EXECUTIVE SUMMARY

The Network Security Task Force reports its accomplishments to date and describes plans to complete its assignment as scheduled for NSTAC XIV. The task force continues to work closely with Government entities responding to direction from the Policy Coordinating Committee on National Security Telecommunications and Information Systems. Primary efforts have focused on identifying a mechanism for security information exchange concerning risks and remedies, and steps to improve flow of Government information to industry about threat to the public switched network (PSN).

The task force has established three activities: (1) a Network Security Information Exchange (NSIE) activity consisting of industry network security subject matter experts; (2) an Alert, Warning and Recovery activity providing real time notification to industry and Government about significant events regarding network security; and (3) an IES subcommittee to evaluate the above two activities and to contribute to task force conclusions and recommendations to NSTAC XIV.

The industry NSIE is being established on a trial basis. The aim of the NSIE is to foster informal, collegial exchange of information, some of it proprietary and sensitive, concerning intrusions into software of the PSN that might (1) deny telecommunications service to national security and emergency preparedness users or (2) extract NS/EP-significant information. The Government has established a Federal NSIE to work in concert with the industry group. Although separate organizations, both groups will meet together regularly to exchange information on vulnerabilities, risks and trends. In event-driven situations they will assist the alert, warning, recovery activities to mitigate the effects of network security events on the PSN. Charters and membership lists for the two NSIEs are included in report appendices.

The existing joint industry/Government National Coordinating Center (NCC) is supporting the Alert, Warning and Recovery activity, assisted by technical
advice from NSIE members. Task force evaluation of the two activities will be undertaken after some experience on which to base recommendations to NSTAC XIV.

In a separate effort, the task force is in the process of addressing charges to recommend to Government R&D needed for commercially applicable tools and to comment on standards activities. Task force subgroup members have preliminarily identified six areas that need R&D and perhaps new standards to improve telecommunications network security in the current PSN, and in which the Government may have contributions to offer. A dialogue with Government has begun to determine what Federal Agencies/Departments have accomplished in the identified need areas and which Government developments might be commercially applied or adapted. In addition, the task force is addressing the Generally Accepted System Security Principles (GSSP) concept recently proposed in a National Research Council report.

TABLE OF CONTENTS

1 Introduction
2 Status of the Effort
2.1 Establishment of an Operational Trial of Security Information Exchange
2.1.1 Task Force Approach
2.1.2 The Network Security Information Exchange
2.1.3 Alert, Warning and Recovery
2.2 Progress on R&D and Standards
2.2.1 Task Force Approach
2.2.2 Identifying Areas of Need
3 Plans for Future Task Force Activities
3.1 Plans for NSIE and Oversight Activities
3.2 Plans for R&D and Standards Activities
Appendix A Network Security Task Force Membership
Appendix B NSTAC NSIE Charter
Appendix C NSTAC NSIE Membership
Appendix D Federal Government NSIE Charter
Appendix E Federal Government NSIE Membership

SECTION 1 INTRODUCTION

Since the National Security Telecommunications Advisory Committee (NSTAC) was established, several NSTAC task forces have addressed security of US telecommunications. In early 1990, Government requested that NSTAC address potential disruption of national security and emergency preparedness telecommunications through manipulation of
software in the public switched network (PSN). An NSTAC task force evaluated the vulnerability of the current PSN to intrusions that might (1) deny telecommunications service to users or (2) extract NS/EP-significant information. The task force concluded that recent intrusions into the PSN confirm hackers have significant capabilities to penetrate key switching and signalling system elements. Individual companies are aware and are taking action; the task force provided service suppliers with a checklist of steps that, when followed, would substantially enhance the security of their own networks. The task force reported that, until there is confidence that strong, comprehensive security programs are in place, the telecommunications industry should assume that a motivated and resourceful adversary, in one concerted manipulation of network software, could degrade at least portions of the PSN and monitor or disrupt the telecommunications serving users.

