LETTER TO(Sanitized) FROM FRED ASSELIN
Document Type:
Collection:
Document Number (FOIA) /ESDN (CREST):
CIA-RDP78M02660R000300020012-1
Release Decision:
RIPPUB
Original Classification:
K
Document Page Count:
4
Document Creation Date:
December 16, 2016
Document Release Date:
January 25, 2005
Sequence Number:
12
Case Number:
Publication Date:
August 3, 1976
Content Type:
LETTER
File:
Attachment | Size |
---|---|
![]() | 232.83 KB |
Body:
ABRAHAM R Id1GAt11G.rOa1 ~U tNRelease 2005/02/10: CIA-RDP78M02660R000300,p,2,001 ` ~a d ~-~
JOHN L MC CLELLAN, ARK. /''~~/~/'~ CHARLES H. PERCY, ILL.
~~ J(~-- (..-
HENRY M JACKSON WASH JACOB K JAVITS NY
AT
EDMUND S. MUSKIE, MAINE WILLIAM V. ROTH, JR., DEL.
LEE METCALF, MONT. BILL BROCK, TENN.
JAMES B. ALLEN, ALA. LOWELL P. WEICKER, JR., CONN. ,yy tf t( ~y }(
LAWTON CHILES, FLA. Gl~z1 C j`~Zf of eZ enaf e
SAM NUNN, GA.
JOHN GLENN, OHIO
RICHARD A. WEGMAN
CHIEF COUNSEL AND STAFF DIRECTOR
COMMITTEE ON
GOVERNMENT OPERATIONS
WASHINGTON, D.C. 20510
August 3, 1976
Assistant Legislative Counsel
Central Intelligence Agency
Washington, D.C. 20505
AT
This is in connection with the preliminary staff
investigation of the Senate Government Operations Committee
concerning problems associated with computer technology
in federal programs and private industry.
The draft presentation submitted by you July 30, 1976
in preparation. for a final presentation to be made a part
of the hearing record touches on virtually all of the points
which we had discussed earlier. In that regard, the draft
is satisfactory. However, there are aspects of the draft
which Phil Manuel and I hope can be further developed.
The Committee's hearing record, for example, will be
enhanced if it could be established as to which specific
legislative acts, directives and other executive orders can
be construed to affect computer operations at the Central
Intelligence Agency. It would be useful if you would
incorporate the specific language from these specific acts,
directives and orders into your final statement.
You note in the draft statement that the Agency's
computer security program was formalized in 1967. Because
the Agency's requirements for computer security are of
a high priority, it would be informative if the Committee's
hearing record could reflect the manner in which the Agency
formalized its computer security program. Independent
inquiry by the Committee staff has indicated that those
agencies with national security objectives such as yours have
been leaders within the executive branch in terms of pro-
tecting their automatic data processing systems and related
components against compromise and mismanagement. Not all
agencies within the executive branch require security stan-
dards as strict as yours. However, that is not to say that
these other agencies could not benefit from your own exper-
ience in formalizing your computer security program.
Approved For Release 2005/02/10 : CIA-RDP78MO266OR000300020012-1
IN I
Approved For Release 2005/02/10 : CIA-RDP78M02660R000300020012-1
Moreover, independent inquiry by the Committee staff has
demonstrated that there has, to a certain extent, been an
absence of a formalized program of computer security in
certain agencies. For that reason, a further development
in your statement of how it happened and was occassioned
that the Agency formalized its computer security program
could be of considerable help to those agencies whose
computer security procedures could be strengthened.
With respect to personnel security requirements at
the CIA, can a felon be cleared to work on any computer-
related operation? Does a criminal background disqualify
any individual from employment in or access to computer-
related operations at CIA? If so, why? These questions are
asked because the Committee staff in its preliminary inquiry
has been unable to determine if there are any government-
wide standards for personnel working on computer-related
projects,-, either directly for the government or in a
government contractor capacity.
