20th National Information Systems Security Conference
October 6, 1997: Pre-Conference Workshops
October 7-10, 1997
Baltimore Convention Center, Baltimore, MD

Sponsored by:
- Information Technology Lab, National Institute of Standards and Technology
- National Computer Security Center, National Security Agency

Contents
- Overview
- Special Features
- Workshops
- Presentations
- Closing Plenary
- General Information
- Sponsors
- Registration Form
- Housing Form
- Map of Baltimore (inside back cover)

Overview

As a leading global forum on computer and information systems security, the National Information Systems Security Conference seeks to:
- bring together information security and technology professionals from industry, academia, and government;
- provoke debate, dialogue, and action on major information security issues for today and tomorrow;
- educate the IT community on major information security issues and solutions;
- promote demand and investment in information security products, solutions, and research; and
- challenge the IT community to provide solutions, research, and applied technology that are usable, interoperable, scalable, and affordable.

The conference will present multiple tracks with workshops, tutorials, panels, and refereed papers in the areas of:
- Assurance/Criteria/Testing
- Internet
- Debate
- Policy/Administration/Management
- Electronic Commerce
- Research and Development
- Information Infrastructure
- Tutorials

To improve the conference and increase its focus, the Program Committee has been expanded this year. The new members include Jim Schlinder, Hewlett Packard; Peter Tasker, MITRE Corporation; and Roger Quane, NSA, who have orchestrated the Electronic Commerce, Internet, and Tutorial tracks respectively. In addition, Joan Winston, Trusted Information Systems, Inc., and John Woodward, MITRE Corporation, have arranged several sessions in the new Debate Track and Critical Infrastructure Thread.
Hilary Hosmer, Data Security, Inc., has provided overall guidance to the Program Committee.

Conference threads will address the interests of the financial, business, academic, and government communities. Topics discussed will be directed toward:
- Security professionals
- Chief Information Officers
- VPs and managers of engineering, R&D and technology
- Information systems managers and analysts
- Network managers
- Webmasters
- Researchers
- Electronic commerce participants
- Anyone with an interest in securing information systems

There will be opportunities for information sharing as well as new approaches for solving management and technical issues. The conference will contribute to your professional growth as you gain new insights and knowledge, in turn assisting in your information systems security responsibilities. The formal sessions and social events will provide time to network with experts and peers across a wide spectrum of interests.

This Preliminary Program contains the most current information available at the time of printing. As we add additional sessions to the program, times and dates may be changed to avoid conflicts. The final program will be distributed at the conference and will be available on the World Wide Web at http://csrc.nist.gov/nissc/.

Information Systems Security Exposition (held in parallel)

A parallel exposition will provide a forum for industry to showcase information systems security technology and hands-on demonstrations of products and services that are potential solutions to many network and computer security problems. The exposition, sponsored by the Armed Forces Communications and Electronics Association (AFCEA), will be presented on October 8 and 9, from 10 a.m. to 5 p.m. For exposition information, call the AFCEA at (703) 631-6200 or send e-mail to jspargo@aol.com.

Special Features

Monday, October 6, 1997

Pre-Conference Workshops, 11:00 a.m.-5:30 p.m. Pre-registration required.
Cost: $100
- I. Risk Management for Information Systems: A Quantitative Solution
- II. Common Criteria Protection Profile
- III. How to Establish an Incident Handling Capability
- IV. Connecting to the Internet

Tuesday, October 7, 1997

Early Bird Sessions, 8:30 a.m.-10:00 a.m.

Conference Overview
Christopher Bythewood, National Security Agency, Chair
- Recommended for first-time attendees. Provides an overview of topics being presented this year.

Planning Information Security
Christine Trently, Lockheed Martin, Chair
- Information Security is Information Security - Ira S. Winkler, National Computer Security Association
- Secrets, Lies, and IT Security - Guy King, Computer Sciences Corporation
- The NPS CISR Graduate Program in INFOSEC: Six Years of Experience - Cynthia E. Irvine, Naval Postgraduate School

Student Papers on Electronic Commerce
Nick Pantiuk, IITRI, Chair

Information Systems Security Videos
Roger Quane, NSA, Chair
- A selection of videos used in NSA's training programs will be shown.

Opening Plenary, 10:30 a.m.-12 noon, Ballroom I
Keynote Speaker: Tom Marsh, Chairman, Presidential Commission on Critical Infrastructure Protection

Award Ceremony and Reception
Awards will be presented to vendors that have successfully developed security product lines that have been approved by the NIST Validation Program or the NCSC Trusted Computer System Evaluation Program. Certificates also will be presented to participants in the Systems Security Engineering Capability Maturity Model. The ceremony commences at 5:45 p.m., followed by the reception.

Wednesday, October 8, 1997

Banquet
- Cash bar, 6 p.m.
- Dinner, 7 p.m.
- Dinner Speaker: Bran Ferren, Executive Vice President, Walt Disney Imagineering

Thursday, October 9, 1997

Best Paper and Best Student Paper Award Ceremony and Reception
Best paper and best student paper awards will be presented at the National Cryptologic Museum at Fort Meade, Maryland. Directions and bus information will be available at the conference Information Booth.
An awards reception will begin at 6:30 p.m. and end at 8 p.m. in the museum.

Friday, October 10, 1997

Closing Plenary, Ballroom
Dr. Peter G. Neumann, SRI International, will lead an internationally distinguished panel on "The Future of Electronic Commerce: Risks, Realities, and Expectations." This panel begins at 10:30 a.m.

Visit the vendor exposition! Over 100 INFOSEC vendors in the Convention Center Exhibition Hall. Sponsored by the Armed Forces Communications and Electronics Association (AFCEA).

Pre-Conference Workshops

Monday, October 6, 1997
Pre-registration is required. Cost: $100 per workshop.
11:00 a.m.-5:30 p.m., Baltimore Convention Center

Workshop I: Risk Management for Information Systems: A Quantitative Solution
- Greg Adams, Trident Data Systems
During this course, the instructor uses a series of tutorials and interactive class exercises to give the student a comprehensive overview of the quantitative risk analysis process. At the end of the day, the student will have a thorough understanding of the phases which make up the risk assessment process and the algorithms used to calculate vulnerability, asset, threat, and risk measures.

