Minutes of the Meeting of the Computer Systems Security and Privacy Advisory Board
March 4-5, 1998
National Institute of Standards and Technology
Gaithersburg, MD

Wednesday, March 4, 1998

A quorum being present, the meeting was called to order by Chairman Willis Ware at 9:05 a.m. The Board Secretary, Ed Roback, welcomed everyone and reviewed the agenda and the related handout materials that had been provided to the members. He discussed the proposed meeting schedule for calendar year 1999 and asked that the Board review the dates for any potential scheduling conflicts.

In addition to Chairman Ware, those members in attendance were: Genevieve Burns, John Davis, Addison Fischer, Joe Leo, Gloria Parker, Randy Sanovic, George Trubow, Linda Vetter, Jim Wade, and Rick Weingarten.

Chief Information Officers (CIO) Security Committee Perspective Briefing

Committee Co-Chairmen Mark Boster, Department of Justice, and Howard Lewis, Department of Energy, briefed the Board on the activities of the Committee [Reference #1]. The Office of Management and Budget (OMB) and Congress are looking to the CIO Council to focus on the important issue of computer security, and the Co-Chairmen indicated that the CIO Council Chairman, Ed DeSeve, is very supportive of the Security Committee. The Security Committee's priority is to ensure the implementation of security practices within the federal government that gain public confidence and protect government services, privacy, and sensitive and national security information. Its objectives are to promote awareness and training, especially among the CIOs themselves; to work with the GITS Board to avoid duplication of activities; to identify best practices by partnering with others such as GAO and the PCIE to develop best practices for the federal agencies; and to address technology and resource issues.

Mr. Boster said that the Committee is interested in the continuance of the FedCIRC effort. He would like to see a more mature FedCIRC mechanism in place that would provide an overarching governmentwide approach bringing DOD and the civilian sector together. While there is a huge need to share and cooperatively develop computer security awareness and training, Mr. Boster indicated that the immediate emphasis would be on computer security awareness among the leadership. Another important area on which the Committee will focus is the identification of technology resources for computer security and recommended solutions to increase the funding in agency budgets for security. The Committee plans to work with the Interagency Advisory Council (IAC) to identify innovative ways to fund computer security programs.

FedCIRC Update

Marianne Swanson, NIST, presented an overview of what FedCIRC is currently doing [Reference #2]. In response to the previous presentation by Mr. Boster regarding the FedCIRC activities, Ms. Swanson stated that NIST does not typically take on operational agency work, and that was not the mode under which NIST established FedCIRC. She agreed that it is time for FedCIRC to move on to an operational agency and stated that NIST is a facilitator working with CIAC and CERT through the vehicle of the FedCIRC. Ms. Swanson thanked the Board for its recent resolution stressing to the CIO Council and others the continuation of the FedCIRC work.

During the FedCIRC pilot program, strong partnerships have been developed with the DOD through efforts with CERT and CIAC. There has been, and continues to be, a steady increase in the number of incidents handled. She provided the Board with the first-quarter summary of incidents handled by FedCIRC and NASIRC (NASA) [See Reference #2]. NIST believes that FedCIRC has been a success. Computer security level managers have agreed that FedCIRC is a capability that is needed and should be continued, but governmentwide acceptance of this concept is essential for its success. The operational concept should include scope, management/resources, and funding. Though NIST does not see itself as the operational arm of this effort, Tim Grance, NIST ITL Group Leader, stated that NIST would be willing to continue to manage and direct the effort. In any case, he said that NIST is committed to working with whatever entity takes over this program to help ensure its success.

Ms. Swanson also reviewed the FedCIRC seminar series that had taken place to date and offered to provide copies of the meeting material to the Board. Board member Jim Wade recommended that the Board draft a letter commending the CIO Security Committee for its efforts on the continuation of FedCIRC and identifying other key efforts.

Status of PCCIP Report Recommendations

Irwin Pikus, PCCIP Commissioner, briefed the Board on the summary of the public comments received on the critical infrastructure assurance report [Reference #3]. A total of 26 responses were received. Of these, only three were negative in nature. The others were congratulatory, offered critical review, highlighted Y2K, addressed encryption/key recovery, or raised miscellaneous topics such as geomagnetic storm effects on the power grid, information sharing in industry, and overriding federal responsibilities. Mr. Pikus said that the Commission received the expected reactions from the privacy and libertarian communities and from industry; no innovative solutions or suggestions were elicited in the comment process; no fatal errors emerged; and the obstacles to success will be very large but can be dealt with through concerted and cooperative efforts.