In that connection, it would be informative to know what
you mean in your draft statement when you refer to the
significant emphasis the CIA places on personnel security
in the computer field. Please define in your final state-
ment what qualifies a CIA employee as meeting personnel
security requirements or standards.
Independent inquiry by the Committee staff has indicated
that the CIA is one of the few agencies in the federal
government, if not the only agency, which requires personnel
to be cleared at the top secret level to have access to
computer systems as well as all other systems and facilities.
This requirement, coupled with the need to know limitation,
is designed to provide maximum security against compromise.
Your mission is unique within the government. That being
said, though, does it seem practicable to you that a similar
system of clearance and need to know limitations could be
imposed in other agencies in connection with computer
operations only? In other words, are security precautions
applicable throughout the CIA capable of being applied in
computer security operations in other federal operations?
In turn, is the concept realistic enough to be pursued any
further? Or is it your judgement that, owing to differing
objectives, procedures and overall work style, there would be
little to be gained by an effort to have other agencies
emulate yours in the computer security field?
Approved For Release 2005/02/10 : CIA-RDP78M02660R000300020012-1
Approved For Release 2005/02/10 : CIA-RDP78M02660R000300020012-1
page 3
In that same line of thinking, would it be possible,
within national security constraints, for you to comment in
your final statement on the budgetary consideration of pro-
viding computer security? You note in your draft statement
for example, that the Agency's unique security discipline
has advanced and grown with the advancement and growth
of the Agency's computer operations. would be instructive
for the Committee's hearing record to include your own
computer managers' observations as to the relative
increases over the years in the cost of computer operations
as compared to the increased costs of computer security. In
summary, has it been your experience that the costs of com-
puter-security go up faster as new systems are applied or is
it possible that the newer applications, system, hardware and
software may one day enable us to provide improved security
at less costs?
Next, the concept of security indoctrination, as cited in
your draft statement, holds the potential for application else-
where in the executive branch. The Committee hearing record
would be enhanced if, in general terms, Senators could be
briefed in your final statement, on the general procedures you
follow when introducing personnel to security considerations
concerning computers. In addition, the practice of making
this a continuing process may be one that other agencies may
wish to give consideration to.
While instructing personnel on computer security safe-
guards on a continuous basis, the CIA, according to the
draft statement, also places the entire computer program itself
under continuous scrutiny by a group of computer security
officers. Again, within the constraints of national security
considerations, is it your view that a team of computer
security officers, or a group similar, could be introduced
into the work patterns of other federal agencies whose ADP
systems, while containing sensitive data, do not require such
a strict method of securing information. The point that is
worth discussing here can be stated in question form: Does
an agency have to assume certain of the CIA's high intensity
security characteristics in order to provide adequate security
safeguards? Or is it possible to deploy several CIA proce-
dures -- the computer security officers mission, for example --
on a selective basis? As we discussed in a previous meeting,
the Agency operates in general on the assumption that not only
is there a potential for compromise in any system; it is
also likely that an attempt will be made to effect that com-
promise. Is it an achievable goal -- is it even a desirable
goal -- to seek to instill that way of thinking into agencies
outside the intelligence and defense communities. That
question is, of course, for Senators to address. But your
~Fl@j-elsetQ~/0~{~~$j:~-7j~Vl?6~34A~~9ive for the
Approved For Release 2005/02/10 : CIA-RDP78MO266OR000300020012-1
page 4
Committee's hearing record.
Independent inquiry by the Committee staff has indicated
that very many experts in ADP operations are of the opinion
that all computer systems are vulnerable to compromise,
assuming the would be violator has sufficient resources.
Do you concur in that assertion? Please elaborate on your
reply.
It is Mr. Manuel's and my view that the original draft
statement, supplemented by additional information requested
herein, will satisfy the Committee's request for your coopera-
tion. We look forward to your continued assistance.
Sincerely,
4*04 000%
Fred Asselin
Investigator
Approved For Release 2005/02/10 : CIA-RDP78MO266OR000300020012-1