Workshop II: Common Criteria Protection Profile
- Lynn Ambuel, BDM International
- Murray Donaldson, CESG, UK
This workshop will provide information and instruction on using the Common Criteria to build protection profiles to express information technology security requirements. Community experience in building protection profiles will be used for this instruction. Alternative sets of related technologies will be compared and contrasted in the hope of harmonizing like requirements into generic protection profiles for given technologies (e.g., firewalls). In addition, issues arising from attempting to create protection profiles representing non-classic requirement sets will be discussed.
Workshop III: How to Establish an Incident Handling Capability
- Sandy Sparks, CIAC, Lawrence Livermore
- Kathy Fithen, CERT/CC and FedCIRC/EAST
- Marianne Swanson, NIST
This workshop, which is sponsored by the Federal Computer Incident Response Capability (FedCIRC), will address many of the technical and administrative issues involved in establishing an incident handling capability. Topics to be covered include organizational structure, roles and responsibilities, technology platforms, incident handling methods, sample policy, reporting and issuing alerts, administrative and incident handling procedures, communications (users, other), and lessons learned.

Workshop IV: Connecting to the Internet
- Tom Christian, CIAC, Lawrence Livermore
This workshop will address many of the technical issues involved in connecting to and managing systems and sites that are parts of the Internet. Current threats on the Internet and how to work with incident response teams and obtain sources for more information will be explored. Administrative information also will be given, such as the importance of setting up policies with management support. Topics to be covered include current Internet threats, securing the system, detecting intrusions, and security on the Internet.

Presentations

Tuesday, October 7, 1997

Early Bird Sessions, 8:30 a.m.-10:00 a.m.
- Conference Overview: Christopher Bythewood, National Security Agency, Chair
- Planning Information Security: Christine Trently, Lockheed Martin, Chair
- Student Papers on Electronic Commerce: Nick Pantiuk, IITRI, Chair
- Information Systems Security Videos: Roger Quane, NSA, Chair

Opening Plenary, 10:30 a.m.-12 noon, Ballroom I
Keynote Speaker: Tom Marsh, Presidential Commission on Critical Infrastructure Protection, Chair

Tuesday, October 7th, 2:00 - 3:30 PM

Track A: Electronic Commerce
Business Models for Electronic Commerce
A basic issue in the world of commerce on the Internet is the development of an appropriate business model.
Some examples are entertainment (cable TV), telecoms, computing, and publishing. Each industry has different views based on history, economics, and technology. This session will discuss each industry's experience and its applicability to electronic commerce.

Track B: Information Infrastructure
Infrastructure Vulnerabilities
John P. L. Woodward, MITRE, Chair
Panelists:
- Duane G. Hardy, Presidential Commission Staff
- Other Panelists: TBD
This panel will discuss information vulnerabilities of infrastructures on which our national security depends, including telecommunications/networks, transportation systems, banking/finance systems, and electric power distribution. Audience participation - asking questions and sharing points of view - will be encouraged.

Track C: Debate
Legal & Liability Issues for the Use of Encryption
Joan Winston, TIS, Chair
Panelists: TBD
Increasingly, encryption is seen as a major tool for safeguarding information as it is stored or transmitted in electronic form. This session will debate the following topics:
- What will constitute business "best practice" for use of encryption?
- What will be required for "due care" in the use of encryption to safeguard stored files and records?
- What are the liability concerns for the use of powerful encryption products, and who will bear the risks?
- How can these risks be mitigated?

Track D: Assurance / Criteria / Testing
National Information Assurance Center
Timothy Grance, NIST, Chair
Panelists: Senior Representatives from NSA, NIST, and Industry
Reconciling the cost, quality, and timeliness of computer security testing and evaluation with the time-to-market pressures of IT vendors and the assurance needs of government and business is a daunting challenge. In response, NIST and NSA are forming the National Information Assurance Center. This session will discuss the center's goals, scope, agenda, projects, and partnership opportunities.
Track E: R & D
Role-Based Access Control
David Ferraiolo, NIST, Chair
- Role-Based Access Control for the World Wide Web - Richard Kuhn, NIST
- Observations on the Real-World Implementation of Role-Based Access Control - Burkhard Hilchenbach, Schumann Security Software, Inc.

Track F: Policy / Administration / Management
Multilevel Security
Ronda Henning, Harris Corporation, Chair
- A Multi-Level Secure Object-Oriented Database Model - George Durham, University of Maryland-Baltimore County
- Use of SSH on a Compartmented Mode Workstation - Johnny S. Tolliver, Oak Ridge National Laboratory
- Multilevel Architectures for Electronic Document Retrieval - James A. Rome, Oak Ridge National Laboratory

Track G: Tutorials
Introduction to Information Systems Security
Diana Strickland, NSA
This tutorial presents a computer-based training overview of the multi-disciplined practice of Information Systems Security (INFOSEC) guidelines and policies as well as the basic INFOSEC elements of Communications Security (COMSEC) and Computer Security (COMPUSEC). There is also a review of information processing which outlines user responsibilities for handling data being stored, transmitted, or processed.

3:30 - 4:00 PM Session Break & Social Networking

4:00 - 5:30 PM

Track A: Internet
Security and Trust on the World Wide Web
J. Miller, World Wide Web Consortium (W3C), Chair
Panelists:
- Phil DesAutels, W3C
- Winn Treese, Open Market, Inc.
- Brian O'Higgins, Entrust
Panel and status report to include activities of the World Wide Web Consortium (W3C) and other Web community happenings (Digital Signature Initiative, Security Working Group, and Electronic Payments Working Group).

Track B: Electronic Commerce
Security Architectures for Electronic Commerce
Clint Brooks, National Security Agency, Chair
Panelists: TBD
This panel will discuss architectural requirements and examine the comparisons and applications of existing security architectures.
Track C: Information Infrastructure
Information Warfare and the Civilian Population
Charles Abzug, Institute for Computer and Information Sciences, Inc., Chair
Panelists: TBD
This panel will explore to what extent the U.S. civilian population must be concerned regarding the possibility of adversaries of the United States carrying out acts of information warfare against our information systems.

Track D: Debate
Cryptography Debate
Ed Roback, NIST, Chair
Panelists: TBD
The panelists will debate the impact of the Administration's cryptographic policies, including export controls. Industry and government perspectives will be presented, and approaches to change will be discussed and created.

