Minutes of the Computer System Security and Privacy Advisory Board Meeting
September 29-30, 1998
National Institute of Standards and Technology
Gaithersburg, MD

Tuesday, September 29, 1998

A quorum being present, the meeting was called to order by Chairman Willis Ware at 9:00 a.m. In addition to the Chairman, those members present were: Genevieve Burns, John Davis, Addison Fisher, John Sabo, Randy Sanovic, George Spix, George Trubow, and Linda Vetter.

The Board Secretary, Ed Roback, welcomed the members and reviewed the agenda and the handout material that had been provided to the members.

Chairman Ware discussed the recent press release on the cryptography changes. He also informed the Board of the recent death of former ITL Director James H. Burrows. The Board was saddened to hear of his passing and said that the information technology community had lost a valuable and learned scholar.

Mr. John Sabo, the newly appointed Federal member, gave the Board a briefing on his background in computer security and a review of his work with the Social Security Administration. He reviewed his involvement in the public key infrastructure effort and the development of a guideline for constructing policies governing the use of identity-based public key certificates [CARAT guidelines]. He invited the Board's comments on this draft document.

Better Business Bureau Online Privacy Program
Russell Bodoff, General Manager and Vice President, BBBOnline, Inc.

Mr. Bodoff presented an overview of the Better Business Bureau (BBB) and the activities of the Council of Better Business Bureaus [Reference #1]. BBB is a recognized authority in establishing marketplace self-regulatory guidelines. The BBBOnLine program began in 1997 and is the largest consumer protection program on the Internet. Their proposed privacy program will respond to needs identified by major companies, the need for protection of consumer personal data, the threat of restrictive legislation, the European Data Directive going into effect in October 1998, and the special needs for protection of children online. Mr. Bodoff indicated that in recent talks with Ira Magaziner, this effort was high on the Administration's list. It is expected that a report on this work effort will be available in late October, with a working demonstration available by mid-December.

TRUSTe Briefing
Roger Cochetti, IBM, TRUSTe Board Member

Mr. Cochetti outlined the TRUSTe program for protection of privacy on the Internet. TRUSTe is a non-profit, industry-supported privacy program [Reference #2]. Its goals are to accelerate the growth of e-commerce by alleviating user anxiety, to stave off new government regulation, and to facilitate global information flow by providing a privacy program that meets self-regulation guidelines. Statistics show that privacy is the greatest inhibitor to acceptance of the Internet. Ninety-seven percent of people are hesitant to share personal information. However, if Internet privacy were protected, it is estimated that 78% of online users would increase their use and 61% of non-users would be more likely to begin. Mr. Cochetti said that the posting of online privacy policies offers some assurance, but a high percentage of users have still expressed distrust over the validity of these posted statements.

The U.S. government does not want to regulate Internet privacy practices and believes that industry must set codes of conduct as well as demonstrate self-regulation efforts in order to avoid regulation. There has been increased action by the Federal Trade Commission on this issue. Surveys have been conducted on 1,400 sites, a privacy report was submitted to Congress in June, and an outline for a regulatory model was presented to a congressional committee in July. Industry has until December to demonstrate that self-regulation is working. Also affecting this is the EU Data Protection Directive, which becomes effective on October 24, 1998.

Mr. Cochetti said that in order to use the TRUSTe site privacy program, sites must notify users of their information practices, give users choices over how their information will be used by the site, assure appropriate levels of security, and assure that data is accurate, timely and complete. Sites must display the TRUSTe trustmark. They must also follow a strong enforcement process that includes consequences for non-compliance. TRUSTe has issued more than 270 licenses to companies such as ABC, Disney, IBM, Microsoft and VeriSign.

Federal Computer Incident Response Capability Update [FedCIRC]
Michael Smith, General Services Administration [GSA]

Mr. Smith briefed the Board on the transition of the FedCIRC activities from the National Institute of Standards and Technology [NIST] to the General Services Administration [GSA] [Reference #3]. He reviewed the services that will be offered, the partnerships, and future activities. He reported that they will offer baseline services as well as fee-based services. This effort will partner with NASA's incident response capability, the Department of State, the U.S. Coast Guard, the Department of Energy, DISA, the Federal Aviation Administration, the U.S. Air Force, the U.S. Army, and the U.S. Navy. Future activities include promotion of the program, monthly partners' meetings, agency forums, and an outreach program. The focus will be on federal partners, but they also plan to embrace the private sector and academia. They will also be working closely with the Critical Information Assurance Office (CIAO).

Board member Genny Burns asked Mr. Smith about the continuation of the compilation of relevant statistics on incidents. She would like to see this effort continued and recommended that NIST continue to perform this function. Mr. Smith responded that GSA will be developing the compilations and will work with the partners to determine what data will be collected.

