Security Policy Advisory Board
December 8, 1999
The President
Through:
Mr. Samuel R. Berger
The White House
Washington, DC 20500
Subject: Advisory Board Annual Report
Background
The Security Policy Advisory Board (SPAB) was chartered by Presidential Decision Directive 29 of 16 September 1994 to provide a non-government, public interest perspective on actions required to streamline and improve Federal security policies and procedures. Our frame of reference has been PDD-29 and the underlying recommendations of the report of the Joint Security Commission (JSC) dated 28 February 1994. This year we add the report of JSC II, dated 24 August 1999.
Part of our charter is to provide the President, through the National Security Advisor, an annual report of our findings on the implementation of recommendations included in the JSC reports, with emphasis on the four key principles enumerated in PDD-29, namely that security policy: 1) match the threat; 2) be consistent and enable us to allocate scarce resources efficiently; 3) result in fair and equitable treatment; and 4) provide the security we need at a price we can afford.
In keeping with our tasking, we held a series of public meetings over the last year to discuss particular security issues and to solicit inputs from the public at large, with particular emphasis on industry. To encourage public participation, our meetings are advertised in the Federal Register, held in locations where there are significant concentrations of government contractors, and occasionally scheduled in conjunction with meetings, conventions, or other gatherings of industrial security organizations. This past year, meetings were held in Seattle, Washington; Minneapolis-St Paul, Minnesota; and Las Vegas, Nevada.
In this, our third year of activity, we continued to focus on personnel security issues, but also were deeply involved in the deliberations of the Joint Security Commission II (JSC II), which expanded its focus to securing government information systems. The members of the SPAB served on JSC II and concur with the recommendations in the JSC II report.
General Observations
The Security Policy Board (SPB) process continues to advance the goals of PDD-29, but progress is uneven and the process can be made more effective with some restructuring and better focus by the senior leadership. To this end, we strongly support the structural changes recommended by JSC II. The SPB co-chairs have strongly supported the need for these changes, and actions to implement them are underway.
There is, in key segments of the government, significantly more urgency associated with solutions to outstanding security problems than was the case at the time of last year's report. A number of developments over the past year highlighted the need for significantly increased attention to personnel security and electronic security. Both areas are receiving increased attention. On the other hand, there continues to be significant frustration on the part of industry with the slow pace of streamlining security practices and with the continuing arbitrary, burdensome, intrusive, and costly nature of some of them. We believe that the JSC II report highlighted a number of these areas where, if recommendations are adopted, significant efficiencies could result.
The attachment highlights five areas where the Advisory Board feels there is a need for increased focus and accelerated progress to meet the goals of PDD-29.
Respectfully,
[signed]
Larry D. Welch
Chairman
Security Policy Advisory Board
Attachment: As Stated
Key Areas Requiring Increased Focus and Accelerated Progress
Personnel Security
Inadequate resources and management deficiencies have resulted in failure to meet agreed standards for Secret and Top Secret clearances and have created a large clearance backlog in the Department of Defense with extensive implications for the quality of personnel security, for reciprocity with other agencies, and for personnel costs for defense industry. DoD leadership has taken a series of actions to correct these deficiencies, providing both resources and leadership focus.
The Joint Security Commission II made several recommendations intended to improve both the focus and the process for personnel security. The Security Policy Board is currently acting on those recommendations. They include:
- Enforcing the standards now for initial clearances and re-investigations.
- Appointing a new Director of the Defense Security Service with clear guidance.
- Adding resources to clear the large backlog of initial clearances.
- Examining the large backlog in re-investigations to categorize the associated risks and address the highest potential risk cases first.
- Providing a community-wide investigations/clearance database to eliminate duplicative investigations and clearance procedures and to ensure a valid record of cleared individuals.
An additional area for increased focus in the personnel security area is the need to expand the current personnel security structure to include processes for establishing the suitability, reliability, and trustworthiness of individuals who have access to sensitive but unclassified government information, operations, or duties. The distinction between the sensitivity of classified information and the need for reliable and trustworthy people to deal with sensitive unclassified information is becoming less meaningful. The JSC II recommended that the SPB develop and forward to the NSC a suggested new Executive Order that establishes this more comprehensive approach to personnel security.
Information Security -- Authority and Responsibility
National authorities, responsibilities and charters in the area of Information Security (Infosec) remain ambiguous and, in some cases, in conflict. There needs to be a much greater sense of urgency in resolving this issue within the Government. There is clear recognition that this is a complex area with multiple equities and interests involving government and the private sector. Still, there is little reason to expect progress until there is a rational and operational government organization for progress.
The current structure of authorities and charters for Infosec in the government has been evolving at a pace which has not kept up with the emerging threat. The incremental nature of the government response to this threat has resulted in legislation, regulation, policy documents, and charter assignments which are often unclear and overlapping and are sometimes contradictory. Yet there are few areas more critical to the orderly function of government than its ability to access, utilize, and rely upon its information. Responsibility for protection of this critical resource needs to be coalesced and focused. We strongly support an immediate effort to resolve this issue via Presidential Directive and/or legislation, and recommend that the National Security Advisor direct the co-chairs of the SPB to convene a panel made up of members of the SPB Executive Committee to draft the required guidance and directives, or recommend the necessary legislation.
Information Security -- Network Defense in Depth
The Government needs to commit to developing a "Defense in Depth" Infosec posture for classified and critical unclassified networks which structures these networks to "resist-recognize-recover" when under cyber attack.
The "detect-protect-respond" model currently used to describe "Defense in Depth" places heavy emphasis on protecting data, with comparatively light emphasis on the often more difficult problems of detecting penetration or responding to attack. The "resist-recognize-recover" model employed by the Computer Emergency Response Team at Carnegie Mellon University is a more useful way to think about securing government information systems. While some government systems will require the levels of protection available only from government sources, commercial approaches can contribute much to protection of many government networks.
Even with the primary emphasis on the first line of defense -- resisting penetration through access control -- there are important measures available that are not in widespread use in government systems. These measures include the use of tokens in place of passwords and certifications at various levels. The use of these measures is increasing rapidly in the commercial world and they are readily available. However, the government is slow to adopt these protective measures.
Similarly, technologies to support the second line of defense -- detecting anomalies inside the system caused by unauthorized access -- are developing at an accelerating pace, and the government should closely follow and evaluate these approaches for government use.
For many government networks, the most devastating impact will come, not from disclosure of information, but from denial of service. The third line of defense -- rapid response to data compromise and rapid recovery from denial of service attacks -- needs to be a design requirement in critical networks.
The JSC II and SPAB found only minimal attention to the second and third lines of defense.
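The three lines of defense described above can be made concrete with a small monitor that runs over access-log records. The following is an added example and is not code from the report or from the Board; the log format, field names, thresholds, training day and response playbook are all assumptions made for the demonstration, and the log lines are constructed. The first line (resist) is represented by a check that logins use a token rather than a reusable password; the second (recognize) by comparing each login and read pattern against a baseline learned from a day of normal use; the third (recover/respond) by attaching a pre-decided response to every finding so that reaction does not have to be improvised during an incident.

```python
"""Layered ("resist-recognize-recover") monitor run over constructed access-log
records.  Added example, not from the SPAB report; the log format, field names,
thresholds and response playbook are assumptions made for the demonstration."""
import re
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed sample records: day 1 is normal use, day 2 contains unusual activity.
SAMPLE_LOG = """\
1999-12-01T09:02:11 user=alice src=10.1.1.5 auth=token action=login result=ok
1999-12-01T09:05:40 user=alice src=10.1.1.5 auth=token action=read
1999-12-01T14:20:03 user=alice src=10.1.1.5 auth=token action=read
1999-12-01T09:30:02 user=bob src=10.1.2.9 auth=password action=login result=ok
1999-12-01T09:31:10 user=bob src=10.1.2.9 auth=password action=read
1999-12-02T02:14:55 user=alice src=203.0.113.7 auth=token action=login result=ok
1999-12-02T02:15:30 user=alice src=203.0.113.7 auth=token action=read
1999-12-02T02:15:31 user=alice src=203.0.113.7 auth=token action=read
1999-12-02T02:15:32 user=alice src=203.0.113.7 auth=token action=read
1999-12-02T02:15:33 user=alice src=203.0.113.7 auth=token action=read
1999-12-02T02:15:34 user=alice src=203.0.113.7 auth=token action=read
1999-12-02T09:45:00 user=bob src=10.1.2.9 auth=password action=login result=ok
"""
TRAINING_DAY = date(1999, 12, 1)   # assumed day used to learn each user's normal pattern
READ_BURST = 5                     # assumed: reads inside READ_WINDOW treated as bulk access
READ_WINDOW = timedelta(minutes=1)
RESPONSES = {                      # third line: assumed pre-planned reaction per finding
    "password_only_login": "require token enrolment before next login",
    "new_source": "require step-up authentication",
    "off_hours": "alert duty officer",
    "bulk_read": "suspend session and preserve the access log",
}
LINE_RE = re.compile(r"^(\S+)\s+(.*)$")

def parse_line(line):
    """Turn one 'timestamp key=value ...' record into a dict with a datetime 'ts'."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable record: {line!r}")
    event = dict(kv.split("=", 1) for kv in m.group(2).split())
    event["ts"] = datetime.fromisoformat(m.group(1))
    return event

def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def build_baseline(events, training_day):
    """Learn each user's usual source addresses and active hours from one day."""
    base = defaultdict(lambda: {"src": set(), "hours": set()})
    for e in events:
        if e["ts"].date() == training_day:
            base[e["user"]]["src"].add(e["src"])
            base[e["user"]]["hours"].add(e["ts"].hour)
    return base

def detect(events, baseline):
    """First and second lines: flag logins that bypass the token policy (resist)
    and activity that deviates from the learned baseline (recognize)."""
    findings = []
    recent_reads = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        user, ts = e["user"], e["ts"]
        if e["action"] == "login":
            if e.get("auth") != "token":
                findings.append((user, "password_only_login"))
            b = baseline.get(user)
            if b and e["src"] not in b["src"]:
                findings.append((user, "new_source"))
            if b and ts.hour not in b["hours"]:
                findings.append((user, "off_hours"))
        elif e["action"] == "read":
            # keep only reads from this user inside the sliding window
            window = [t for t in recent_reads[user] if ts - t <= READ_WINDOW]
            window.append(ts)
            recent_reads[user] = window
            if len(window) == READ_BURST:
                findings.append((user, "bulk_read"))
    return findings

def respond(findings):
    """Third line: attach the pre-decided response so reaction is not improvised."""
    return [(user, f, RESPONSES[f]) for user, f in findings]

def run_demo():
    events = parse_log(SAMPLE_LOG)
    baseline = build_baseline(events, TRAINING_DAY)
    return respond(detect(events, baseline))

if __name__ == "__main__":
    for user, finding, action in run_demo():
        print(f"{user:6} {finding:20} -> {action}")
```

Run as a script, the monitor reports bob's password-only logins on both days, and for alice the day-2 login from an address and at an hour never seen in the baseline, followed by the burst of reads. The point of the `RESPONSES` table is the one the report makes about the third line of defense: the response to each class of finding is decided in advance as a design requirement, not worked out after the compromise.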
Industrial Security Guidance
The most persistent and consistent complaint at the SPAB public meetings is the continuing delay in providing information security guidance to industry. After a long delay, the SPB structure has made significant progress in completing this guidance. Still, until it is on the street and understood by industry and government, this will continue to be a significant weakness in meeting the goals of PDD-29.
Defining the Threat
The Joint Security Commission recommended a single clearinghouse for threat data to be available to the security community, with particular emphasis on ensuring that this data is readily available to industry. Still, there has been little progress in chartering and funding an organization to provide this support. We continue to believe that the National Counterintelligence Center (NACIC) is the logical entity for this responsibility, though this would require an expansion of their charter and incremental staffing and funding to provide support across the spectrum of threat. The underpinnings of PDD-29 are based on an assumption that security will respond to established threats. The risk management approach called for in security directives assumes a reasonable response to understood threats. Hence, providing support in understanding the variety of threats in the variety of circumstances is critical to implementing the guidance in PDD-29. It has been more than five years since this need was widely recognized. It is time to make it happen.