Track E: Assurance / Criteria / Testing
The Systems Security Engineering Capability Maturity Model
Karen Ferraiolo, Arca Systems, Inc., Chair
This session will provide an overview of security and security engineering, describe the need for a capability maturity model (CMM) for security engineering, present the current SSE-CMM, and illustrate the application of the SSE-CMM using a hypothetical case study.

Track F: R & D
New Security Paradigms Workshop '97
Robert Blakley, IBM, Chair
Panelists: TBD
This panel will select topics from the 1997 New Security Paradigms Workshop, reflecting one or two important themes.

Track G: Policy / Administration / Management
Year 2000 (Y2K)
Richard Lefkon, Year 2000 Committee of AITP SIG-Mainframe, Chair
Panelists:
- Gregory Cirillo, JD, Williams, Mullen, Christian & Dobbin
- Daniel Miekh, Terasys
- Sanford Feld, TBI
This panel will discuss the security implications of Year 2000 problems. What is the effect of "clock roll-over"? The panelists will provide an overview of problems and solutions with a seven-step process. Additionally, attendees responsible for Y2K issues in their organization are eligible for complimentary copies of "Year 2000: Best Practices for Millennium Y2K Computing: Panic in Year Zero".
Track H: Tutorials
A Systems Approach to INFOSEC
Jim Urbanski, NSA, Chair
This tutorial provides a perspective of systems methodologies with applications to INFOSEC principles and disciplines. Attendees will gain an appreciation for the systems approach to problem solving, a technique that is applicable to both technical and non-technical problems within and outside your organization.

5:45 PM Conference Awards Reception, Baltimore Convention Center
Awards will be presented to vendors that have successfully developed security product lines that have been approved by the NIST Validation Program or the NCSC Trusted Computer System Evaluation Program. Certificates also will be presented to participants in the Systems Security Engineering Capability Maturity Model.

Wednesday, October 8th

Track A: Internet
Critical Elements of Security Frameworks
Judith Furlong, MITRE Corporation, Chair
Panelists:
- Michael Willett, IBM
- Dave Aucsmith, Intel
- Keith Klemba, Hewlett Packard
The panelists will examine the critical elements of security frameworks being proposed by computer industry leaders. They will also discuss issues including interoperability and gaps among the different frameworks and products.

Track B: Electronic Commerce
Secure Payment Protocols
Taher ElGamal, Netscape Communications Corporation, Chair
This panel will discuss implementation experiences in electronic payment systems, ranging from macropayment protocols to micropayment protocol design and analysis. Example applications of electronic malls will highlight the use of electronic payment mechanisms.

Track C: Information Infrastructure
Infrastructure Protection: Can Government and the Private Sector Work Together?
Michelle Van Cleave, Senate Judiciary Subcommittee on Technology, Terrorism, and Government Information, Chair
Panelists: TBD
This panel will discuss and debate the information sharing and cooperation among the government and private sector infrastructure providers that will be necessary to protect our critical infrastructures in the future. Audience participation - asking questions and sharing points of view - will be encouraged.

Track D: Debate
Controlling Content on the Internet
Joan Winston, TIS, Chair
Panelists: TBD
This session will debate the following topics:
- Should network-accessible information be regulated?
- Is the Internet more like "broadcast" media that have historically faced regulatory and/or voluntary content controls (e.g., nudity, types of advertising), or is it more like a bookstore or library?
- Should we rely on market-based approaches and end-user discretion (parental guidance, employer policies for use of company resources), or should we have some form of government intervention to protect vulnerable groups like children?

Track E: Assurance / Criteria / Testing
Alternate Assurances: Implementation of Better Ways!
Mary Schanken, NSA, Chair
Panelists: Todd D. Schucker, LT. Renell D. Edwards, Charles G. Menk, III, NSA
The panelists will discuss the Trusted Capability Maturity Model, Network Rating Model, and Systems Security Engineering Capability Maturity Model. The audience will be provided a brief overview, current status, and future goals of the three models. Time is provided for audience interaction in discussing details about these models.

Track F: R & D
Non-Military Cryptography: Opportunities, Threats, and Implementations
Bruce Schneier, Counterpane Systems, Chair
From encryption to digital signatures to electronic commerce to secure voting, cryptography has moved out of the military and into the world. The speaker will address the future of non-military cryptography, the business opportunities, the risks, and the work that needs to be done. Mr. Schneier will also address some common mistakes companies make when implementing cryptography and provide tips on how to avoid them.

Track G: Policy / Administration / Management
Certification & Accreditation
Jack Eller, DISA, Chair
Panelists: TBD
The panelists will discuss the current perspective on strategies for the certification and accreditation process.

Track H: Tutorials
Risk Management I: A Systems Approach to Threat
Anne Brooker-Grogan, NSA, Chair
This tutorial provides the first of three foundation tutorials of Risk Management. The session is designed to help attendees answer the questions: what do we really need to protect, and who or what are we protecting it from? It takes a systems analysis approach to looking at the tangible and intangible things we value and the threats to them. The tutorial provides an overview of multi-disciplined threat, threat to information systems, and an overview of information warfare. The tutorial prepares the attendee for the Risk Management II and Risk Management III sessions later in the week.

10:00 - 10:30 AM Session Break & Social Networking

10:30 AM - 12 noon

Track A: Internet
CAPIs: Current Conventions & Commercial Capabilities -- The Developers' Point of View
Peter G. Neumann, SRI International, Chair
Panelists:
- Dave Balenson, Trusted Information Systems
- Taher Elgamal, Netscape Communications Corp.
- George Fox, Intel Architecture Labs
- Li Gong, Javasoft, Sun Microsystems
- John Marchioni, Cylink
- Tim Moses, Entrust
- Amy Reiss, NSA
This panel session will track progress in the emerging field of Cryptographic Application Programming Interfaces (CAPIs). Status of the major CAPIs in development and use today will be provided. In addition, vendors will discuss lessons learned from the development and utilization of these CAPIs in their products.
Track B: Information Infrastructure
R&D for Infrastructure Protection
Richard Brackney, NSA, Chair
Panelists: TBD
This panel will present a discussion of R&D activities needed or underway to focus technology on solving infrastructure assurance problems.