The NSTAC in December 1990 approved the task force report and directed a follow-on Network Security task force (see Membership in Appendix A) to complete the following for consideration by NSTAC XIV in mid 1992:

(1) Identify a mechanism and provide an implementation plan for security information exchange concerning risks and remedies;
(2) Recommend steps to Government agencies that will improve the flow of Government information about threat to industry;
(3) Recommend to the Government research and development needed for commercially applicable security tools; and
(4) Evaluate existing industry wide standards activities for network security and make recommendations.

The NSTAC charged the task force to work closely with and in support of the Government Network Security Subgroup (GNSS). The GNSS was established in 1990 by the Office of the Manager, National Communications System (OMNCS), responsive to direction from the Policy Coordinating Committee on National Security Telecommunications and Information Systems. The GNSS is chaired by the Deputy Manager of the NCS and
has representatives from Federal departments, agencies and other entities that have particular responsibilities relevant to network security: the Central Intelligence Agency; the Defense Intelligence Agency; the Federal Bureau of Investigation; the Federal Communications Commission; the General Services Administration; the National Institute of Standards and Technology; the National Security Agency; the National Security Council; the Office of Science and Technology Policy; the Office of the Assistant Secretary of Defense (Command, Control, Communications and Intelligence); and the United States Secret Service.

Report of the Network Security Task Force, November 1990, National Communications System, Arlington, VA, Executive Summary, page i.
Memo, Chairman of the PCC-NSTIS to the Manager, April 23, 1990.

The purpose of this document is to report to NSTAC the activities and accomplishments to date of the task force and describe task force plans to complete its assignment as scheduled for NSTAC XIV.

SECTION 2 - STATUS OF THE EFFORT

2.1 ESTABLISHMENT OF AN OPERATIONAL TRIAL OF SECURITY INFORMATION EXCHANGE

2.1.1 Task Force Approach

In addressing the first two tasks assigned by NSTAC -- that is, defining a mechanism for security information exchange and improving flow of information about threat -- the task force established three activities:

o A Network Security Information Exchange activity (NSIE) consisting of network security subject matter experts from operations and security divisions of service providers and vendors in industry
o An Alert, Warning and Recovery activity providing real time notification to industry and Government about significant events regarding network security
o An IES subcommittee, chaired by the Task Force Chairman, to evaluate the above two activities and to contribute to task force conclusions and recommendations to NSTAC XIV

Prior to establishing these activities, the task force deliberated the functions to be performed, information to be exchanged, and constraints that must
be dealt with. In February a subgroup was authorized to explore options for implementing an information exchange. Advised by the subgroup and OMNCS legal counsel, the task force, in coordination with the GNSS, chose to create an NSIE rapidly on a trial basis by establishing two separate NSIE organizations -- one of representatives from NSTAC member companies, the other of representatives from the GNSS. Although separate organizations, both groups meet together regularly to exchange information on risks and trends. In event-driven situations they will assist the alert, warning, recovery activities to mitigate the effects of network security events on the PSN.

The industry NSIE is being established on a trial basis. The charter of the NSTAC as an advisory body to the President precludes establishment under the NSTAC of a permanent standing operational entity. Experience with the trial NSIE should provide insight into an appropriate long-term solution.

The OMNCS and the GNSS, working closely with the task force, established a Federal Government NSIE to work in concert with the NSTAC NSIE. The resulting Government-industry liaison in joint NSIE activities is expected to improve the flow of threat information to industry and keep Government in touch with efforts ongoing in industry to address network security.

Details of NSIE implementation were developed in concert with GNSS and OMNCS personnel, and unified crafting of complementary charters for Government and NSTAC NSIEs was completed within a few months. A letter to IES members on 17 May announced the formation of the initial temporary NSTAC NSIE as a means to respond to NSTAC tasking and asked for responses by interested parties by 10 June. In coordination with the task force, the Funding and Regulatory Working Group developed nondisclosure agreements to protect proprietary information of NSTAC member companies who participate. The NSTAC NSIE was established under the aegis of the task force. In parallel, the Government NSIE was established
under the aegis of the GNSS. An initial NSTAC NSIE meeting, held jointly with the Government NSIE, was held on June 25-6, 1991. A second meeting was held on September 11-12.