Federal Trade Commission's Consumer Online Privacy Report
Ori Lev, Staff Attorney, Division of Credit and Protection, Federal Trade Commission [FTC]

The Federal Trade Commission held workshops during 1995-1997 to facilitate discussion among industry, consumer and privacy advocates, and government, in order to encourage effective self-regulation that would allow e-commerce to flourish [Reference #4]. Mr. Lev referred to a Georgia Tech study done in 1998 that showed the major reasons consumers are not shopping on the Web. Most consumers are concerned about giving out their credit card number, their ability to judge the quality of the merchandise, and the privacy of the site contacted.

The recently released FTC report to Congress summarized fair information practices and assessed industry's self-regulatory efforts, covering trade association guidelines and information collection and privacy protection online. The overall conclusions of the report indicated that industry efforts to encourage adoption of fair information practices have fallen far short of what is needed to protect consumers, and that if consumer concerns regarding privacy are not addressed, electronic commerce will not flourish. The Commission recommended legislation that would place parents in control of the online collection and use of personal information from their children, and that an assessment of self-regulation for adults be done at year's end. If there is no effective, widely adopted self-regulation, the Commission recommends the adoption of privacy legislation. In the meantime, the FTC will continue to use its existing authority to police privacy claims, noting that the industry self-regulatory agreement on look-up services takes effect on 12/31/98 and that identity theft continues to raise concerns.

NIST Updates – Advanced Encryption Standard
Ed Roback, Computer Security Division, NIST

Mr. Roback reviewed the ongoing activities in developing the Advanced Encryption Standard (AES). His overview covered what had been done to date [Reference #5]. As a result of the formal call for candidate algorithms, 21 packages were received. Six packages were found to be incomplete. The remaining 15 candidates were announced at the first AES candidate conference in August 1998. They will be open for public review until April 15, 1999. Announcement of approximately five finalists will be made approximately three months later. Two additional AES conferences will be held, and it is anticipated that the selection of the AES algorithm will be made sometime in the summer of 2000. An AES Federal Information Processing Standard should be in place in the spring of 2001. Mr. Roback reviewed the evaluation criteria for the AES, the procedures for submission of formal AES comments, and NIST's AES efficiency testing plans.

Board Discussion

The minutes of the June 2-4, 1998, meeting were unanimously approved. The Board voted to change the December meeting dates from December 1-3, 1998 to December 2-3, 1998. They went on to discuss possible areas of interest for the December meeting agenda. The meeting was recessed at 4:30 p.m.

Wednesday, September 30, 1998

The meeting resumed at 9:05 a.m. Board member John Davis, NSA, spoke to the Board about the October 5-8, 1998 National Information Systems Security Conference being held in Crystal City, Virginia. This year's conference will feature the signing of the international Common Criteria mutual recognition agreement. Also, the Armed Forces Communications and Electronics Association (AFCEA) will sponsor a two-day exposition in conjunction with the conference.

Update on Health Care Issues and Pending Legislation
John Fanning, Department of Health and Human Services

Mr. Fanning updated the Board on the current status of health care legislation. Several bills on health care confidentiality have been produced. There has also been proposed legislation dealing with patient care protection, covering patients' rights to see specialists, the appeals process, and privacy provisions. Thus far, no legislation has passed. The Health Care Portability Act states that if Congress does not act by August 1999, the Secretary of Health and Human Services is required to make confidentiality rules for electronic change transactions systems, but it doesn't address health care records in general. The unique health care identifier issue is moving slowly. A white paper has been produced and public hearings are being held to provide feedback to the Secretary. Vice President Gore has stated that a final standard will not be promulgated until there are adequate privacy policies in place.

Mr. Fanning also mentioned a non-health care related privacy issue regarding immigration laws. The Department of Transportation has issued a notice of rulemaking regarding the use of social security numbers as identification. Hearings have also been held on this issue. There has also been a notice of rulemaking published regarding security standards for electronic transactions.

General Motors' Privacy Policy
Randy Sanovic

Board member Randy Sanovic gave the members a briefing on the internal and external privacy processes of General Motors (GM) [Reference #6]. He covered what their information security policies should be. Their practices include the right to review, audit, or monitor, in accordance with local law: all GM information, data, and computing and communication resources utilized to support GM business; all business process activities, information, data, and computing and communication resources of non-GM providers that support GM business; and all personal information stored within a GM computing and communication resource. GM does not guarantee employee privacy with email. He also reviewed their acceptable use practice for public Internet access and their communication networks acceptable use guidelines. Other privacy related areas and issues included the assessment of the European privacy directive's impact. He said that all country data protection laws and regulations are taken very seriously regarding compliance. They are also following legislative activities regarding the use of social security numbers as individual identifiers.