Track C: Debate
Issue for Discussion: Should the Computer Security Act Be Repealed?
Lynn McNulty, RSA Data Security, Inc., Chair
Panelists: TBD
This session will be devoted to a debate of the future of the Computer Security Act. Such issues as its applicability to the existing government systems environment, the impact of information warfare concepts, and the concerns of civil agencies with respect to the mandated adoption of national security community-driven standards and technologies will be examined.

Track D: Assurance / Criteria / Testing
Integrity Engineering
Donald Evans, Space Flight Operations Center, Chair
Panelists: TBD
This panel will discuss the identification and deployment of protection mechanisms, reduction of residual risks, and determination of the metrics of protective effectivity and efficiency for inter/intra-networked systems-of-systems. These systems are comprised of heteromorphic major applications and general support systems requiring disparate levels of integrity, consistency, and operational continuity.

Track E: R & D
Database Security: Browsers, Encryption, Certificates and More
John Campbell, NSA, Chair
Panelists: Senior Technologists from Oracle, Informix, Sybase
This session explores security problems and solutions with "new" database systems, including those with web browsers and servers, systems requiring strong identification and authentication, single sign-on, multilevel systems, and large mainframe and warehouse systems.
Track F: Policy / Administration / Management
Public Key Certificate Policies
Noel Nazario, NIST, Chair
Panelists:
- Warwick Ford, Verisign
- Santosh Chokhani, CygnaCom
- Michael Jenkins, NSA
The panel will discuss the current status of Public Key (PK) Certificates as defined by ITU Recommendation X.509 version 3. This discussion will be of interest to representatives from Federal agencies interested in the use of PK technology to provide services to conduct their internal operations, industry participants interested in using or providing certificate management services, and people interested in the future of electronic communications and electronic commerce.

Track G: Tutorials
Risk Management II: Introduction to Vulnerabilities
Bill Unkenholz, NSA, Chair
This tutorial provides the second of three foundation tutorials of Risk Management. This tutorial continues with the methodology from Risk Management I, using a systems analysis approach to identify, analyze, and quantify system vulnerabilities.

12 noon - 2:00 PM Lunch Break

Visit the vendor exposition! Over 100 INFOSEC vendors in the Convention Center Exhibition Hall. Sponsored by the Armed Forces Communications and Electronics Association (AFCEA).

2:00 - 3:30 PM

Track A: Internet
Public Key Infrastructures (PKIs)
Warwick Ford, Verisign, Chair
Panelists:
- Taher ElGamal, Netscape Communications Corporation
- Donna Dodson, NIST
This panel examines the significant issues and challenges in the development and deployment of PKIs from the perspectives of the PKI vendor and the PKI implementer.

Track B: Electronic Commerce
Digital Money - E-Cash
Kawika Daguio, American Bankers Association, Chair
Panelists: TBD
Is "E-Cash" the future of money? This session will discuss the pros and cons of digital money from both a security acceptance and a policy perspective. Topics include electronic wallets, the various types of digital money, and money laundering.
Track C: Information Infrastructure
Information Privacy and Human Rights
Wayne Madsen, Privacy International, Chair
Panelists:
- David Banisar, Electronic Privacy Information Center (EPIC)
- Other Panelists: TBD
This session will examine various information age threats to personal privacy and the means by which government and business can provide for the common privacy of all.

Track D: Debate
Civilizing Cyberspace
Steven Miller, CPSR, Chair
Panelists:
- Dorothy Denning, Georgetown University
- Ruth Nelson, Information Systems Security
- Others: TBD
The panelists will discuss the sociological effects, 20 years from now, of the INFOSEC technology, law, and customs we are putting into place now.

Track E: Assurance / Criteria / Testing
Future Strategies
Harold Highland, FICS, Chair
- A New Strategy for COTS in Classified Systems - Simon Wiseman, Defense Research Agency, UK
- Outsourcing: A Certification & Accreditation Dilemma - Harold Gillespie, CISSP, CTA, Incorporated
- The Department of Defense INFOSEC Certification and Accreditation Help Environment - Barry C. Stouffer, Corbett Technologies

Track F: Policy / Administration / Management
Cyber Terrorism
Christine Axsmith, Esq., The Oakland Corporation, Chair
Panelists:
- Mark Pollitt, Federal Bureau of Investigation
- Tim Corcoran, The Oakland Group
- Kim Johnson, U.S. State Department
This panel will highlight the realities of cyber terrorism and educate the audience on its impact. The panel will provide an educated framework in which informed analysis can take place. The types of environments that are subject to attack will be discussed. The audience will also be presented with solutions from both industry and government perspectives to cyber terrorism issues.

Track G: Tutorials
Network Security
Jack Wool, Arca Systems, Inc., Chair
This tutorial focuses on network security fundamentals and threats and provides a summary of traditional computer security concerns and objectives, relating the concepts to network security concerns.
Security properties required of a trusted network are described in detail per the OSI security services model.

3:30 - 4:00 PM Session Break & Social Networking

4:00 - 5:30 PM

Track A: Internet
Paperless Federal Transactions for the Public
Judith A. Spencer, General Services Administration, Chair
Panelists:
- Phil Mellinger, First Data
- Monette Respres, Mitretek
- Stanley Choffee, General Services Administration
The Federal Information Security Infrastructure Program is running a pilot initiative, Paperless Federal Transactions for the Public, involving PKI and applications. This panel discusses the philosophy of the pilot, how it works, what has been learned, and its future direction.

Track B: Electronic Commerce
Who Pays if Things Go Wrong?
Paul Dorey, Barclays Bank, UK, Chair
Panelists: TBD
This panel will discuss the threats to vendors, consumers, and service providers. They will address security attacks on electronic transactions, liability issues, and the necessary requirements for reliability and availability in electronic commerce.

Track C: Information Infrastructure
The INFOSEC Technology Profession: A Moving Bus
Virgil Gibson, Computer Sciences Corporation, Chair
Panelists: TBD
The panelists will address the question: Is INFOSEC a scientific or technical profession? Representatives from academia, who develop INFOSEC curricula in graduate degree programs, will discuss the options for their graduates. Practitioners will address the pros and cons of degree programs versus other paths to becoming an INFOSEC professional.

