KEYNOTE ADDRESS COMPUTER SECURITY INITIATIVE
Document Type:
Collection:
Document Number (FOIA) /ESDN (CREST):
CIA-RDP91-00901R000500290004-1
Release Decision:
RIPPUB
Original Classification:
K
Document Page Count:
11
Document Creation Date:
January 4, 2017
Document Release Date:
April 28, 2008
Sequence Number:
4
Case Number:
Publication Date:
August 10, 1981
Content Type:
SPEECH
File:
Attachment | Size |
---|---|
![]() | 868.59 KB |
Body:
F_
Approved For Release 2008/04/28: CIA-RDP91-00901 R000500290004-1
KEYNOTE ADDRESS
COMPUTER SECURITY INITIATIVE
August 10, 1981
speak briefly
It is a pleasure to welcome you to this Seminar and to / with you about
computer security, the recent developments within the Department of Defense and
the Intelligence Community and the challenges that lie ahead.
As Dr. Gerald P. Dinneen, former Assistant Secretary of Defense for C31
defined at the first of these Seminars two years ago, a "trusted" computer
system is one with sufficient hardware and software integrity to allow its use
for the simultaneous processing of multiple levels of classified or sensitive
information.
The need for trusted computer systems is very real and growing rapidly.
Factors influencing this need are-
- the growing use of automated information handling systems throughout
the DoD and the Intelligence Community and in particular the linking
of these systems into major networks;
- increasing requirements for controlling access to compartmented and
sensitive information;
- the requirement for broader dissemination of information both within
and beyond the community;
- growing difficulties with obtaining-required numbers of cleared
personnel, both military and civilian.
Despite continuing internal efforts to develop special purpose trusted
systems for unique needs, we already rely very-heavily on the products of the
computer industry to meet our information processing requirements, and this
Approved For Release 2008/04/28: CIA-RDP91-00901 R000500290004-1
Approved For Release 2008/04/28: CIA-RDP91-00901 R000500290004-1
dependence will continue to grow significantly in the future. It is therefore
very gratifying to observe the progress being made by the computer industry in
applying computer security technology as represented by the industry presenta-
tions at this and the previous Seminars.
It is very important, also, that the Department of Defense and the
Intelligence Community develop sufficient expertise to be able to evaluate the
integrity of computer software and systems developed by industry and
government, and that we be able to.determine suitable physical and
administrative environments for their application. We have had scattered
efforts over the past several years to evaluate specfic systems for specific
installations. But these efforts have always been more or less ad hoc, and
because of the extensive technical background required, expensive to carry out.
I am very pleased therefore to announce today the establishment of a
Computer Security Techn_i_ca_l Evaluation Center for the Department of Defense and
the Intelligence Community at the National Security Agency. Last fall, as
Director of NSA, I enthusiastically endorsed the establishment of this Center
at NSA as a new and separate function. I am very pleased with the progress
being made in setting up the Center and I remain strongly committed to its
success.
I would like to make several observations about the Center and some of its
relationships:
- Because the private sector computer manufacturing community is the
primary source of ADP systems, the Center's role will be to work
with the manufacturers, deriving as much system integrity as possible
from 'industry developed systems. This is a rather sharp contrast to
the NSA's more traditional communications security role where the
government has the dominant technical role.
Approved For Release 2008/04/28: CIA-RDP91-00901 R000500290004-1
Approved For Release 2008/04/28: CIA-RDP91-00901 R000500290004-1
- The Center will have a difficult task developing procedures which
assure protection of sensitive portions of a system which the
government does not own. Simply classifying security related
portions of a system built by industry won't work since the govern-
ment represents such a small portion of the overall market that the
manufacturers may well decide not to sell to the government rather
than accepting the limitations imposed by classification. This,
in the end, might lead to a highly undesirable situation where private
sector users (e.g., banks, insurance companies) have higher integrity
systems than the government.
But sensitive portions of systems and the known vulnerabilities
that remain must be protected, in the interests of both the government
and the manufacturers. It is quite likely therefore that the most
sensitive portions of the government's analyses will be both classified
and proprietary to the manufacturer. Careful, reasoned interaction
between the government and industry will be needed to work out
suitable working relationships.
The Center will act in the interests and for the benefit of the
-
Department of Defense and the Intelligence Community. Its evaluation
will not be intended for use by other than the Dog. It will not make
general product endorsements. But as with the Qualified Products list
procedures (as prescribed in the Dog Defense Acquisition Regulations),
the relative merit of a system in the hierarchy of evaluated products
may be available publicly in order to provide incentive and
encouragement for manufacturers to develop trusted systems and private
sector users to employ them.
