INTELLIGENCE INFORMATION HANDLING COMMITTEE MINUTES OF FOURTH MEETING, 15 JULY 1968

Approved For ase 2005/02/14: CIA-RDP79B00314W0300070002-0 1HC-M-4 17 July 1968 INTELLIGENCE INFORMATION HANDLING COMMIE Minutes of Fourth Meeting, 15 July 1968 Members or Representatives Present Chairman DIA CIA NSA State Army Navy Air Force F31 AEC Secretary others . Pre sent Secret Service (Observers) X HC Support Staff ID YA - 171 CIA - 63 ALT Force - 3 Navy m S State 0 5> ACDA 2 AEC 13 F3I c 14 NSF 4 I. Army S NSA o ~& NPXC m 5L 25X 25X1 GROUP I Excluded from automatic downgrading and declassificatiouo Approved For Release 2005/02A4.C14. 9B00314A000300070002-0  Approved For Sase 2005/02/14: CIA-RDP79B00314 0300070002-0 S-E-C-R-E-T 25X1 25X1 25X1 25X1 who served as Executive Secr etarTy for C?DX39 introduced The new Executive SecMtery and the other five meebers of the Support Stofff who were pwasento was the only a mbar who was absent. L. Introduction of the XHC Su ort Stafff P1embers. 2. l3riief iina b a. I acknowledged introduction and granted on the size of the committee (approx ately 1135 people were present). b. In his prelimiircaary ccoa nts Q emphasized that the views he would present were not those of on official government agency,, He urged the attendees not to make operational decisions based on this talk. The concept of remote access camputiing was briefly introduced and cited as a major influence in this security Investigation,, co then presented a series of viewgraphs which portrayed the potential security problems in a system which has remote consoles9 a switching computer,, and a processing computer along with standard components such as communication lines 9 files 9 software 9 etc. He ccoamr rated at stn length also on the capabilities of the people In the network to violate the security of the systems Inn canting on the various security violation areas and how they are being handled9 0 suAmariized present progress by saying that physicall9 personal9 communication9 and radiation security were well in hand. He said that this left the areas of hardware, soft- were, and procedures to be considered by his task force o 25X1 d, 0 then spoke of the task force he chairs and its mission. He said that it wes tere'd to identify haredware 9 software 9 and system procedures security problems and to recommend technical solutions. The task fforcen originally under ARPA9 is now under the Defense Science Board, There are two panels ?o a Technical 25X1 Panel under of Case Western and a Doctrine Panel under The former addresses what special characteristics hardware and software should have in a computer central. This panel was also concerned with Interface problems between communications and termiinalls 9 and between communications and processerso The Doctrine Panel is concerned with prrocedures9 what is the role of the security man 9 what to do in case of a security violation and so ono e a said that each panel at this time has 25X1 prepared a draft position paper. He emphasized that no one knows how to handle all of the security problems In these complex systems. Amon / ppro?eed poreOelease 0~5 ~4 :bC1A 7WB003 4A0003a~y ~007000 he cited 25 25X1 25X1 25X  Approved For lase 2005/02/14: CIA-RDP79B003141 0300070002-0 the cost to an agency of using such a system. Operational degradation through using a security system was another effect which could not be predicted. In determining the scope of the 25X1 problems to be solved, I I suggested implementing a few of these systems and learning from experience o He stressed the need for system adjustment and feedback to the task force on whiioh operational decisions were effective. f. The rol ? of the security officer in these systems 25X1 was emphasized. The suggested that the security people had to be trained in systems and EDP concepts. He sees the security officer as the security monitor in such a system, hence the need for extensive training and orientation. go In ca a ntiang on the s stem design which will be set forth by the task force, an sold that it will be sufficiently general for all federal egencies with the need for such a -apabilitya It will not be tailored to DX, CX, or any other ccmponerata As a consequence the system suggested by the Task Force must be adopted to that set of problems faced by the implementing agancya He also sussed that the system must be maintainable. In order to avoid the cost, clearance problems,, inconvenience, and iincom stability of developing system software 25X1 at each iinstalllation9 II said that the task force proposed to supply procedures (at the SECRET level or lower) which will be .particularized by the using agency to suit its needs, 25X1 25X1 25X1 25X1 ho A second ma j ors role for the security man 25X said, would be the establishment of parameters which9 when combined with these general procedures, would result in the requisite