Track D: Debate
Copyright: Should Media Matter?
Joan Winston, TIS, Chair
Panelists: TBD
The ease of copying material in digital form continues to exacerbate the historical tensions between copyright proprietors and users of copyrighted materials. WIPO recently rejected copyright proposals that would have greatly extended copyright protections on electronic information and databases, potentially curtailing the traditional U.S. copyright provisions for fair use. This session will debate the following topics:
- To what extent can we continue to rely on traditional notions that evolved in an analog, paper-based world?
- Can principles such as fair use and the first-sale doctrine endure in the digital global information infrastructure?

Track E: Assurance / Criteria / Testing
Awareness & Concerns
Les Fraim, ANS, Chair
- Cyberterrorists - Mark Pollitt, Federal Bureau of Investigation
- Protecting American Assets, Who is Responsible? - Anthony C. Crescenzi, Defense Investigative Service
- Who Should Really Manage Information Security in the Federal Government? - Alexander D. Korzyk, Sr., Virginia Commonwealth University, Ph.D. Program

Track F: R & D
Research in Intrusion Detection
Gene Spafford, Purdue University, Co-Chair
Karl Levitt, UC Davis, Co-Chair
- Event Monitoring Enabling Responses to Anomalous Disturbances (EMERALD) - Phillip Porras, SRI International
- An Application of Machine Learning to Anomaly Detection - Carla E. Brodley, Purdue University
- A Process of Data Reduction in the Examination of Computer Related Evidence - Mary F. Horvath, Federal Bureau of Investigation
- Automated Information System (AIS) Alarm System - William Hunteman, Los Alamos National Laboratory

Track G: Policy / Administration / Management
Metrics of Requirements
Charles Pfleeger, Arca Systems, Inc., Chair
- Security Modeling for Public Service Communication - Dan Gambel, Mitretek, Inc.
- Security Metrics - A Practical Approach - Chenxi Wang, University of Virginia
- Connecting Classified Nets to the Outside World: Costs and Benefits - Christopher P. Kocher, Lockheed Martin Corporation

7:00 PM Conference Banquet, Hyatt Regency Inner Harbor Hotel
Speaker: Bran Ferren, Walt Disney Imagineering

Thursday, October 9th

8:30 - 10:00 AM

Track A: Internet
Firewalls Are More Than Just Bandages
Peter Tasker, The MITRE Corporation, Chair
Panelists:
- Tom Haigh, Secure Computing Corporation
- John Pescatore, Trusted Information Systems, Inc.
- Tony Vincent, Raptor Systems
Firewalls started as a relatively static first line of defense, but they have become a more central part of providing many protection services to an enterprise. This panel will look at the present roles played by firewalls and directions for the future. Can they be effective against all of the emerging rich protocols associated with the World Wide Web? How will IPSEC affect them? What is the right mix of centralized firewall and distributed desktop protection features?

Track B: Electronic Commerce
Smart Cards: Their Role in Electronic Commerce
Diane Darrow, Smart Card Forum, Chair
Panelists: TBD
This session will focus on Smart Cards, Smart Card alternatives, and how they will be used in an electronic commerce environment.

Track C: Information Infrastructure
Future Methods in a Cryptographic Environment
D. Elliott Bell, Mitretek Corporation, Chair
- Cryptographic Algorithm Metrics - Landgrave T. Smith, Jr., Institute for Defense Analyses
- Using Datatype-Preserving Encryption to Enhance Data Warehouse Security - Harry E. Smith, Quest Database Consulting, Inc.
- Multistage Algorithm for Limited One-Way Functions - William T. Jennings, Raytheon E-Systems & Southern Methodist University

Track D: Debate
Technology Around the Next Corner
Hilary Hosmer, Data Security Inc., Chair
Panelists: TBD
The telecommunications giants are investing for the long term, and Bill Gates plans to defy the tradition that a leader in one computer technology era is never a leader in the next. INFOSEC executives debate what's to come in 20 years.

Track E: Assurance / Criteria / Testing
Commercial Intrusion Detection & Auditing: Installation, Integration & Use From the Security Professional's Perspective
Jim Codespote, NSA, Chair
Panelists: TBD
There are several intrusion detection and auditing products commercially available to help protect computer systems and networks.
Panelists will discuss their experiences with installation, configuration, ease of use, scalability, and overall capabilities of the products they use and maintain. The intent of the panel is to provide insight (war stories) for those attendees looking to implement a COTS intrusion detection solution from a non-vendor (customer) point of view.

Track F R & D
Public Key: Differing Views
Tim Polk, NIST, Chair
The Use of Belief Logics in the Presence of Causal Consistency Attacks
J. Alves-Foss, University of Idaho
Achieving Interoperability Through Use of the Government of Canada Public Key Infrastructure
Capt. John H. Weigelt, Department of National Defense (Canada)
Implementation of Key Recovery with Key Vectors to Minimize Potential Misuse of Keys
William J. Caelli, Queensland University of Technology, Australia

Track G Policy / Administration / Management
Risks of Software Applications
James P. Anderson, J.P. Anderson Company, Chair
Software Encryption in the DoD
Russell Davis, Boeing Information Services, Inc.
TRANSMAT Trusted Operations for Untrusted Database Applications
Dan Thomsen, Secure Computing Corporation
Methodology for Evaluating Assets for Threats from Information Warfare and Economic Warfare Attacks
Roger A. Stutz, Los Alamos National Laboratory

Track H Tutorials
Crypto: Mechanism of Action of Modern Cryptographic Protocols
Charles Abzug, Institute for Computer and Information Sciences
This tutorial will present today's cryptographic protocols, the principles by which they operate, their principal advantages and disadvantages, and a sampling of products using some of these protocols.

10:00 - 10:30 AM Session Break & Social Networking

10:30 AM - 12 noon

Track A Internet
Web Security Problems
Peter Coffee, PC Week Labs, Chair
Go Ahead, Visit Those Web Sites, You Can't Get Hurt, Can You?
James S. Rothfuss, Lawrence Livermore National Laboratory
Web Spoofing: An Internet Con Game
Edward W. Felten, Princeton University
When JAVA Was One: Threats from Hostile Byte Codes And JAVA Platform Viruses
Mark D. Ladue, Georgia Institute of Technology
Java Script: Security Tricks
Walter Cooke, CISSP, W. J. Cooke & Associates

Track B Electronic Commerce
Secure E-Malls
Win Treese, OpenMarket, Inc., Chair
Panelists: TBD
This panel will discuss the requirements for an electronic mall as it affects small businesses, information services, and education and learning for the participants in the "Emall" stores.