2.1.2 The Network Security Information Exchange

In the NSTAC NSIE, eight NSTAC companies are providing one or two subject-matter experts in network operations and computer security. The aim is to foster informal, collegial exchange of information -- some of it proprietary and sensitive -- on threats, incidents, vulnerabilities, remedies and risks concerning software manipulation of the PSN. The NSIE will also periodically assess security of the PSN, including trends, successes and evolving threats. These activities will be carried out in periodic NSIE meetings, usually held jointly with the Government NSIE.

In another mode of operation, if a significant attack should take place on the PSN, or if such an attack appears imminent, the NSIE experts will convene to foster a concerted response by affected companies. Procedures for convening the group in real time are being developed.

For further detail about NSIE purpose and objectives, functions, membership and operating principles, see the Charter of the NSTAC NSIE reproduced in Appendix B, the list of NSTAC NSIE Members in Appendix C, the Federal Government NSIE Charter (developed in concert with the NSTAC NSIE Charter) in Appendix D, and the Government Members in Appendix E.

2.1.3 Alert, Warning and Recovery

The task force and GNSS agreed that the existing joint industry/Government National Coordinating Center (NCC) should support the real time function of protecting against significant attacks on network software. The mission is to assist in the initiation, coordination, restoration and reconstitution of telecommunications services or It operates under the Manager, NCS, to provide for the rapid exchange of information and expedite telecommunications responses. The NCC has assumed its role in the joint approach to real time situations. Operating procedures have been defined for linking the NCC
and NSIEs on occasions where network security-related notifications are involved.

2.2 PROGRESS ON R&D AND STANDARDS CHARGES

2.2.1 Task Force Approach

The task force sees the 3rd and 4th areas of their charge -- that is, recommending to Government R&D needed for commercially applicable tools and evaluating standards activities -- as so interrelated that they are best addressed together. Accordingly, the task force has determined it will pursue the following methodology:

o Identify what network security areas need further R&D;
o Determine what is already being addressed by Government; and
o Make recommendations on government R&D and on public network standards.

2.2.2 Identifying Areas of Need

Task force subgroup members have preliminarily identified areas that need R&D and perhaps new standards to improve telecommunications network security in the current public switched network, and in which the Government may have contributions to offer. A letter soliciting Government response was mailed on 18 June 1991, and a meeting with interested parties was held on 11 July 1991. A dialogue with Government has begun to determine what Federal Agencies/Departments have accomplished in the identified need areas and which Government developments might be commercially applied or adapted.

Six areas initially proposed for discussion are:

(1) Mechanisms for easy, portable control of access to a network element;
(2) A development to introduce an appropriate level of suspicion among trusted elements of the PSN;
(3) Solutions for reliable recovery from damage to software and databases ("if you have a problem, how do you get well?");
(4) Means to adequately partition memory or otherwise isolate network element software from databases that are more broadly accessed;
(5) Means to analyze all events in a network and highlight questionable situations, e.g., exception reports; and, at a broader level,
(6) Tools to plan an architecture toward a long term, more secure network.

In addition, the task force is addressing a concept put forward in a recent National
Research Council report, that of Generally Accepted System Security Principles (GSSP).

Computers at Risk, National Research Council, National Academy of Sciences, 1991.

SECTION 3 - PLANS FOR FUTURE TASK FORCE ACTIVITIES

The task force expects to complete its full assignment, including response in four areas described on page 1, report its findings, and make recommendations for consideration of the Principals at NSTAC XIV in the summer of 1992.

3.1 PLANS FOR NSIE AND OVERSIGHT ACTIVITIES

The task force believes that the first 4 meetings of the NSIE, expected to be completed by January or February of 1992, will provide a basis for deriving task force recommendations to the Industry Executive Subcommittee (IES) when they meet in late spring 1992. As the NSIE has met only twice so far, the task force has not yet undertaken to assess NSIE activities. By the early months of 1992, the three IES members monitoring the NSIE will begin to assist the task force to formulate conclusions and recommendations about (1) whether an ongoing mechanism is needed for exchange of security information and (2) if needed, what this mechanism should be.