Approved For Release 2008/04/28: CIA-RDP91-00901 R000500290004-1
Approved For Release 2008/04/28: CIA-RDP91-00901 R000500290004-1
- Because of the wide range of sensitive environments that exist for
information systems (ranging from privacy applications to canpartmenta-
ti on within the Intelligence Community, and from adjacent security
levels (e.g., Secret and Top Secret) to full multi-level systems
with Intelligence users and uncleared users), it will be vital for
the Evaluated Products List to offer a range of technical categories
and appropriate environments for specific systems. The approach of
establishing levels of technical integrity which has evolved from the
work of the Computer Security Initiative indicates the kinds of
distinctions which will be made in evaluating systems. A range of
suitable environments is possible with trusted systems because the
security accreditation of ADP systems depends upon all of the
aspects of the total system. The accreditation of a system to serve
users cleared at both the Secret and the Top Secret level is not as
difficult a problem as extending the use of such a system to
uncleared users as well. The Department of Defense is now using
Multics in such a limited environment serving both Secret and Top
Secret cleared users. The Evaluated Products List should provide
guidelines for implementing this type of operation where sufficient
technical integrity of software products can be demonstrated.
Finally, I would like to say that the establishment of an Evaluation
Center, important as it is, must not be viewed as providing by itself
the long sought answer to the computer security problem. Within the
Department of Defense and the Intelligence Community, system builders
will have to become aware of and properly employ the procedures for
development of trusted system applications. The Services and Defense
Approved For Release 2008/04/28: CIA-RDP91-00901 R000500290004-1
Approved For Release 2008/04/28: CIA-RDP91-00901 R000500290004-1
Agencies are being encouraged to establish or eniance their own
technical security test and evaluation capabilities to ensure
widespread use and availability of trusted computer systems. The
computer manufacturing community must work closely with the Center
and these Service organizations to ensure that reasonable products
are available for use in sensitive applications.
In conclusion, I would like to restate my awareness of the importance of
this problem area, my enthusiasm for the establishment of the Evaluation
Center, and my deep and continuing interest in its success. I encourage you to
participate fully in this Seminar, ask the tough questions, learn all you can,
and then go out and apply what you have learned so that we may all have trust-
worthy computers in the very near future.
Approved For Release 2008/04/28: CIA-RDP91-00901 R000500290004-1
Approved For Release 2008/04/28: CIA-RDP91-00901 R000500290004-1
OF THE
ON THE .~ .x
COMPUTER E U RITY
UOU
,A000.ST;10_- 12,1901
Approved For Release 2008/04/28: CIA-RDP91-009018000500290004-1
Approved For Release 2008/04/28: CIA-RDP91-00901 R000500290004-1
KEYNOTE ADDRESS
COMPUTER SECURITY INITIATIVE
Admiral Bobby Inman
Deputy Director of Central Intelligence.
Washington,-D.C.
It is a pleasure to welcome you to this Seminar and to speak briefly with
you about computer security, the recent developments within the Department of
Defense and the Intelligence Community and the challenges that lie ahead.
As Dr. Gerald P. Dinneen, former Assistant Secretary of Defense for C31
defined at the first of these Seminars two years ago, a "trusted" computer
system is one with sufficient hardware and software integrity to allow its use
for the simultaneous processing- of multiple levels of classified or sensitive
inforim~ation.
7h; need for trusted computer systems is very real and growing rapidly.
Factors influencing this need are:
the growing use of automated information handling systems tiirouohout
the DoD and the Intelligence Community and in particular the linking
of these systems into major networks;
- increasing requirements for controlling access to ccmpartmented and
sensitive information;
- the requirement for broader dissemination of -information both within
and beyond the co, nunity;
growing difficulties with obtaining required numbers of cleared
personnel, both military and civilian.
Despite continuing internal efforts to develop special purpose trusted
systems for unique needs, we already rely very heavily on the products of the
computer industry to meet our information processing requirements, and this
Approved For Release 2008/04/28: CIA-RDP91-00901 R000500290004-1
Approved For Release 2008/04/28: CIA-RDP91-00901 R000500290004-1
dependence will continue to grow significantly in the future. It is therefore
very gratifying to observe the progress being made by the computer industry in
applying computer security technology as represented by the industry presenta!,
tions at this and the previous Seminars.
It is very important, also, that the Department of Defense and the
Intelligence Community develop sufficient expertise to be able to evaluate the
integrity of computer software and systems developed by industry and
government, and*th.at we be able to determine suitable physical and
administrative environments for their application. We have had scattered
efforts over the past several years to evaluate specfic systems for specific
installations. But these efforts have always been more or less ad hoc, and
because of the extensive technical background required, expensive to carry out.