security software. He emphasized that the security officer must be the watch dog in the system9 coping with violations and deciding the extent of a breach in security, io then spoke of an area which was not within the purview o his task. force, ioe,, the administrative problems in establishing mutually acceptable procedures and regulations, He feels that standardization coil! l be the inevitable outcome of setting common procedures for security in EDP systems, In this context9 he stressed the danger in agencies adopting official positions too early In the establishment of regulations since they may have great difficulty in retreating from these positions as time and experience provided better insight. j. then called for questions. The first question posed the problem o seduritty on consoles in uncleared space, in answering this question, spoke at length on the problem of privacy versus security. After a week?s deliberation at S~ or a 0~ ~~14cP - 7 1 0~ ~ `16 2t art  25X1 25X1 25X1 S-E-C-R-E-T Approved For se 2005/02/14: CIA-RDP79B00314 0300070002-0 PW -4- could not solve the problem of protecting the security of data in a remote access system against deliberate acts of penetration. Therefore his Task Force assumed that consoles, hardware, and so on are located in a non-hostile environment. Otherwise, he confessed, the goals of his Task Force are not achievable with today?s technological developments; The second question addressed the problem of setting up a remote console room which would be used by many system users, It was asked who had done work in this area, indicated that System Development Corporation was doing some work in this area with ADEPT-50. Also DLA has ideas on file access control for ANSRS o He suggested that initial systems should have security protection which is a bit too strong; lie feels that redundancy checks are desirable until experience dictates otherwise, in support of this he pointed out that users are never quite sure when hardware or software is completely free of errors which have been there since the system was built. Another questioner probed the problem of how much extra protection can be tolerated, The fourth question also addressed security at consoles. felt that the question related to personal security. He went on to point out that it may be desirable to establish different security controls depending on whether the console user is simply searching files or whether the user may also develop programs on that console to manipulate files. He pointed out that debugging programs may violate security safeguards quite accidentally. The fifth question was about industry's role. said that to date, lhdustry had not participated In Task Force deliberPatiions0 He feels- however, that industry will soon be faced with requirements and so should be aware of what the Task Force was rPecommendi ngo So far as he is concerned, no mmber of industry is capable of supplying a secure system at this tin The sixth question related to commercial interests, 25X1 indicated that the procedures involved In running separate systems is uneconomical and so defense contractors are interested. He went on to say that government got into the picture r regarding the design of secure systems at about the right time; The seventh questioner expressed a need to fix on procedures and security standards now, 25X1 I Isaid that his Task Force Is attempting to provide guidance to system developers In a similar position, e.g., ADEPT-50 and the AF Satellite Control Facility-at Sunnyvale. Approved For Release 2044 *RDP79B00314A000300070002-0  Approved For se 2005/02/14: CIA-RDP791300314 0300070002-0 S-H-C-R.E S The eighth question was about dlstributi papers, be decided Thursday (18 JaLy)d He, said that he would be happy to hear from people, concerned with th6 problem but did not wish to. hear from those interested in portinaythg an official position of their parent agehcjio The ninth questioner asked if the technical panel was designing a monitor. indicated that distribution of position papers, will said that he had not read the current draft from the technical. pahelo He feels that the panel will establish perforrxsnce driteria for the monitor at a general level. Detailed specifications may come- from a reconstituted panel. Howev;'er s he wo al_d prefer that to l installations handle the del:ailsa Hardware d a ls, h?wever, will probably be handled by vendors. The last question related to conflicting procedures regarding the sanitizing of disc surfaces* answer was that he had heard that triple writing of random streams constituted a secure erase of the disc surface? .However, there was disagreement on this.. This concluded the meeting. (A tape recording of the meeting is available in the IIC Support Staff office, Room 2E49, Hgsa) o 25X1 S.E-.C-R-E-T Secretary Approved For Release 2005/02/14: CIA-RDP79B00314A000300070002-0