director Kammer and ultimately be produced as an ITL bulletin.
The format for this product should include the definition and an example of it.

Next, Item 2: Identification of Top IT Security Research Issues was discussed. Chairman Ware indicated that he would draft a letter from the Board to be sent to William Wolf, President of the National Academy of Engineering, to suggest that NAE conduct a workshop for the purpose of focusing on this specific issue. It was also suggested that a NIST representative be invited to the next meeting to brief the Board on how NIST is responding to the efforts of the CIAO activities and to ascertain what NIST has planned in the information technology arena specifically. Additionally, it was proposed that the Board set aside one of its future meetings for the purpose of collecting and analyzing research and development needs of various computer security issues. [ACTION: Chairman]

As time was not available to sufficiently discuss the remaining items of the NIST request, Chairman Ware will prepare a reply to the Director of NIST acknowledging the receipt of his November 16, 1998 letter to the Board. [ACTION: Chairman]

The meeting was recessed at 5 p.m.

Thursday, December 3, 1998

The meeting was reconvened at 9:05 a.m.

Office of Management and Budget (OMB) Update
Glenn Schlarman
Information Technology Branch

Mr. Schlarman's overview covered an update of the recent activities of OMB's Office of Information and Regulatory Affairs (OIRA). With regard to the current budget season, OMB is in the pass-back process. In general terms, Mr. Schlarman said, agency budget submissions came in at many, many billions of dollars over the target budget to maintain a balanced budget. He said that the focus is on critical infrastructure this season. Across the board, interest in and awareness of these needs have been elevated to a new level. He sees that as good news. He indicated that in the President's budget, the Critical Infrastructure Protection effort would be called out as a specific management objective.
The bad news is that there appears to be a rush to present proposed programs that are not mature/ripe enough for prime time. In many cases, there has not been adequate review, scrutiny or proper prioritization. Difficult situations are created if everything is labeled a top priority. Mr. Schlarman stated that in the development of the national security program the blurring of the distinction between the classified and unclassified computer security arenas has been reintroduced.

Privacy is taking a backseat as a priority. However, its priority should be equal to that given to computer security. Government needs to get industry's input. Industry should be leading the privacy effort with the government serving in a supporting role. To get industry to understand our goals, the government will have to establish itself as a model. There should be an effort to coordinate and tie together all previous relevant legislation as it pertains to the PDD activities.

Mr. Schlarman indicated that there are no plans by OMB to revise OMB Circular A-130 because it is believed to already meet the requirements of critical infrastructure programs. However, he said, they will entertain serious revision recommendations and give them appropriate consideration.

With regard to NIST, OMB believes it is important for NIST to continue to issue federal guidance. They are especially interested in seeing the development of technical implementation guidance so that they can call on agencies to assess themselves against compliance with these respective guidance documents. Other guidance documents needed are in the area of incident response and intrusion detection monitoring. OMB hopes that NIST will work with the Justice Department to develop the latter. He said that they see the NIST/NSA partnership and lab accreditation as a good idea. However, they want it to stop short of any product endorsement. Mr. Schlarman asked that NIST and this Board be the "eyes" and "ears" for OMB in this particular area.
The Y2K problem is consuming all the funding for now. However, this dilemma is forcing people to think more about computer security contingency planning. He said that the President's Y2K Conversion Council is coordinating a study on the Y2K effort and it is possible that a reconstitution command center will be created.

Mr. Schlarman said that OMB has developed a draft document listing principles pertaining to the use of the Internet. He also said that the OIRA has the role of acting as the "privacy czar" for the government. John Goodbomb is the political privacy lead from within OMB through whom OIRA passes its input. To the question of security metrics, Schlarman indicated that with the exception of some work ongoing by the GITS Committee, no metrics exist elsewhere. He does agree that they are needed. He closed his briefing by encouraging the Board not to let privacy take a back seat.

Critical Infrastructure Protection and the Endangerment of Civil Liberties: An Assessment of the President's Commission on Critical Infrastructure Protection (PCCIP)
Wayne Madsen, Senior Fellow
Electronic Privacy Information Center (EPIC)

Mr. Wayne Madsen distributed copies of EPIC's report Critical Infrastructure Protection and the Endangerment of Civil Liberties: An Assessment of the President's Commission on Critical Infrastructure Protection [Reference #5]. The report points out shortcomings of the PCCIP's report and encourages openness, not secrecy, as the key to the nation's security and its future prosperity. Mr. Madsen's briefing covered the following critical infrastructure civil liberties concerns raised by the PCCIP report:

- Privacy - Employee Polygraph Protection Act
- Freedom of Information and Open Government - FOIA/FACA
- Censorship and disinformation - rapid media reaction forces
- New security classification
- Internet monitoring and surveillance
- Encryption
- Posse Comitatus Act
- FBI expanded role - Foreign Intelligence Surveillance Act (FISA) and L.E. integration
- Corporate liability relief
- State government liability, open government, FOIA and Privacy Acts
- Foreign corporations
- Government certification and deputizing of INFOSEC personnel

He presented examples of each of these concerns. Mr. Madsen said that while EPIC may not offer a balanced solution to all of the above, closer attention is paid to some of the civil liberties and privacy concerns. If the Administration would raise the awareness level of privacy, perhaps organizations such as EPIC wouldn't be so quick to issue opposing viewpoints. He encouraged the Board to issue a recommendation that the U.S. government create an Office of Privacy.