The NSTAC NSIE will continue to operate until NSTAC XIV in the summer of 1992, when recommendations to the NSTAC Principals will be made and, if appropriate, recommendations to the President will be proposed. If requested to do so, the NSTAC NSIE may continue to operate for a limited period beyond that time to provide a transition to a more permanent arrangement.

3.2 PLANS FOR R&D AND STANDARDS ACTIVITIES

Based on the results from identifying areas where R&D is needed, the task force will foster contact with Government organizations having relevant information to offer. If perceived by Government and industry to have value over the next half year, the final task force report will recommend ways to continue productive interaction between Government and providers/suppliers of public telecommunications beyond the lifetime of the task force. At this writing, further actions in the area of
standards are under consideration.

APPENDIX A - NETWORK SECURITY TASK FORCE MEMBERSHIP

Unisys, BELLCORE, Boeing, COMSAT, GE, GTE, ITT, McCaw, MCI, NTI, UTI
Others: CSC, GTE, Harris, Martin Marietta, NTI

Herb Benington (Chair), Dave Bush, Randy Schulz, Bob Steele, Al Dayton, Pat Glenn, Jim Moore, Joe Gancie, Rick McElhenie, Joe Cassano, Jack Edwards, Jay Nelson, John Tittle, Lowell Thomas, Bob Domino, John Hooker, Bob Petrie

APPENDIX B - NSTAC NSIE CHARTER - MAY 1991

Section I ESTABLISHMENT

The NSTAC Network Security Information Exchange, hereinafter referred to as the NSIE, is established under the auspices of the Network Security Task Force of the President's National Security Telecommunications Advisory Committee (NSTAC). The date of initial activity is June 1991.

Section II PURPOSE AND OBJECTIVES

The purpose of the NSIE is to provide a working forum to identify issues involving penetration or manipulation of software and databases affecting national security and emergency preparedness telecommunications. In this context, the NSIE will monitor network security in the public switched network (PSN). Two modes of operation will be followed. An immediate and event-driven mode will consist of reaction in real time. Another mode, longer term and more reflective, will be implemented by meeting on a periodic basis.

In reacting immediately in an event driven manner, the NSIE objective is:

o To mitigate the effects of network security events on the PSN.

In its longer-term mode of operation, the NSIE objectives are:

o To discuss and develop recommendations for reducing vulnerabilities
o To assess network risks
o To acquire threat and risk assessments from the Government
o To inform the Government of relevant risks
o To provide expertise to the NSTAC on which network security recommendations to the President can be based

Section III FUNCTIONS

To meet its real time objectives, the NSIE shall:

o Assess when alert and warning indications warrant the potential for significant degradation of PSN services and recommend measures to reduce
network impact.

To meet its longer term objectives, the NSIE shall:

o Identify lessons learned (1) about process/procedures and (2) about technology/systems.
o Exchange information and views on:
   - Threats and incidents affecting the software elements
   - Remedies and
   - Consequent risks to telecommunications
o Recommend measures to reduce vulnerabilities of the PSN.
o Periodically assess risks, including trends, international activities and key uncertainties, and inform senior NSTAC and Government managers.

Section IV MEMBERSHIP

Members of the NSIE shall be NSTAC Member organizations. NSTAC Member organizations initially participating shall be chosen by the Network Security Task Force. Each Member may appoint two individuals to participate in the NSIE, one as Regular Representative and the second as Alternate Representative. Representatives shall be subject matter experts:

o Telecommunications organization employees who are engaged full time in the prevention, detection and/or investigation of telecommunications network software penetration
o Telecommunications organization employees who have security and investigative responsibilities as a secondary or collateral function

Voting rights are accorded to each participating Member organization.

