
believed that the data in the system is of very high value to others, then a degree of concern is justified.

It can be shown that the cost of intercept to the intruder as a function of his distance from the device is generally a very steep curve. His costs increase dramatically as he is forced away from the emanating device through control of the immediate surroundings. It is our belief, based on rather extensive experience in this area, that it is economically infeasible to attempt to build devices which have such a low level of emanation that no further concern for the eavesdropper is in any way justified. The cost of this low emanation characteristic heavily impacts the cost of the device.

As an alternative we have decided to evaluate each new device offering a potential for this problem so as to determine the probable cost/distance relationships to be encountered by the eavesdropper, so that we can offer our customers guidance in the selection and placement of terminals and in determining the amount of geography over which they should maintain surveillance to make improbable the loss of data in this manner. If anyone has a concern in this area, we will be glad to discuss it with him and offer appropriate guidance.

Now to the last item in our system integrity list: cryptography. We will not discuss here the particular algorithms which we have developed. I would, however, refer you to the lead article in the May 1973 Scientific American for a highly readable dissertation on that subject by Mr. Horst Feistel of our Research facility in Yorktown, N.Y. I am certain you will find that paper quite interesting and far more understandable than any dissertation I might offer on that subject here today.

I am certain that we can agree that the only generally applicable solution to a wiretapping problem is to encode the data in transmission. To that end we developed algorithms which we believe to be peculiarly useful in the data processing environment. We have started introducing cryptography in those products which, by their nature, invite wiretapping. Again, we are not aware of any loss of data from any EDP system through wiretapping. We can anticipate problems in this area when other ways of achieving the same results are not available, when wiretapping becomes the most feasible means of achieving the results, and when the rewards are sufficiently great to justify it. We believe this to be the case with on-line cash issuing terminals. For this reason we introduced the first large scale use of cryptography in the data processing business with the 2984 and 3614 Cash Issuing Terminals, in which communication between the cash issuing terminals and the host CPU is encrypted.

This brings me to the end of this discussion of one possible approach to a better understanding of the data security problems. As we work to enhance both our understanding of the problem and our ability to control any problems which exist in the data security area, I am quite certain that you share with me, as professionals in an exciting business, an intense desire that our increasingly powerful systems be powerfully used and not powerfully misused.

SECURITY IN COMPUTER NETWORKS

Peter S. Browne

General Electric Information Services Business Division 7735 Old Georgetown Road, Bethesda, Maryland 20014

It is clear that we are now entering into an era of distributed computing via networks. The highly successful concepts which were pioneered by the Advanced Research Projects Agency (ARPA) network and the General Electric Time-Sharing Network have now become very well known. These concepts contemplate batch or interactive processing, accomplished remotely with output being distributed to perhaps other locations. The data base may well reside in several places. As you know, such systems are very complex, requiring an immense amount of processing logic just to handle the message protocol.

Also, 1974 is the year of revolution for computer communications. The specialized common carriers are now getting their systems in full operation. Datran and MCI are realities. Two new entries in the marketplace, Packet Communications, Inc. and Telenet, are causing quite a stir. Therefore, the continuing trend toward marriage of the computer industry and the communications industry is inevitable.

The winners, of course, have to be the users of computing power. It will be possible to hook into a network at any time; to process against remote data bases; to tie in-house computers to those of foreign governments or companies; to query remote subsets of operations; to feed data to other remote points. Yet networking will allow, and even encourage, the use of "local" computing power to do those things that are purely local in nature. The development of networking technology, with a consequent rapid growth in on-line applications, expanded the role of computers well beyond the simple functions they were initially assigned.

It is very easy to get enthusiastic about the possibilities of networking and remote computing. The effect is the same whether the network is a "star" type such as GE's, with centralized processing capability at one end of a world-wide communications network, or the "topological" type, in which processing is accomplished at the various nodes. Costs are going down, and use is expanding almost exponentially.

While it may have been possible to remain complacent about security and privacy of data in the bygone days of stand-alone, in-house dedicated systems and batch processing, today institutions are putting increasingly sensitive data into systems that can be accessed from a host of geographically dispersed locations. The November 1973 meetings here at NBS focused on the need to develop mechanisms for security and privacy in computer systems. One recurring theme was that today's systems aren't designed with security in mind, and that technical solutions are yet to come. This is only partially true on both counts. There is no doubt that the needs for proper protection have not been sufficiently addressed by either manufacturers of hardware or users of systems. It is also true that networking represents a greater threat to security than a simpler type of dedicated system. However, I hope to show you that an adequate level of security is possible, today. To achieve it requires far more attention to the subject than most people have been willing to give. We will propose some possible safeguards and solutions to problems of security and privacy, and then devise some principles to consider when designing a system or submitting a request for proposal.

Is Network Security Possible?

The increased exposure to threats faced by on-line, remote computer networking was covered very well in the November NBS Conference. In essence, remote entry allows a would-be intruder the mask of anonymity, and communications lines themselves are vulnerable to capture, passive infiltration or the problems of misroute, transmission error, etc. Jerry Hammett of Ohio summed up the conventional wisdom of the day when he stated that "interactive processing threatens security." It is true that if one looks at the vulnerabilities of a dedicated, batch oriented system and compares a remote access, time-shared, networked system, the difference in exposure is probably that of one order of magnitude greater. The following list exemplifies the additional leakage that accrues uniquely to remote computing.

1. Physical access to the computer cannot be isolated to the environs of a machine room. Multitudes of users will be accessing the central system(s) from all over the world. If dial-up lines are used, there can be no assurance that the remote location will have any semblance of physical security.

2. The communications lines themselves are vulnerable to tapping or passive monitoring of emanations. Crosstalk between communications lines or within the switching centrals can present a vulnerability.

3. Any secure system is based on the concept of isolating any one individual from all elements of the system to which he has no need for access. Normally, this is done by denying physical access to those without "clearance." In a networked system, a large population of users with varying needs to know will be interacting simultaneously with the system. This places a heavy burden on the overall security mechanisms to control the spread of information, or its misrouting to the wrong user.

4. The complexity vulnerability has already been mentioned. The more extensive the network, the greater the probability of system error and vulnerability to rational intrusion.

5. Another problem also refers to size and scope. It is virtually impossible to verify that any large software system is completely free of errors and anomalies. Also, the state of design is such that frequent changes to the system can be expected. Errors, compounded by frequent changes, can cause frightful security problems when multiplied over a large network, in which there are multitudes of large systems, all interconnected and reliant on another large system (the interfacing processors and communications protocol) to tie them all together.

The obvious question is that with so much going against it, is there really any hope for adequate protection in such systems? As we shall explore, there is some hope not only in the future, but even now, with today's systems. Much of the hope depends on what the user or owner can do on his own.

The first step toward achieving any kind of security in a resource shared system is to apply those principles of protection that would be normally put in a local, batch, stand-alone system. If the basic principles of physical and administrative security, as well as adequate audit trails and backup are followed, then the necessary groundwork will have been laid for implementation of protection throughout the network. It is imperative, however, that each location submit to the rudimentary standards of security. Such standards must be a top management concern, because nothing will defeat a security program faster than to have an independent and recalcitrant appendage off in the boondocks thumbing his nose at all the controls floating down from above.

There are many protective measures that surveyors of networks can install into their system software and hardware, to help enhance the possibility of achieving security. The next section will explain some of the measures already existing in commercially available systems.

Current knowledge about protection technology is already at a pretty sophisticated level. People like Bob Abbott of Lawrence Radiation Labs, Clark Weissman of SDC, Hilda Faust of NSA, Butler Lampson of XDS, Larry Roberts, formerly of ARPA, and Roger Schell of the Air Force know their way around the gut technical issues of the day. They know how to design secure operating systems or secure computer/communication architecture. The development cycle is already under way. At least two major mainframe manufacturers have heavy commitments in system security design efforts. I firmly believe that within one to three years we will see commercially available secure systems that go a long way toward providing the kind of environment in which data can be kept totally private, even in a vast, resource-sharing network.

Finally, there is some good rationale for making the statement that networks can be inherently more secure than the more traditional kind of system. The reasons are as follows:

1. Fewer people are actually handling data. Consider the picture of a large batch system with the need for a Job Control Language facility, an Input/Output section, job scheduling, submission of jobs to the system by operators, collection of output and delivery to the customer. Then contrast this with a job submitted through a remote terminal, with its nature and purpose unknown to the network operators, who only hang tapes or disks with unobtrusive serial numbers and pass output to stations, not people.

2. It is easier to develop authorization schemes for people at terminals, where what they know (passwords) or what they possess (identification cards) can be used as the basis for system identification and authorization, rather than a job control card entry which is easily replaced or forged. The anonymity of a remote location can be used to good security advantage in that all jobs must go through a pre-defined authorization process before being allowed to use the computer resources.

3. The very protocol which is so necessary to even allow packets of information to be transmitted computer to computer or remote terminal to computer can serve as a security check. Additional authorization or identification checks can be built into the software. In addition, most networks utilize remote concentrators or interface message processors which have processing and memory capability. These offer a powerful tool to aid the processing, checking and auditing of security related information.

4. Many existing networks, contrary to popular belief, were designed from the beginning with security in mind. Their existence would have been very fragile any other way. Many service firms are not selling hardware; they are selling simultaneous and multiple access to central systems. And they would not stay in business very long if they couldn't protect the privacy and integrity of their customers' files and programs. There is a second reason for attention to security needs. Not only does the multiplicity of their customers make data security necessary, but it also makes it possible. A broad customer base allows the heavy investment in security programs and procedures that is the necessary first step.

5. By their very nature, computer networks are targets for penetrators, whether they be actually intent on damage, whether they penetrate because the network is "there," or whether they penetrate upon invitation by the network. The net result of such penetration activity is usually to close loopholes. Our own GE Time-Sharing Network has been under attack for many years. We have hired a noted consultant to try and break its security, and he has failed to do so, even though he has been quite successful against a number of advanced DOD and Intelligence community "secure" systems. We have also never had to pay off on a $5,000 internal reward to GE employees. This is one network system that is secure enough to hold the personal, private data of hundreds of organizations, each of which has an in-house computer system, but wouldn't entrust the most sensitive processing, the truly competitive and proprietary information, to its own data processing facility.

Achieving Security in Network Systems

Basic Physical and Data Security-How can such a level of security be achieved? There is one necessary condition. That is that the owners and users of the network follow some simple, yet definitive guidelines in regard to physical security, procedural security, backup and audit. These are necessary, but not sufficient, conditions for any computer system, but are especially important given the increased vulnerabilities of resource sharing networks.

Physical security standards should include very strict access control to the central elements of the network: the processing systems. Facilities should be protected from exposure to fire, flooding and natural elements by means of construction, proper drainage, protected location, fire and smoke detection, suppression equipment, etc. The systems should be protected against utility unreliability by power source backup, uninterruptible power systems (UPS) and redundant air conditioning equipment. Good housekeeping should be not only required, but demanded.

Procedural protection can take many forms, to include the mechanics of how access is granted. In fact, this is one of the least understood and most underestimated costs of security. In order to make protection work, detailed attention needs to be given to maintenance of system access rosters, followup of security incidents, self-inspections, updating of security policy and procedures, and training in security procedures. In every organization I know of, this is a full time job, yet very rarely is it handled by a full time person. Most security breaks down at this level; there is no one to handle the responsibility, and things don't get done. Every computer needs a Systems Security Officer, and the higher he is in the organization, the better.

The need to provide backup for systems, devices and data is self evident. As important as the backup itself is the set of procedures or rules to utilize it. Complex disaster recovery plans will do no good if, on the evening of a real catastrophe, the plan is locked in a desk drawer in the middle of the fire with no one to remember what it was all about.

The ideal security situation is to have all data movement recorded. This is impossible with today's hardware/software, so the next best step is to consider the needs for audit trails throughout the organization. Attention to the basic principles of separation of duties and accountability for actions will at least lead to possibilities of system auditability. Much of the computer abuse that Donn Parker talks about could be avoided with even simple, rudimentary attention to audit details such as internal controls for validity checks, error handling procedures, control totals, accounting for computer time and spot verification of computer output. The internal auditor needs to play a large role in the data processing part of the agency or business. He should not only evaluate existing controls, but should recommend new ones and should be consulted in the design phase of any programming project.

All of these points are brought out very forcibly in the new NBS publication "Guidelines for Physical Security of Automatic Data Processing Facilities." It is highly recommended. It will help any agency provide that necessary first step in achieving system security.

Systems Security (Controlled Accessibility)-True network security can only be achieved today through modifications to systems software and/or hardware. As mentioned by other speakers, today's commercial systems don't have the necessary modifications. There are some systems, however, that are achieving an adequate level of security. Notable is the GE Network, as well as efforts by the Air Force to develop truly certifiable versions of the Multics System. Intelligence processing networks have achieved better security than many non-DOD systems need. The principles of design that distinguish these networks from the more mundane variety have been or will be covered by other speakers in this conference. A review of some basic principles would be in order, however.

First of all, access to the system must be rigidly controlled and enforced. This implies that the identification mechanism be one in which ambiguity is minimized and which can account for impersonations. Authentication words or techniques must be protected at the highest system level and must be changed regularly. Ideally, passwords should be random and non-mnemonic. Passwords and authentication information should be stored in protected storage, not accessible through the terminal. The terminal should be a part of the access mechanism, so that certain data/programming can be restricted from certain terminals.

Secondly, each user and process must be isolated from all other programs in the system. Hardware boundary registers, software address traps and various system states should be present.

Assembly language programming should be absolutely prohibited. All requests for data access should pass through a systems routine which mediates address requests and passes them to the supervisor as a call. This is where the inherent security of Multics or VS-2 achieves high marks. In addition, core and peripheral storage should be purged or zeroed out when released, so that there is no danger of another program or user reading the residue.

Passwords or lockwords should be assignable at least to the file level. In addition, authority for other users to access, read, write or execute private files must be expressly granted, otherwise, data is not readable by other than the "owner."

Certain groups or "cliques" should be able to further restrict access by controlling the granting of passwords and privileges, without the knowledge of systems personnel. This ability should also extend to further constrain any individual by restricting the precise programs, data files and system capabilities to which he may have access.
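The access rules set out above (owner-only data unless access, read, write or execute authority is expressly granted; grants managed by a "clique" rather than by systems personnel; files restricted to particular terminals; every decision journaled) as an added example, not code from the paper or from any of the systems it names. The names, the rights vocabulary and the audit format are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Rights that may be expressly granted on a private file (vocabulary assumed).
RIGHTS = frozenset({"access", "read", "write", "execute"})


@dataclass
class FileEntry:
    owner: str
    clique: Optional[str] = None                  # clique allowed to administer grants
    terminals: Optional[frozenset] = None         # None = reachable from any terminal
    grants: Dict[str, Set[str]] = field(default_factory=dict)  # user -> granted rights


class Authorizer:
    """Default-deny file authorization with owner- or clique-managed grants."""

    def __init__(self):
        self.files: Dict[str, FileEntry] = {}
        self.clique_admins: Dict[str, Set[str]] = {}   # clique -> users who may grant
        self.audit = []                                 # journal of grants and decisions

    def create_file(self, name, owner, clique=None, terminals=None):
        allowed = None if terminals is None else frozenset(terminals)
        self.files[name] = FileEntry(owner, clique, allowed)
        self.audit.append(f"create {name} owner={owner} clique={clique}")

    def _may_administer(self, entry, actor):
        # Only the owner or an administrator of the file's clique may change grants;
        # systems personnel are deliberately absent from this check.
        if actor == entry.owner:
            return True
        return entry.clique is not None and actor in self.clique_admins.get(entry.clique, set())

    def grant(self, actor, name, user, right):
        entry = self.files[name]
        if right not in RIGHTS or not self._may_administer(entry, actor):
            self.audit.append(f"DENIED grant {right} on {name} to {user} by {actor}")
            return False
        entry.grants.setdefault(user, set()).add(right)
        self.audit.append(f"grant {right} on {name} to {user} by {actor}")
        return True

    def revoke(self, actor, name, user, right):
        entry = self.files[name]
        if not self._may_administer(entry, actor):
            self.audit.append(f"DENIED revoke {right} on {name} from {user} by {actor}")
            return False
        entry.grants.get(user, set()).discard(right)
        self.audit.append(f"revoke {right} on {name} from {user} by {actor}")
        return True

    def check(self, user, name, right, terminal):
        """Mediate one access request; every decision is journaled for audit."""
        entry = self.files.get(name)
        if entry is None or right not in RIGHTS:
            allowed = False
        elif entry.terminals is not None and terminal not in entry.terminals:
            allowed = False          # restricted from this terminal regardless of user
        elif user == entry.owner:
            allowed = True           # the owner needs no express grant
        else:
            allowed = right in entry.grants.get(user, set())
        verdict = "ALLOW" if allowed else "DENY"
        self.audit.append(f"{verdict} {right} {name} user={user} terminal={terminal}")
        return allowed
```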

The adequately secured network will provide for data encryption, at least at the file level. This ensures that data as it resides in system files, on tape or on disc is secure against capture at that level.

The crucial issue in networking is the capability to encrypt data for transmission. It is a welcome sight to see the technology for encryption now entering the public domain. The advent of specialized hardware cryptographic units to interface between computers and terminals or other computers has been long needed. Their cost is presently high, but their use is growing.

Fortunately, there is hope that relatively inexpensive cryptographic transformations can be effected by modifications to terminals.

The final issue in network security is that of the transmitted packets or messages. In a star system, in which remote concentrators are used to collect, enhance and forward messages, the issue is simpler than in a distributed network, with a greater variety of routing and distribution choices. In either case the requirements are similar; to put enough routing, control and authorization information in the message protocol so that the interfacing hardware can make appropriate decisions. These decisions should be as much a part of the line discipline as the decisions regarding acknowledgement/no acknowledgement, vertical or horizontal redundancy checks and other message switching requirements.
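The message-level checks described above (routing and authorization fields in the protocol, acknowledgement or negative acknowledgement, a vertical redundancy check per character and a longitudinal redundancy check per block) as an added example that is not part of the paper. The frame layout, the 14-bit authorization word and the per-source authorization table are assumptions made for illustration.

```python
# Constructed frame layout (assumption):
#   dest | src | ctl | auth_hi | auth_lo | len | payload ... | LRC
# Every character before the LRC is 7 data bits plus an odd-parity bit
# (the vertical redundancy check); the LRC is the XOR of all those coded
# characters (the longitudinal check).  The receiving interface processor
# checks parity, LRC, routing and the authorization word, then answers
# ACK or NAK with a reason that the network could journal.

ACK, NAK = 0x06, 0x15          # ASCII acknowledge / negative acknowledge


def with_parity(ch):
    """Return the 7-bit character with bit 7 set so the byte has odd parity."""
    if ch > 0x7F:
        raise ValueError("only 7-bit characters can carry a parity bit")
    ones = bin(ch).count("1")
    return ch | (0x80 if ones % 2 == 0 else 0)


def parity_ok(byte):
    """Vertical redundancy check: an undamaged character has odd parity."""
    return bin(byte).count("1") % 2 == 1


def lrc(coded):
    """Longitudinal redundancy check: XOR of every coded character."""
    acc = 0
    for b in coded:
        acc ^= b
    return acc


def build_frame(dest, src, ctl, auth, payload):
    """Encode header, 14-bit authorization word and payload, then append LRC."""
    if not 0 <= auth < (1 << 14):
        raise ValueError("authorization word must fit in two 7-bit characters")
    if len(payload) > 0x7F:
        raise ValueError("payload too long for a one-character length field")
    body = bytes([dest, src, ctl, auth >> 7, auth & 0x7F, len(payload)]) + payload
    coded = bytes(with_parity(b) for b in body)
    return coded + bytes([lrc(coded)])


def receive(frame, my_address, auth_table):
    """Decide ACK or NAK for a frame arriving at node `my_address`.

    auth_table maps a source address to the authorization word it must present.
    Returns (ACK|NAK, reason) so the caller can journal the decision.
    """
    if len(frame) < 7:
        return NAK, "short frame"
    coded, check = frame[:-1], frame[-1]
    if not all(parity_ok(b) for b in coded):
        return NAK, "vrc failure"            # single-bit damage in a character
    if lrc(coded) != check:
        return NAK, "lrc failure"            # damage that parity alone misses
    data = bytes(b & 0x7F for b in coded)    # strip parity bits
    dest, src, ctl, auth_hi, auth_lo, length = data[:6]
    payload = data[6:]
    if len(payload) != length:
        return NAK, "length mismatch"
    if dest != my_address:
        return NAK, "misrouted"              # routing decision made by the interface
    if auth_table.get(src) != (auth_hi << 7 | auth_lo):
        return NAK, "unauthorized source"    # authorization decision, before any use
    return ACK, "accepted"


def damage(frame, index, mask):
    """Flip the bits in `mask` at position `index`, simulating line noise."""
    return frame[:index] + bytes([frame[index] ^ mask]) + frame[index + 1:]
```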

The main points to make in regard to these measures are twofold. First of all, all the measures mentioned are available now, without having to wait for an uncertain implementation. Secondly, though implementation of all of them may not be possible, depending on the particular network in question, enough can be implemented to produce a worthwhile amount of security. It is important to emphasize that implementation of the complete set or a viable sub-set will not produce the perfectly secure computer network that can now magically begin to process the most sensitive and private data in the world. That utopia (or hell) probably will never come. There is no such thing as 100% security. With efforts currently under way, it may be possible to measure that less than 100%, and derive some useful quantification of what a system will protect against, and at what level. That is what we are all striving for. Therefore, to take a doomsday approach and claim that security is impossible to attain is as short-sighted as to ignore the very real problems of network vulnerability. Good security is possible, today. But there are some very important conditions, most of them involving human and sociological issues, not technical ones.

DPMA International Vice President for Government Relations, who is attending this Conference. I would like to share these standards with all of you:

The members of the Data Processing Management Association recognize their responsibility to:

1. Continuously strive to honor the rights to privacy of all individuals by using the information provided for their use only in the manner for which it was obtained and intended;

2. Uphold the responsibility of trust, implicit with their professional status, by maintaining the confidentiality of data entrusted to their care;

3. Avoid using information of a confidential nature to further their own personal interests;

4. Attempt to remove any misleading or inaccurate data associated with any individual, immediately upon learning that its current status is in error.

Granted, these are but words on paper . . . and in fact, have not yet been adopted. We hope, however, that they can be considered as a sort of Hippocratic Oath for Professional Data Processors who recognize their obligation to protect the citizens of this nation. We obviously see the need for stronger, more effective rules, laws and procedures, but hope that a balance will be maintained to assure that what many have called the greatest business development of all time, the computer, will not be reduced to piles of rubble, unable to help because it's been rendered powerless to harm.

To quote another American President . . . "Come, let us reason together" and let computer users, technicians, government agencies, and citizen representatives all sit down calmly and cut a path through the looming morass of laws and regulations which could harm as well as help.

Mr. Thomas

A SYSTEMATIC APPROACH TO DATA SECURITY

R. L. Thomas and Robert H. Courtney

IBM Corporation, Old Orchard Road, Armonk, New York 10504

This meeting and the conference last November focus upon the need to bring additional understanding to the complex issues of privacy, confidentiality, and security, particularly as they relate to computer systems. Bob Courtney, the next speaker, and I appreciate this opportunity to discuss some of the areas in which IBM is active to help in the resolution of these problems.

As a manufacturer of computer systems we recognize our responsibility to assist our customers in achieving the data security they require, and to offer systems, products, services and counsel that clearly contribute to the solution of data security problems.

Our earliest activities in the security area were prompted, frankly, more by our customers' need to secure certain business information than by "privacy" motivations. Historically, customers have expressed a strong desire for broader and easier access to systems, and a relatively low level of demand for data security. Today the demand is somewhat greater, and a variety of security techniques and capabilities are available to provide a level of security commensurate with the risk/cost trade-offs most desire. But the demand from customers for computer security features still ranks below other considerations such as price, performance and other special capabilities.

It is our feeling that the awareness and identification of the needs of security will increase in the future, and demand for product features and systems solutions will grow considerably. And although certain tools and techniques are available today, we feel it would be wrong for the industry to wait until that demand becomes pressing before taking the necessary steps to meet the problem.

As many of you know, at the 1972 Spring Joint Computer Conference, T. Vincent Learson, then Chairman of the IBM Board, committed IBM to a significant investment in the study of the requirements of data security and for further development of appropriate safeguards for IBM products. One example is the cryptographic techniques included in the cash issuing terminals of our recently announced finance communications system.

Another part of that investment has gone into a two-year joint study begun in 1972 with MIT, the State of Illinois and TRW, each giving special emphasis to a particular aspect of data security. We plan to publish the results of these study site efforts by the spring of this year. We do not expect significant technological breakthroughs; however, the results evaluate several key factors in data security protection and identify requirements for secure systems. Further, they confirm the belief that an effective security system must include the total environment: physical and procedural safeguards as well as those provided by hardware and software. Results are based upon actual experience with the Resource Security System and include observations and recommendations relative to identification, authorization, journaling and programming system integrity. The understanding gained on data security as a result of this work will be placed in the public domain. While only some of the pressing data