I am very pleased therefore to announce today the establishment of a
Computer Security Technical Evaluation Center for the Department of Defense and
.the Intelligence Community at the National Security Agency. Last fall, as
Director of NSA, I enthusiastically endorsed the establishment of this Center)
at NSA as a new and separate function. I am very pleased with the progress
being made in setting up the Center and I remain strongly committed to its
success.
I would like to make several observations about the Center and some of its
relationships:
Because the private sector computer manufacturing community is the
primary source of ADP systems, the Center's role will be to work
with the manufacturers, deriving as much system integrity as possible
from industry developed systems. This is a rather sharp contrast to
the NSA's more traditional communications security role where the
government has the dominant technical role.
Approved For Release 2008/04/28: CIA-RDP91-009018000500290004-'
*wvp
a
Approved For Release 2008/04/28: CIA-RDP91-00901 R000500290004-
The Center will have a difficult task developing procedures which
assure protection of sensitive portions of a system which the
government does not own. Simply classifying security related
portions of a system built by industry won't work since the govern-
ment represents such a small portion of the overall market that the
manufacturers may well decide not to sell to the government rather
than accepting the limitations imposed by classification. This,
in the end, might lead to a highly undesirable situation where private
sector users (e.g.,'banks, insurance companies) have higher integrity
systems than the government.
But sensitive portions of systems and the known vulnerabilities
that remain must be protected, in the interests of both the government
and the manufacturers. It is quite likely therefore that the most
sensitive portions of the government's analyses will be both classified
and proprietary to the manufacturer. Careful, reasoned interaction
between the government and industry will be needed to work out
suitable working relationships.
The Center will act in the interests and for the benefit of the
Department of Defense and the Intelligence Community. Its evaluation
will not be intended for use by other than the DoD. It will not make
general product endorsements. But as with the Qualified Products List
procedures (as prescribed in the DoD Defense Acquisition Regulations),
the relative merit of a system in the hierarchy of evaluated products
may be available publicly in order to provide incentive and
encouragement for manufacturers to develop trusted systems and private
sector users to employ them.
B-3
Approved For Release 2008/04/28: CIA-RDP91-00901 R000500290004-1
Approved For Release 2008/04/28: CIA-RDP91-00901 R000500290004-1
Because of the wide range of sensitive environments that exist for
information systems (ranging from privacy applications to compartmenta-
tion within the Intelligence Community, and from adjacent security
levels (e.g., Secret and Top Secret) to full multi-level systems
with Intelligence users and uncleared users), it will be vital for
the Evaluated Products List to offer a range of technical categories
and appropriate environments for specific systems. The approach of
establishing levels of technical integrity which has evolved from the
work of the Computer Security Initiative indicates the kinds of'
distinctions which will be made in evaluating systems. A range of
suitable environments is possible with trusted systems because the
security accreditation of ADP systems depends upon all of the
aspects of the total system. The accreditation of a system to serve
users cleared at both the Secret and the Top Secret level is not as
difficult a problem as extending the use of such a system to
uncleared users as well. The Department of Defense is now using
Multics in such a limited environment serving both Secret and -fop
Secret cleared users. The Evaluated Products List should provi.de
guidelines for implementing this type of operation where sufficient
technical integrity of software products can be demonstrated.
Finally, I would like to say that the establishment of an Evaluation
Center, important as it is, must not be viewed as providing by itself
the long sought answer to the computer security problem. Within the
Department of Defense and the Intelligence Community, system builders
will have to become aware of and properly employ the procedures for
development of trusted system applications. The Services and Defense
Approved For Release 2008/04/28: CIA-RDP91-00901 R000500290004-1y
Approved For Release 2008/04/28: CIA-RDP91-00901 R000500290004-1
Agencies are being encouraged to establish or enhance their own
technical security test and evaluation capabilities to ensure
widespread use and availability of trusted computer systems. The
computer manufacturing community_ must work closely with the Center
and these Service organizations to ensure that reasonable products
are available for use in sensitive applications.
In conclusion, I would like to restate my awareness of the importance of
this problem area, my enthusiasm for the establishment of the Evaluation
Center, and my deep and continuing interest in its success. I encourage you to
participate fully in this Seminar, ask the tough questions, learn all you can,
and then go out and apply what you have learned so that we may all have trust-
worthy computers in the very near future.
Approved For Release 2008/04/28: CIA-RDP91-00901 R000500290004-1