A draft Presidential Decision Directive (PDD) has been crafted, but it is unclear when it will become official. It is also anticipated that an Executive Order will be issued that will implement certain aspects of the PDD. The National Security Council is serving as the Infrastructure Coordinator, with a support office residing within the Department of Commerce. Each infrastructure sector is being assigned to a different lead agency. An information protection center (IPC) has been established within the Federal Bureau of Investigation, and the private sector is expected to establish an information sharing and analysis center (ISAC). Mr. Pikus indicated that it has not yet been determined what the relationship will be between the IPC and the ISAC; however, it is expected that there will be a connection. The Department of Commerce will serve as the lead agency for the information and communications sector and as the executive agent for the support office, and will work cooperatively with NSA and others on INFOSEC and provide leadership for government in standards and best practices.

Can Steganography Be Regulated? Policy Questions and Hidden Messages

Mr. Peter Wayner, author of two books entitled Disappearing Cryptography and Digital Copyright Protection, gave the Board a brief overview of steganography and its components. He explained that steganography is about hiding information, while cryptography is about sealing it. In terms of the First Amendment, Mr. Wayner expressed the view that steganography cannot be regulated; the problem lies in the ability to define it and to regulate it. He pointed out that it would be hard to develop a legal system that could parse everything that is said and sift out the nuances, punning, double entendres, shaded meanings, and other linguistic wormholes. Mr. Wayner said that copyright control is growing in importance and that the current copyright laws do not know how to handle steganography. During his briefing, he demonstrated several different styles of steganography.

Tracking Updates

Ed Roback discussed several items that the Board has been tracking over the past year.

-- The Advanced Encryption Standard: the current call for submission of algorithms has an April 15 deadline. An informal query indicates that NIST may receive approximately 10-15 submissions, at least one-third of which will be from the international arena. A conference is planned for August 20-22, 1998 in Ventura, CA to discuss and make public the algorithm submissions received.

-- The Technical Advisory Committee to Develop a Federal Information Processing Standard for the Federal Key Management Infrastructure is still proceeding with its work plan. The Committee charter expires in July, with the final two meetings being held in April and June. The NIST website contains the current working documents. The final recommendation will be forthcoming at the June meeting, and it is expected that a Federal Register notice will appear soon after, requesting comments on the Committee's output.

-- There has been no activity in the Senate with regard to the Computer Security Enhancement Act; however, hearings on computer security have recently been held. No hearings on cryptography have been scheduled at this time. Testimony from any hearings that take place will be provided to the Board when they occur.

-- No comments were received as a result of the December Federal Register notice requesting ideas for future directions of the Board. Comments were to have been received by January 30, 1998.

-- A new Presidential Advisory Committee on Export Control was recently established and is to reside within DOC's Bureau of Export Administration.

-- Mr. Roback said that he is developing a draft new-member guideline and will be sending it out for Board review and comment.

Privacy Issues Discussion

Board members Rick Weingarten and George Trubow led a discussion on the subject of privacy and its definition as a policy issue. Mr. Weingarten opened with his point of view that privacy consists of the social values that we take into account when we make public policy. He stated that a broader definition of privacy might be an individual's concern about the use, storage, and distribution of information about themselves. Proprietary, public, and government need-to-know information are the three main aspects of privacy. The CSSPAB's focus is on government information practices. Professor Trubow said that the line between the public and private sectors is becoming blurred with the information technology impetus. The federal government collects more and more information from individuals, and he fears that more of this information may be made available to the general public in the government's efforts to be more user friendly, thus unwittingly undermining individual personal privacy.

After further discussion on this issue, the Board decided that it would pursue briefings by private sector privacy organizations as well as other agencies and OMB, so that it could examine where privacy stands today, twenty years after the passage of the Privacy Act.

The meeting was recessed for the day at 4:55 p.m.

Thursday, March 5, 1998

The Chairman reconvened the meeting at 9:05 a.m.

Board Discussion

Board members Genevieve Burns, Linda Vetter, and Jim Wade presented a draft resolution based on the CIO Committee presentation. There was discussion of the newly GITSB-funded effort on IT training that has been given to NIST and whether this would include incident training capabilities. Edits to the resolution were suggested for discussion later in the meeting.