Y2K and the Social Security Administration (SSA)
Kathy Adams
Assistant Deputy Commissioner, SSA

Ms. Kathy Adams, Assistant Deputy Commissioner, Social Security Administration, addressed the Board on the topic of getting ready for the year 2000 at the SSA [Ref. #6]. Her presentation covered the SSA background, approach, systems, State Disability Determination Service (DDS) systems, data exchanges, testing, vendor products, telecommunications, facilities, risk management and contingency planning, and costs. She said that in 1989 they had experienced a heads-up event with a Y2K problem that occurred because of a systems failure. Their basic approach consisted of awareness, assessment, renovation, testing and implementation. The SSA found that configuration management is the key to the success of the implementation of any Y2K effort. They issued contingency plans to ensure continuity of operations. They worked with the General Accounting Office on the format for the plan and met with the Gartner Group and other private companies. Ms. Adams said that the website for the SSA contains a copy of their contingency plans. The website address is www.ssa.gov.

Cross-Industry Working Team (XIWT) Briefing
Charles Brownstein
Executive Director

Dr. Charles Brownstein, Executive Director of the Cross-Industry Working Team [XIWT], presented an overview of the activities of this organization [Ref. #7]. The XIWT is made up of members from the private sector and a member from the National Institute of Standards and Technology. Their goals are to foster the understanding, development and application of technologies that cross industry boundaries; facilitate the conversion of the National Information Infrastructure (NII) vision into real-world implementations; and facilitate a dialogue among representatives of stakeholders in the private and public sectors.

Dr. Brownstein proceeded to describe the activities for information infrastructure robustness. He said that there is a cross-segment of interest in computing, telecommunications, and information-intensive services. Areas identified as potential threats to the strength and dependability of the infrastructure included nature, human error, technology and service design deficiencies, Y2K software vulnerabilities, and purposeful attacks from malicious intruders, individual hackers, criminals and terrorists or warring nations.

The XIWT sponsored a symposium in November 1998 to bring together major players involved in cross-industry, cross-sector efforts to improve information infrastructure reliability and robustness. It was attended by more than 100 representatives from industry, academia and government. Dr. Brownstein said the results of the symposium identified the following potential cross-industry activities:

- information exchange activities
- consensus building activities
- collaborative operational activities
- collaborative R&D activities

Next, he presented examples of each of the respective activity topics. He deemed the symposium a highly productive and interactive event, with the challenge to get more specific, particularly in the collaborative R&D and experimental activities.

Dr. Brownstein stated that future XIWT activities include conducting additional workshops and symposia, publishing a "framework white paper" for broad industry review, and collaborative R&D and experimental activities. He indicated that third-party support would be the key factor in keeping this activity alive. The Corporation for National Research Initiatives (CNRI) is the home for the XIWT effort. They are a not-for-profit organization that was formed in 1986 to foster research and development for the national information infrastructure. The website address for the XIWT is www.xiwt.org. The website address for the CNRI is www.crni.reston.va.us.

Board Discussion Period

Chairman Ware presented framed certificates of appreciation to members Genevieve Burns, Linda Vetter and Randy Sanovic, as their appointments on the Board expire during January 1999; this was their last official meeting. He thanked them for their expertise and interaction on Board activities during their tenure and said that their presence would be missed. Board Secretary Ed Roback also extended his thanks and appreciation for their participation over the past four years. The outgoing members accepted the plaques and wished the Board continued success. They also extended special thanks to Elaine Frye for all her assistance to them during their time on the Board.

The minutes of the September 1998 meeting were presented and unanimously approved.

The Board recapped the activities of the two-day meeting and identified topics for the next meeting, to be held in March 1999. Next, the Board turned their attention to discussion of a 1999 workplan. The following areas were identified:

- privacy
- where it is postured in the government—is it in the right place
- scope versus surveillance
- citizen's knowledge about federal government involvement in individual privacy
- data collection issues
- U.S. government, EU countries and others
- critical infrastructure dialogue
- CIAO collaboration
- mandate of Board's charter
- awareness and education
- training
- government's priorities
- legislative issues
- Computer Security Enhancement Act continuum
- Paperwork Elimination Act

There being no further business, the meeting was adjourned at 5:00 p.m.

References:
#1 Hunker presentation
#2 November 16, 1998, letter from Ray Kammer, Director, NIST
#3 Access in Trust report/GITS Committee
#4 Bass draft AES tutorial article
#5 EPIC's Report on the PCCIP
#6 Adams presentation
#7 Brownstein presentation

Edward A. Roback
Board Secretary

CERTIFIED as a true and accurate summary of the meeting

Willis H. Ware
Chairman