(Italicized/highlighted portions are suggested for deletion.)
The fourth scheduled meeting of the Security Policy Board (SPB) was convened on 24 April 1995 in Room 3E928, Pentagon. Co-chairs, Dr. John M. Deutch, Deputy Secretary of Defense (DepSecDef) and Acting Director of Central Intelligence, Admiral William O. Studeman, called the meeting to order at 1010.
Ambassador Anthony C.E. Quainton, Assistant Secretary for Diplomatic Security, Department of State, Mr. Raymond Kammer, Deputy Director, National Institute of Standards and Technology, Department of Commerce, Mr. Kenneth Baker, Acting Director of Non-Proliferation and National Security, Department of Energy, Mr. Bryan Smith, Office of National Security and International Affairs, Office of Management and Budget, Mr. Richard Riley, Director of Security, Department of Treasury, and Mr. Gerald Schroeder, Senior Attorney, Department of Justice, represented their respective departments and agencies.
Mr. George Tenet, Special Assistant to the President for Intelligence Programs, National Security Council was unable to attend.
A complete list of attendees is at Attachment B.
ADM Studeman deferred to Dr. Deutch for any opening comments. DepSecDef suggested going around the table for introductions. When Mr. Riley mentioned being from Treasury, DepSecDef commented that Mr. Newman was in good shape at home as he observed from a recent visit last weekend. He commented that marriage must be the thing to do. ADCI commented that the "White House was missing" to which Deutch commented "good!"
At this point, Dr. Deutch invited Mr. Saderholm, D/SPB Staff, to begin the agenda. D/SPB Staff indicated that there was a lot to cover beginning with the Joint Security Commission recommendations.
Joint Security Commission Recommendations
Mr. Saderholm referred the SPB members to their folders. He briefly explained that the recommendations originated with the Joint Security Commission (JSC) and how they were processed through the committees and the Security Policy Forum (SPF). At this point, Ed Appel, Director of Counterintelligence Programs, National Security Council arrived and Dr. Deutch welcomed him. He inquired of George Tenet's whereabouts and Appel advised that he was celebrating Greek Orthodox Easter.
Mr. Saderholm resumed his explanation and continued with the Personnel Security Recommendations. He read/paraphrased each of the recommendations from each personnel security issue, i.e., #s 13, 20, 28, 32, 34 and 50. Mr. Saderholm advised that the JSC had worded #13 slightly differently but that the SPF had suggested added words tying the JSC recommendation to the Executive Order on Classified National Security Information. Saderholm advised that #s 20, 28, 32 and 34 were all implemented/adopted within the draft Executive Order on Access to Classified Information. #50 has been adopted in the National Industrial Security Program Operating Manual (NISPOM) and will still require the USG to continue to certify the names of persons not under contract to contractors. Dr. Deutch asked if JSC Recommendation #34 was extended to all agencies, to include CIA, and Mr. Saderholm answered that it was once the order was signed.
There being no other questions or objections, Mr. Saderholm continued with the Facilities Protection Recommendations. He again read/paraphrased each of the recommendations from facilities protection, i.e., #s 45, 46, 47, 48a and 51. At this point (1019), Mr. Bryan Smith, representing Office of Management and Budget arrived.
Mr. Saderholm explained that issue #46 carried an alternative recommendation that had not been vetted within the Facilities Protection Committee (FPC) or the SPF. He advised that he did not believe that either the FPC or the SPF would object to the alternative language. In describing #47, Mr. Saderholm advised that the domestic TEMPEST policy published in late 1993 would probably be satisfactory. With respect to #51, Mr. Baker, Energy, suggested that an impact/cost study might be in order as he was not aware that one had been conducted. Mr. Saderholm indicated that SPB was looking for endorsement of the recommendation in order to go forward. Mr. Saderholm advised that the solution was close.
At this point, the ADCI asked Mr. Saderholm how many unimplemented recommendations need to be acted upon? Mr. Saderholm advised that all the JSC recommendations are on the agenda of one or another of the working groups. The ADCI asked if there were any comments on the process.
With respect to issue #51, Mr. Slocombe, Defense Policy, asked if this was to be an electronic badge since some systems in the Pentagon and some do not. Mr. Saderholm advised that there were lots of issues still involved such as format, electronic standards, and badges owned by facilities. The ADCI advised that cost was important and would probably be amortized over time. Dr. Deutch ended the discussion by saying that it sounded easy to him, just pick a badge "that goes in and let's get on with it."
Mr. Saderholm concluded this part of the agenda by describing JSC issues/SPF recommendations dealing with Training and Professional Development. Mr. Saderholm read/paraphrased issue #74.
After assuring that there were no other questions or discussions, the SPB endorsed/approved the adoption of the recommendations.
ACTION: The SPB Staff will see that the approval/endorsement of the cited recommendations is conveyed to SPF and committee representatives in order that implementation can begin (upon signing in the case of the Executive Order on Access to Classified Information).
Mr. Saderholm moved the meeting to the next agenda item concerning Information Systems Security, which took up the balance of the meeting.
Information Systems Security
Mr. Saderholm advised that this portion would begin with a briefing on the Information Systems Security issue by Mr. Bob Marquette, Deputy Manager, National Communications System.
Mr. Marquette began by describing the National Communications System (NCS). He advised that it was an organization of 23 departments and agencies chartered to ensure that the national telecommunications infrastructure is prepared to meet critical communications needs in times of national emergency. He cited NCS support of the Committee of Principals, which is a forum of 23 departments and agencies that identify and work issues of reliability, interoperability and security of telecommunications and associated information systems that affect the public switch network. The NCS is the one USG forum for addressing the vital issues of information system security.