Section V ORGANIZATION

The Members of the NSIE shall elect a Chair and a Vice Chair. The Manager, National Communications System will serve as secretariat. The Network Security Task Force, working with the National Coordinating Center (NCC), shall develop initial operating procedures. These procedures may be modified on the basis of operational experience.

Section VI OPERATING PRINCIPLES

The operating principles of the NSIE are as follows:

In operating in real time, i.e., providing subject matter expertise in event-driven situations, the NSIE will coordinate with the NCC as appropriate.

o NSIE points of contact for each company will be notified by the company's NCC representative of any pertinent information
that has been provided to the NCC from other sources.
o Alternatively, the NSIE or its representatives can be the source of pertinent information that initiates NCC-related alert, warning and response procedures.

The operating principles for the longer term, i.e., in assembling on a periodic basis in a more reflective mode, will be as follows:

o Due to the sensitive nature of the information that may be discussed at NSIE meetings, attendance will be limited.
o Recording devices of any kind will not be permitted at NSIE meetings unless specifically authorized by the group.
o A nondisclosure arrangement will be needed among representatives and meeting attendees.
o Summary meeting notes will be prepared, will be marked proprietary as required by the content, and will be limited in distribution.
o In performing its functions, the NSIE shall:
   - Invite the Government to participate, as appropriate, in assessing the potential for significant degradation of PSN services due to intrusion events
   - Regularly meet jointly with the Federal Government NSIE to exchange information on threats, vulnerabilities, remedies and risks
o For NSIE meetings that are joint with the Government NSIE, the attendees and agendas will be jointly agreed to by the Chairs of the two groups.

The NSIE will operate within the requirements of all applicable state or Federal laws concerning the disclosure of information.

APPENDIX C - NSTAC NSIE MEMBERSHIP

UTI, NTI, Bellcore, GTE, Martin-Marietta, McCaw, MCI

G. Jay Nelson (Chair), Donsa Lewis, James Edward Fquord Jr. (Vice Chair), Robert E. Petrie, J. R. Dalton, Robert C. Rencher Jr., Hank M. Kluepfel, Carl G. Showalter, James E. Moake, David A. Fiasco, M. Duane Heidel, Jack Farley, Robert E. Wilson, Bruce A

APPENDIX D - FEDERAL GOVERNMENT NSIE CHARTER - 6/25/91

Section I ESTABLISHMENT

The Federal Government Network Security Information Exchange, hereinafter referred to as the NSIE, is a subordinate activity of the Government Network Security Subgroup. The Government Network Security Subgroup was established under the
auspices of the Manager, National Communications System, in response to tasking from the National Security Council's Policy Coordinating Committee for National Security Telecommunications and Information Systems. The date of initial activity of the NSIE is June 1991. The Government NSIE is meant to complement the NSIE of the President's National Security Telecommunications Advisory Committee (NSTAC). If the NSTAC NSIE is deactivated, the need for continued operation of the Government's NSIE will be evaluated at that time.

Section II PURPOSE AND OBJECTIVES

The purpose of the NSIE is to provide a working forum to identify issues involving penetration or manipulation of software and databases affecting national security and emergency preparedness telecommunications. In this context, the NSIE will assess and make recommendations concerning network security on the Public Switched Network (PSN). Two modes of operation will be followed. An immediate and event-driven mode will consist of reaction in real time. Another mode, longer-term and more reflective, will be implemented by meeting on a periodic basis.

In reacting immediately in an event driven manner, the NSIE objective is:

o To mitigate the effects of network security events on needs served by the PSN.

In its longer term mode of operation, the NSIE objectives are:

o To assess network risks and develop approaches for reducing vulnerabilities;
o To provide threat, vulnerability and risk assessments based on information from Government sources to the NSTAC NSIE;
o To acquire relevant risk information from the NSTAC NSIE;
o To assist the NSTAC NSIE by providing expertise to the NSTAC on network security; and
o To provide advice to the Government Network Security Subgroup on network issues.