Information Security: Lessons Learned from Learning Organizations

Jean Boltz, Assistant Director, Accounting and Information Management Division, General Accounting Office (GAO), presented highlights of GAO's recent study on managing information security [Reference #4]. Believing that current federal operations and the potential benefits from information technology are at risk, the Senate Committee on Government Affairs requested that GAO perform this study. With the assistance of professional organizations, auditors, and experts, eight non-federal organizations were studied. The major focus was on management rather than technical controls. The report identified five fundamental management principles:

-- Assess risk and determine needs;
-- Establish a central management focal point;
-- Implement policies and related controls;
-- Promote awareness;
-- Monitor and evaluate policy and control effectiveness.

Under these five principles, 16 practices were identified as key to the success of the programs of the organizations reviewed. Most of the companies visited had CIOs who were already information technology aware and held security as a priority, while others had experienced recent incidents that made them react to it. Ms. Boltz said that GAO is going to incorporate these principles into its audit methodology. GAO has briefed the CIO Security Committee and plans to send a letter of endorsement with this report to the CIO Council membership.

Board member Gloria Parker added that OMB was given additional clout via the Clinger-Cohen Act. If an agency can articulate clearly what its computer security needs are, it stands a better chance of getting the funding or not having it zeroed out. She also stressed the significance of awareness and training at the highest management levels.

Systems Certification Briefing

Mr. Fred Tompkins, Director of Policy Analysis, International Computer Security Association (ICSA), gave a presentation on how ICSA promotes continuous improvement of commercial digital security through the application of the ICSA Risk Framework and the ICSA Dynamic Certification Model to certification, research, and related activities [Reference #5]. ICSA's mission is to continually improve security, trust, and confidence in global computing through the certification of products, systems, and people. Mr. Tompkins identified the problems ICSA addresses and its supporting activities, and he described the risk framework and the dynamic certification model.

Patient ID - HHS Perspective

Mr. John Fanning, Division of Data Policy at the Department of Health and Human Services, reviewed the recommendations developed in accordance with the Health Data and Privacy provisions of the Health Insurance Portability and Accountability Act (HIPAA) for the protection of health care records [Reference #6]. He also presented a comprehensive overview of the background legislation and legal framework. Current requirements, activities, and issues under HIPAA were also discussed.

U.S. Government Perspective on Privacy Issues

Barbara Wellbery, General Counsel, National Telecommunications and Information Administration, Department of Commerce, was scheduled to speak but had to cancel due to unexpected schedule conflicts. She will be invited to speak at the June Board meeting.

Public Participation

The Chairman then opened the meeting for discussion by public participants.

Mr. John Purcell, formerly with the Department of the Treasury, expressed his concern about the apparent lack of accountability of federal managers, in particular as it relates to computer security issues within agencies. Middle managers are feeling the frustration of trying to enforce computer security only to find that they do not have the support of their higher management. He would like to see ADP security added to the core competencies of the Senior Executive Service employee and suggested an added schooling requirement in the computer security field.

Mr. John Tressler of the Department of Education mentioned the recent film produced by the Department of Justice on computer security awareness for high-level executives as an example of an awareness tool that has just become available and could apply to the majority of agencies.

Board Discussion Time and Planning for June 1998 Meeting

The minutes from the January board meeting were approved on a motion made by Jim Wade and seconded by Genevieve Burns.

The draft resolution discussed earlier in the meeting was presented with modifications. After discussion and deliberation, the Board passed Resolution 98-1 [Attachment #1]. This resolution commends the members of the CIO Council for their increased focus on computer security and privacy in the federal government and for the formation of the Security Committee. It also recommends that NIST continue as the provider of core services for the centrally provided emergency response capabilities. It encourages the inclusion of a training component on incident handling and prevention, in addition to the other core services within the emergency response capability, consistent with the requirements of OMB Circular A-130, Appendix III.

Action items discussed for the focus of the June meeting agenda included:

-- Legislative updates on the Computer Security Enhancement Act;
-- Status report from the CIO Security Committee;
-- PCCIP update and status of a Presidential Decision Directive;
-- Consider hearing from Richard Clark, National Critical Infrastructure Protection Center;
-- Briefing from NIST on the GITS funding money;
-- Privacy tutorials…privacy landscape and federal protection;
-- PKI Initiative update;
-- Law enforcement's views on the legal prosecution of criminal cases dealing with digital signatures;
-- Update from NIST management on what they see as computer security initiatives for the future.

There being no further business, the meeting was adjourned at 4:50 p.m.

Attachment

Resolution 98-1

References:

#1 Boster/Lewis Presentation
#2 Swanson Presentation
#3 Pikus Presentation
#4 Boltz Presentation
#5 Tompkins Presentation
#6 Fanning Presentation