Mr. Marquette advised that NCS also supports the National Security Telecommunications Advisory Committee (NSTAC), a presidential advisory committee made up of 29 CEOs/Presidents of major corporations.
Mr. Marquette advised that he is here today to urge the SPB to address the information security issue in a comprehensive and integrated fashion because he believes that the issue is larger than the sum of the collective efforts presently being dedicated to it across government. He advised that the issue needs the active support of all the agencies and departments, both DoD and non-DoD, to assure that the critical areas affecting information security are clearly identified and properly addressed by the SPB.
After citing several vulnerabilities and anecdotes regarding the national infrastructure, he concluded his presentation by recommending that the SPB endorse the SPF as the vehicle to address the information systems security problem in a comprehensive manner. He advised that we need to get together, work together and get on with it.
Dr. Deutch next turned to Keith Hall, Co-chair of the SPF, and asked him for comments. Mr. Hall advised that a number of attempts to discuss the issue have run into a "firewall" established by the civil side. He indicated that the SPF has made no progress. Given the overall priorities to this in the JSC recommendations, he and Mr. Haver, SPF Co-chair, decided to bring the issue to the SPB. He continued that from the perspective of the civilian agencies, there is a concern that the SPB is "too heavily weighted" to the DoD/Intelligence Community. We need to get SPB views on this issue and resolve across the classified/sensitive but unclassified spectrum.
The ADCI offered that input needs to come from the right representation level. He advised that it was clear from the Computer Security Act of 1987 (CSA/87) that the Hill clearly meant for the sectors to be segregated. There are a lot of issues involved to include technology involving NSA and the National Institute for Standards and Technology (NIST), threat assessments, common architecture and policy/standards. He opined that the public wouldn't understand a USG organized into a "left hand, right hand" response to the issue.
Mr. Schroeder, Justice, advised that Justice was prepared to support a common approach but cautioned that great sensitivity needs to be given to the issues that led to the CSA/87, specifically the civil liberties, privacy matters.
Mr. Kammer, NIST/Commerce, advised that once the issues are clearly defined, there is a great potential for "intentional distortion by some people."
Dr. Deutch advised that we have a "very, very big national problem. That is very, very expensive to do something about." He indicated that the problem is not well differentiated and is "ideally designed for the USG not to be able to cope with it." He indicated that technology is much different but accepts that the other side looks with suspicion on the SPB. He advised that the SPB is trying to take the first steps to address the issue. In his opinion, it makes sense to take an interagency look at the problem; it is not the DoD/IC versus civil agencies. It is all mixed up together.
Mr. Kammer opined that in the final analysis the recommendation may not be all that easy to do, citing the American Civil Liberties Union (ACLU) as one problem. He supported the proposition that the SPB had more a national security cast, but agreed that this is a problem that needs to be addressed.
Dr. Deutch advised that we need to go for the common good. ADM Owens, JCS, inserted the opinion "shame on us if we don't." Dr. Deutch commented that was right but the problem is complicated. He asked Mr. Hall if there were a terms of reference (TOR). Mr. Hall advised that there was not. Mr. Marquette asked if there ought to be a chair by a non-DoD/IC agency. Dr. Deutch answered yes. ADCI advised that the principal challenge is dealing with the "optics," but we do need to have some togetherness on the issue. He indicated that it seems to be about how best to organize and that the answer may not even be at this table.
Mr. Saderholm advised that the optics are nothing more than the last sentence of the information systems security recommendation issue paper (Last Sentence: As a first step, Board members should provide a representative to participate in meetings to compile a listing of major information systems security issues that should be addressed, and require that the meeting group provide its listing to the Board within 60 days.) He suggested establishing a working group to craft a TOR.
Dr. Deutch proposed drafting a TOR that would include agency representatives of the SPB who care about the subject, and a representative from the Office of Science and Technology Policy (OSTP). He further proposed that the co-chairs be DoD and Commerce and that the study include timeliness and be signed off by no lower than the deputies of each agency. He then stated that separation is not a real option any longer and that the initial inquiry be "no holds barred."
Mr. Haver, Co-chair SPF, advised that the "political optics" are different. He indicated that we can tee the issue up for them because the political center may be different, citing a new chair of the House Judiciary Committee. He also cautioned about civil liberties. And he thought it could be done as an SPF matter.
Mr. Smith, OMB, stated that the TOR sounded good to him particularly as a statement of what we have.
Dr. Deutch asked rhetorically what's deliverable, what's the schedule and was concerned about the "taxonomy" of the problem. He wanted to know what's deliverable where and when.
Mr. Hall stated that a TOR would be prepared and that a special meeting of the SPF would be called with the specific request that SPB members send a representative. Mr. Riley, Treasury, stated that this administration looks at particulars differently. AMB Quainton, State, advised that State has been dealing with the situation overseas for some time and will be glad to help. Mr. Marquette indicated that NSTAC would certainly be on-side about this.
Dr. Deutch concluded by stating "let's try it and see where it goes." He implored the membership that if they "don't want to do it, speak up." He added that "we won't be successful if we all don't want to do it." He added it shouldn't get into endless sessions. Mr. Saderholm opined that it will be difficult to do with everybody's cooperation and impossible without their cooperation.
ACTION: The SPB Staff will convene a special working group on information systems security that will compile a terms of reference regarding major information systems security issues that should be addressed, and require that the meeting group provide its listing to the Board within 60 days.
There was no other business brought to the Board's attention.
Dr. Deutch thanked the members for attending and adjourned the meeting at 1104.
SUMMARY OF ACTION ITEMS
The following action items were noted by the Secretariat:
Next meeting will be scheduled at the call of the co-chairs.