WHMurray@DOCKMASTER.NCSC.MIL (08/27/90)
Forwarded with permission.

#246 (79 lines):
Date: Thursday, 23 August 1990 08:24 edt
From: rhcx%beta at LANL.GOV (Robert H Courtney)
Subject: NYT Article
To: WHMURRAY at DOCKMASTER

August 19, 1990

Mr. Max Frankel, Executive Editor
The New York Times
229 West 43rd Street
New York, NY 10036

Dear Mr. Frankel:

Your article, "Washington is Relaxing Its Stand on Guarding Computer Security", by John Markoff, August 19, reflects a serious misinterpretation of both the intent and the probable effect of the new Presidential directive on computer security.

The new directive replaces NSDD #145, which was issued by the Reagan administration in 1984. With the authority of that older directive, and because they were not willing to accept the utterly mundane, unexciting nature of the data security problems in most agencies, the National Security Agency (NSA) distorted the data security implementations of many federal civil agencies and reduced the effectiveness of their computer security programs.

NSA's computer security efforts were oriented exclusively about the protection of classified data from disclosure to those who did not have appropriate security clearances. Their development program did not address the need for data to be complete, accurate, timely and available. They were concerned only with the confidentiality of data and wholly unconcerned about their usefulness to their proper owners.

It has been an unfortunate NSA assumption that those with appropriate security clearances can be trusted to the level of their clearances. This ignores the damage which has been done in recent years by Messrs Walker, Pelton, Pollard, Boyce, Smith, Miller, et al, all of whom were cleared for access to the data which they delivered to those who appeared, until recently, to be the enemy. There seems to be no basis for a belief that comparable damage has been done through technically-oriented, foreign-directed penetrations of our systems containing classified data.

Fortunately, the new directive relieves the civil agencies from a requirement that they continue to accept misleading guidance in computer security from NSA. Unfortunately, it was not issued until significant damage had already been done.

The Computer Security Act of 1987 gives the National Institute for Standards and Technology (NIST) responsibility for providing technical guidance in computer security to the civil agencies and DoD for the protection of their unclassified data. It is regrettable that NIST is very poorly funded for work in the computer security area and, at the current funding levels, cannot provide any significant amount of the technical leadership in computer security so badly needed by the civil agencies. Only a small portion of funds previously available to NSA for computer security would permit NIST to provide the needed guidance.

Whether those funds are provided or not, the new and wisely conceived directive will not result in relaxation of the security afforded data by either DoD or the civil agencies. The new directive rectifies a serious error of the previous administration and makes it probable that data security in the civil agencies will improve - not as much as it would if NIST had adequate funding and not as much as it should, but it will be improved. The contrary impression conveyed by your reporter is unfortunate.

Sincerely,

Robert H. Courtney, Jr.