Track C Information Infrastructure
Viruses: Today's Threats
Kenneth Van Wyk, SAIC, Chair
Practical Defenses Against Storage Jamming
John McDermott, Naval Research Laboratory
What is Wild?
Sarah Gordon, IBM
Secure Software Distribution System
Tony Bartoletti, Lawrence Livermore National Laboratory

Track D Debate
The Data Encryption Standard: 20 Years Later
Dorothy E. Denning, Georgetown University, Chair
Panelists: William J. Caelli, Queensland University of Technology, Australia
Stephen T. Kent, GTE
William H. Murray, Deloitte & Touche
This panel will review the significance of DES to the information security field and to infosec products and practices. Panelists will discuss the impact of DES on academic research, cryptanalysis, algorithm and product development, standards, network security, application-level security, and business practices.
Track E Assurance / Criteria / Testing
Criteria: International Views
Marshall Abrams, The MITRE Corporation, Chair
Application of the IT Baseline Protection Manual
Angelika Plate, BSI, Germany
The Extended Commercially Oriented Functionality Class for Network-Based IT Systems
Alexander Herrigel, r3 Security Engineering ag, Switzerland
The Use of Information Technology Security Assessment Criteria to Protect Specialized Computer Systems
Ronald Melton, Pacific Northwest National Laboratory

Track F R & D
Internet: Surviving the Future
Joseph Lisi, National Security Agency, Chair
Security Tools - A "Try Before You Buy" Web-Based Approach
Sheila Frankel, NIST
Internet Protocol Next Generation: Saving the Internet in the New Millennium
Robert A. Kondilas, MCI
Vulnerability of "Secure" Web Browsers
F. De Paoli, University of California-Santa Barbara

Track G Policy / Administration / Management
Risk Management
Paul Woodie, National Security Agency, Chair
A New Paradigm for Performing Risk Assessment
Judith L. Bramlage, Computer Associates, Inc.
INFOSEC Risk Management: Focused, Integrated & Sensible
Donald R. Peeples, NSA
Role-Based Risk Analysis
LT Amit Yoran, USAF

Track H Tutorials
Database Security
William Wilson, Arca Systems, Inc.
This tutorial focuses on database security issues from the standpoint of using database management systems to meet an organization's security requirements. Topics include data security requirements, vulnerabilities, database design considerations, and implementation issues. Several architectural approaches to building multilevel database systems are presented, including integrity lock, kernelized, layered, partitioned, and distributed. Other database security issues discussed include view versus relation discretionary controls, mandatory controls, inference, aggregation, and statistical inferences.

12 noon - 2:00 PM Lunch Break
Visit the vendor exposition!
Over 100 INFOSEC vendors in the Convention Center Exhibition Hall
Sponsored by the Armed Forces Communications and Electronics Association (AFCEA)

2:00 - 3:30 PM

Track A Internet
Experiences with Intrusion Detection Systems
Jill Oliver, Citibank, Chair
Panelists: Dan Esbensen, Touch Technologies
Lee Sutterfield, WheelGroup
Intrusion detection (ID) systems are coming of age. Today's products include capabilities to look at intrusion detection at a system-of-systems level, report suspected intrusions to a home office, and react locally to suspected intrusions by automatically denying access to the suspected attacking node. The panelists, with experience as architects and users of these ID products, will discuss what is important, and why, for current and future capabilities.

Track B Electronic Commerce
Critical Components for an Electronic Solution
Christine Varney, Commissioner, Federal Trade Commission, Chair
Panelists: TBD
This session will identify the critical components that must be in place for an electronic commerce solution to be successful in a global environment.

Track C Information Infrastructure
Practical Views of Network Protocols
William H. Murray, Deloitte & Touche, Chair
A Methodology for Mechanically Verifying Protocols Using an Authentication Logic
J. Alves-Foss, University of Idaho
A Practical Approach to Design and Management of Secure ATM Networks
Vijay Varadharajan, University of Western Sydney, Australia
Distributed Network Management Security
Paul Meyer, Secure Computing Corporation

Track D Debate
Crime in the 21st Century: Wireless Fraud
James R. Wade, AirTouch Cellular, Chair
Panelists: Dennis Walters, Comcast Cellular Communications
Angel Morales, Professional Security Bureau, Inc.
Dave Daniels, AirTouch Cellular
The panelists will discuss and debate various issues regarding wireless fraud, which is emerging as the number one crime for the 21st century.
Track E R & D
Issues for Security and Survivability
Teresa Lunt, DARPA, Chair
Panelists: Lee Badger, TIS
Franklin Webber, Key Software
John Knight, University of Virginia
Rich Feiertag, TIS
This panel will provide a brief summary of the DARPA security program goals and plans for wrappers, composition, and architecture issues for security and survivability.

Track F Policy / Administration / Management
Cryptographic Standards for the Next Century
Miles E. Smid, NIST, Chair
Panelists: Burt Kaliski, RSA Laboratories
Don Johnson, Certicom Corporation
Jim Foti, NIST
A set of standard cryptographic algorithms is needed to support services for the information infrastructure in the next century. Organizations including the National Institute of Standards and Technology (NIST), the American National Standards Institute (ANSI), and the Institute of Electrical and Electronics Engineers (IEEE) are developing cryptographic standards to address the need. The purpose of this panel is to discuss these emerging cryptographic standards. Panelists will also provide an overview of relevant cryptographic standards-making organizations and the relationship of their work to other organizations. In particular, the panelists will discuss emerging symmetric-based encryption standards, specifically focusing on the Advanced Encryption Standard, Digital Signature Standards, and Public Key Based Cryptographic Key Agreement and Exchange Standards.