Section III FUNCTIONS

To meet its real time objectives, the NSIE, separately or in coordination with the NSTAC NSIE, will:

o Assess when alert and warning indications warrant the potential for significant
degradation of PSN services to needs and recommend approaches to reduce network impact on needs.

To meet its longer-term objectives, the NSIE will:

o Identify lessons learned about (1) processes/procedures and (2) technology/systems.
o Exchange information and views on:
   - Threats and incidents affecting the software elements of the PSN
   - Vulnerabilities of the PSN
   - Remedies and
   - Consequent risks to telecommunications
o Assess vulnerabilities of the PSN as they relate to needs.
o Annually assess risks, including trends, international activities and key uncertainties, and inform the Government Network Security Subgroup, which will, as appropriate, make the assessment available to the NSTAC in support of its chartered responsibilities to advise the President on telecommunications issues.

Section IV MEMBERSHIP

Members of the NSIE shall be the Central Intelligence Agency, the Defense Intelligence Agency, the Federal Bureau of Investigation, the General Services Administration, the National Institute of Standards and Technology, the National Security Agency, the Office of the Manager, National Communications System, the Office of the Secretary of Defense for Command, Control, Communications and Intelligence, and the United States Secret Service. The Federal Communications Commission (FCC) will designate a nonvoting liaison representative to the NSIE to participate in meetings, as appropriate, wherein the exchange of information between the FCC and NSIE would be mutually beneficial.

Each Member may appoint up to two individuals, preferably with each representing a different functional group within the agency, to participate in the NSIE. Representatives will be subject matter experts:

o Federal organization employees who are engaged in the prevention, detection and/or investigation of computer penetration, especially telecommunications network software penetration
o Federal organization employees who have telecommunications network security and
investigative responsibilities as a secondary or collateral function

Voting rights are accorded to each participating Member organization.

Section V ORGANIZATION

The Members of the NSIE will elect a Chair and a Vice Chair. The Manager, National Communications System will serve as secretariat. The NSIE, working with the National Coordinating Center (NCC), will develop initial operating procedures. These procedures may be modified on the basis of operational experience.

Section VI OPERATING PRINCIPLES

The operating principles of the NSIE are as follows:

In operating in its real time mode, providing subject matter expertise in event driven situations, the NSIE will coordinate with the NCC as appropriate.

o NSIE points of contact for each Government organization will be notified by the NCC of any information judged pertinent that has been provided to the NCC from any other sources.
o Alternatively, the NSIE or its representatives will provide to the NCC any pertinent information that could initiate NCC-related alert, warning and recovery procedures.

The operating principles for the longer term, in meeting on a periodic basis in a more reflective mode, will be as follows:

o Due to the sensitive nature of the information that may be discussed at NSIE meetings, attendance will be limited.
o Recording devices of any kind will not be permitted at NSIE meetings unless specifically authorized by the group.
o In order to share and discuss industry proprietary and sensitive information, some form of nondisclosure arrangement may be needed among representatives and others attending the meetings.
o Summary meeting notes will be prepared, will be marked proprietary/classified as required by the content, and will be limited in distribution.
o In performing its functions, the NSIE will:
   - Participate, as appropriate, with the NSTAC NSIE in assessing the potential for significant degradation of PSN services due to intrusion events; and
   - Regularly meet jointly with the
NSTAC NSIE to exchange information on threats, vulnerabilities, remedies and risks.
o For NSIE meetings that are joint with the NSTAC NSIE, the attendees and agendas will be jointly agreed to by the Chairs of the two groups.

The NSIE will operate within the requirements of all applicable Federal laws concerning the disclosure of information.

APPENDIX E - FEDERAL GOVERNMENT NSIE MEMBERSHIP

OMNCS: Frederick W. Herr (Chair)
FBI: James C. Settle (Vice Chair)
CIA: W. Allen Day
DIA: Stanley R. Young
GSA: George F. Flynn
J. Robert Anderson
NIST: Dennis D. Steinauer
NSA: Robert A. Cavaluchi
Thomas R. Moyle
Dave 801