Public Participation Period

Mr. Tim Bass, a private consultant, briefed the Board on the attack on Langley Air Force Base's email infrastructure that occurred in 1997 [Reference #7]. During this episode, it was also discovered that the public email server for the White House had been infiltrated. Mr. Bass said that such incidents demonstrate the vulnerability of organizations' information infrastructures.

The next public participant was Mr. James P. Craft, Information Systems Security Officer for the U.S. Agency for International Development (USAID) [Reference #8]. Mr. Craft presented his personal observations regarding the activities of the CSSPAB. He expressed his opinions of the strengths and weaknesses of the CSSPAB and noted several opportunities where he thought the Board and its mission could enhance the federal computer security program. In his view, unclassified issues make up 95% of federal agencies' security problems, and these issues continue to grow. He offered a list of issues that the CSSPAB could address, including a recommendation that the CSSPAB be instrumental in proposing the development of model programs for all federal organizations. He described the model information system security program he had developed for USAID and offered to 'give it away' to other government agencies.

Briefing on Self-Regulation, OECD and Federal Digital Signature Statutory Developments
Mark Bohannon, General Counsel, Technology Administration, Department of Commerce

Mr. Bohannon began his presentation by addressing developments in the area of authentication and the domestic and international elements of self-regulation [Reference #9]. He discussed the framework of authentication and the establishment of transaction standards for authentication. The predominant activity is the development of State laws to enable electronic signatures. He said that 33 of 49 initiatives were adopted in 1997, representing 24 of 31 States. The momentum behind digital signature laws is ebbing. Where enacted, the approaches appear to be less prescriptive, with limited transactional scope. The apparent emerging focus is on criteria-based statutes. He reported that through mid-1998, 41 bills were introduced in 23 States, predominantly to enable electronic signatures. A total of 37 States have passed laws to date. Current federal initiatives include the public key infrastructure pilot project, with 40+ pilots underway. Federal legislative proposals have been introduced (H.R. 2937, S. 1594, H.R. 2991, S. 1888).

Digital signature standards now available include the Digital Signature Algorithm (DSA), FIPS 186, standardized by ANSI X9F1; the RSA Signature Algorithm (rDSA), a draft ANSI X9.31 before X9F1 currently out for reconsideration and public comment; and the Elliptic Curve DSA, a draft ANSI X9.62 before X9F1, for which a 30-day public comment period is anticipated soon. Mr. Bohannon stated that the next step is the development of key management exchange standards, with international aspects at the forefront.

Mr. Bohannon reviewed the U.S. proposal for an international convention on electronic transactions as it relates to the framework for global electronic commerce. Governmental initiatives are in place in eleven other countries, including the European Union. He said that several areas still need to be addressed. They include the validity of signatures vs. the security of certificates/implementations, reconciling federal and international frameworks, and reconciling existing technologies and approaches with emerging applications. In the area of self-regulation, he questioned whether the choice of standards for authenticating content is a matter of statute or of contract.

NIST Updates – Computer Security Planning Guide and ITSEC Training Project
Fran Nielsen, Computer Security Division, NIST

Dr. Nielsen presented an overview of the status of the Guide for Developing Security Plans for Information Technology Systems [Reference #10]. This document originated from a guideline developed by the Federal Computer Security Program Managers' Forum. NIST began its review of it in April 1998 and issued a revised draft in August 1998. Dr. Nielsen described the contents of the document and the security plan formats it covers. She stated that the document is intended to be a guidance document only, not a requirement. It is anticipated that the guideline will be issued as a NIST Special Publication by October 31, 1998.

Next, Dr. Nielsen updated the Board on the activities of the ITSEC training project [Reference #11]. NIST was appointed the project lead in January 1998. The project plan includes development of a repository of donated training materials, with a direct relationship to the NIST Special Publication 800-16 training document. A website was created in July, and a Federal Information System Security Educators Association (FISSEA) working group was established in August that will meet in conjunction with FISSEA's Executive Board. Dr. Nielsen reported that this working group's program of work calls for mapping the content to SP 800-16, prioritizing needs, and establishing a contract for the development of additional training resources.

Board Discussion and Planning for Next Meeting

The Board discussed items and issues that they would like to have on the agenda for the December meeting. These included: an update from both the GITS and CIO Security Committees; a briefing by Dr. Jeffrey Hunker, head of the CIAO; and a briefing from the Social Security Administration on their effective resolution of Y2K compliance. They would also like appropriate time set aside for the development of a work plan for the 1999 Board year.

There being no further business, the meeting was adjourned at 4 p.m.