Track G Tutorials
How to be a Better Security Officer
Chris Breissinger, Department of Defense Security Institute
This tutorial focuses on the continued protection and accreditation of operational information systems. Topics include: virus prevention and eradication; access control evaluation and configuration; media clearing and purging; intrusion detection and handling; and dealing with risk.
3:30 - 4:00 PM Session Break & Social Networking

4:00 - 5:30 PM

Track A Internet
Virtual Private Networks (VPNs)
Steve Kent, BBN, Chair
Panelists: Paul Lambert, Oracle
Naganand Doraswamy, FTP Software
Roy Pereira, Timestep
Dan McDonald, Sun Microsystems, UK
This panel will discuss experiences with and lessons learned from developing and implementing VPNs, and challenges (e.g., scalability, widespread deployment) and future needs (automated key management protocols, administration tools) for VPN solutions. Although there are multiple protocols that can be used to create VPNs (e.g., IPSEC, PPTP, SSH, SSL), the focus of the panel will be on Network Layer (IP-level) VPNs.

Track B Electronic Commerce
Future of Electronic Commerce
Hal Varian, Dean, University of California-Berkeley, Chair
Panelists: TBD
This session will look at the current and future directions of electronic commerce in the international environment, and the impact that it will have on business and society.

Track C Information Infrastructure
Case Study: Computer Security Program Management Partnership - A Success Story
Mark Wilson, NIST, Chair
Panelists: William D. Tate, Daniel T. Crowley, Northrop Grumman Corporation
John McWhorter, Defense Investigative Service
This panel will discuss how to create effective partnerships between an organization's computer security program management office, users, and auditors. The panel will help participants to fully integrate computer security awareness and responsibility throughout a business or agency.

Track D Debate
The Future Role of Government in International Cyberspace
Vin McClelland, The Privacy Guild, Chair
Panelists: TBD
When national boundaries are permeable, national INFOSEC policy may be irrelevant.

Track E Assurance / Criteria / Testing
Impact of the International Common Criteria on U.S. Security Evaluations
Steve Reichert, NSA, Chair
Panelists: Margie Zuk, MITRE
Tom Anderson, Kris Britton, William J. Marshall, Lou Giles, NSA
The Common Criteria is the result of an integrated attempt to align the trusted product evaluation criteria and activities of Canada, France, Germany, the Netherlands, the United Kingdom, and the United States into a single document. This panel will provide critical U.S. evaluation program status information to groups that will be directly impacted as a result of CC implementation efforts.

Track F R & D
Survivability Technologies
Teresa Lunt, DARPA, Chair
Panelists: Phil Porras, SRI
Dan Schnackenberg, Boeing
Maureen Stillman, ORA
Stuart Staniford-Chen, University of California-Davis
This panel will provide a brief summary of the DARPA security program goals and plans for wrappers, composition, and architecture issues for security and survivability.

Track G Policy / Administration / Management
Technical Internet Security Policy
Robert Bagwill, NIST, Chair
Panelists: John Pescatore, TIS
Others: TBD
This panel will discuss a new NIST special publication on technical Internet security policy. Technical policy issues include the use and configuration of firewalls, virtual private networks, and interactive software. The panel will provide an overview of the NIST publication and then discuss methods for using the guideline within organizations.

Track H Tutorials
Risk Management III: Introduction to Risk Assessment
Tom Peltier, Computer Science Institute, Chair
This tutorial provides the third of three foundation tutorials on Risk Management. It continues with the methodology from Risk Management I & II, using a systems analysis approach to identify, analyze, and quantify risks.

6:00 - 8:00 PM Best Paper Awards
National Cryptologic Museum, Fort Meade, MD
Buses will be available.

Friday, October 10th

8:30 - 10:00 AM

Track A Internet
MISSI - Network Security Solutions - From a User & Vendor Perspective
Ken Heist, NSA, Chair
Panelists: Frank Hecker, Netscape Communications, Inc.
Gregory Gilbert, NSA
Robert Gray, Litronic, Inc.
Richard Parker, NATO Consultation, Command, and Control Agency
This panel will consider questions related to the implementation of Multi-level Information System Security Initiative (MISSI) products, applications, and infrastructure. The panelists have experience with current MISSI Beta Test activity, MISSI in NATO, Defense Message System pilot tests, the mid-1997 FORTEZZA infrastructure change, emerging FORTEZZA-compatible applications, and the MISSI product evaluation and approval process.

Track B Electronic Commerce
Copyright & Intellectual Property Issues Associated with Electronic Commerce
Jessica Litman, Wayne State University, Chair
Panelists: TBD
This session will discuss the legal issues associated with electronic commerce regarding copyright and IP from a local, national, and international perspective.

Track C Information Infrastructure
Case Study: An Architecture & Approach
Willis Ware, Chair
Panelists: David Van Wie, Olin Sibert, James Horning, InterTrust Technologies Corporation
This panel will discuss how one company executed its vision of electronic commerce, an architecture, and research directions.

Track D Debate
Controlling Employees' Use of the Internet
Christine Axsmith, Esq., The Oakland Corporation, Chair
Panelists: TBD
This panel will debate the pros and cons of controlling employees' use of the Internet.

Track E Assurance / Criteria / Testing
Vendor Dialog on Evaluation Programs
Jeremy Epstein, Tracor, Co-Chair
Casey Schaufler, Silicon Graphics, Co-Chair
The co-chairs will lead the audience in a discussion of their experiences in performing TCSEC/TNI/TDI evaluations, opinions of the TPEP and TTAP programs, use of the RAMP program, interpretations of TCSEC, ITSEC evaluations, and the forthcoming Common Criteria evaluations.
Track F R & D
Manhattan Cyber Project
Mark Gembicki, War Room, Chair
Panelists: Manhattan Cyber Project members
A few select members of the Manhattan Cyber Project will discuss their findings to date as well as future initiatives. Their mission is to improve the availability and effectiveness of the technology, people, and processes that safeguard critical infrastructure areas and U.S. corporations from the "cyber threat." The approach to accomplishing this mission is based on developing and facilitating a coordinated "outreach" program with industry, government, and academia.

Track G Policy / Administration / Management
Keeping Pace with Threats in Networked Client/Server Environments
G. Mark Hardy, AXENT Technologies, Inc., Chair
Panelists: Jim Mork, BSG, Inc.
Others: TBD
This panel will discuss how information security managers can leverage technology to keep pace with the threat posed in the networked client/server environment.

Track H Tutorials
Infrastructure Security
John T. Egan, National Defense University, Chair
This session will cover the fundamentals of encryption and the security services that are proposed for large infrastructures such as the NII and the DII. There is a movement in some quarters for providing a common set of security services that will support both types of infrastructures even though their missions are quite different.

10:00 - 10:30 AM Session Break & Social Networking

Closing Plenary
Friday, October 10, 1997
The Future of Electronic Commerce
10:30 a.m.
Risks, Realities, and Expectations
Peter G. Neumann, SRI International, Chair
Distinguished Panelists:
Larry Stewart, Chief Technology Officer, Open Market
Steve Walker, President, Trusted Information Systems, Inc.
Rick Hite, Director, Risk Management and Security, Visa International
Helmut Kurth, IAGB, Germany
The future of computer-communication security will to a large extent be driven by the urgent needs of electronic commerce, while at the same time being hindered by the realities of emerging computer and networking infrastructures. This session will address those realities, and will attempt to see into the future. Its scope will be fairly broad, encompassing systems, networks, financial applications, and digital commerce generally, from the primary viewpoint of security risks and their avoidance, but also cognizant of the social issues. It will also recognize that the problems are international, not just national.

Many questions might arise in the course of the discussion. What is achievable? What is likely? What are the most difficult obstacles to be overcome? What research areas are not being adequately stressed? What can we expect of technology? What are the intrinsic limitations? What are the weakest links? What non-technological issues, such as human compromisibility, must be defended against? What are the tradeoffs (for example, among cost-effectiveness, integrity, confidentiality, anonymity, accountability, and law enforcement needs)? What residual risks will necessarily remain? What should or should not governments do to ensure that electronic commerce and related applications can take place dependably? What impacts are national cryptological policies having on electronic commerce? What can be done to ensure that critical components of the national infrastructure (including telecommunications and electrical power) remain adequate?

General Information

Meeting Site
The conference will be held at the Baltimore Convention Center, 1 West Pratt Street, Baltimore, Maryland, close to the Baltimore Inner Harbor area. The Opening Plenary Session will be held in Ballroom I, on the Ballroom Level (enter the Pratt Street lobby).
Registration and information services, and all technical sessions, will be held on the third floor Meeting Room Level. The Convention Center is conveniently located close to the meeting hotels, major highways heading into Baltimore, numerous restaurants, shops, and sight-seeing attractions.

Registration
The registration fee covers conference materials, coffee breaks, and admission to the banquet and award ceremony. There is an additional fee for the October 6 workshops.

Early Registration: $360.00
After September 8, 1997: $410.00
October 6 Workshops: $100.00

To register, complete the enclosed registration form and return it with payment to:
Office of the Comptroller
National Institute of Standards and Technology
Room A807, Administration Building
Gaithersburg, MD 20899

If using a check, make it payable to NIST/20th National Information Systems Security Conference or NIST/20th NISSC. Credit card payments (Mastercard or VISA) can be faxed to the Conference office at (301) 948-2067. NIST does not accept any other credit cards. The Federal Tax ID number for NIST is 530205706. Confirmation cards will be mailed daily.

To register for workshops I through IV, please check the appropriate box on the registration form. There is an additional fee for these workshops. To ensure a proper address for the participant list, badging, and confirmations, we ask each registrant to complete the registration form (training forms and/or purchase orders usually list a billing address or corporate office). We encourage typed forms with complete information. Because the processing of payment sometimes can be slow, attendees can fax in registration forms with the notation "payment to follow in mail" or "will be paying on-site."

Cancellation Policy: Cancellations must be made in writing by September 8 in order to receive a refund. Letters can be faxed to NIST at (301) 948-2067. Any substitute registrations are to be in writing, with an accompanying registration form for the new registrant.
The registration desk at the Convention Center will be open from 6:30 p.m. to 8:30 p.m. on Monday evening, October 6, and will re-open each morning of the conference at 8 a.m.

Transportation
For those attendees not staying in Baltimore, daily bus service will be provided from the parking lot across from the National Computer Security Center (NCSC) Fanx III, 840 Elkridge Landing Road, Linthicum, Md. This is a convenient location for attendees staying at hotels near Baltimore Washington International airport. The buses will run in a round-robin fashion from the NCSC from 7:00 a.m. to 8:30 a.m. Buses will return to the NCSC at the end of the sessions each day, periodically throughout the awards reception, and following the banquet.

Proceedings
A hard copy and CD-ROM of the conference proceedings will be included as part of the registration packet for all attendees.

Communications
Messages will be taken for conference participants between 8 a.m. and 5 p.m., Tuesday through Thursday, and between 8 a.m. and 12 noon on Friday. Messages will be posted on a message board adjacent to the Registration/Information Area. Attendees will not be called out of a meeting except in emergencies. The phone numbers to be used for leaving messages will be posted on the message board.

Special Interest Rooms
There will be a limited number of rooms available for special interest discussions ("Birds of a Feather," etc.). These rooms may be reserved in one-hour increments and must not be used for commercial purposes. Call the NCSC Conference Administrator at (410) 850-0272 to make a reservation. The originator should post notice of an open meeting on the message board.

Food Functions
Coffee service will be provided to all attendees during registration each morning and at mid-morning and mid-afternoon breaks. Attendees will be free at lunch time to explore the convenient restaurants or other sites near the convention center.
In addition, an award reception and banquet will be held on Tuesday and Wednesday evenings, respectively.

Award Ceremony and Reception
On Tuesday, October 7, awards will be presented to vendors that have successfully developed security product lines that have been approved by the NIST Cryptographic Validation Program or the NCSC Trusted Computer System Evaluation Program. Certificates also will be presented to participants in the Systems Security Engineering Capability Maturity Model. The awards reception will begin at 6 p.m. in the third floor lobby.

Banquet
The conference banquet will be held on Wednesday, October 8, beginning with a cash bar reception at 6 p.m. and followed by dinner at 7 p.m. The dinner speaker is Bran Ferren, Executive Vice President, Walt Disney Imagineering. A coupon for this event, which may be exchanged for a dinner ticket on a first-come, first-served basis, will be included in each attendee's registration kit.

Best Paper and Best Student Paper Award Ceremony and Reception
On Thursday, October 9, best paper and best student paper awards will be presented at the National Cryptologic Museum in Fort Meade, Maryland. Directions and bus information will be available at the conference Information Booth. An awards reception will begin at 6:30 p.m. and end at 8 p.m. in the museum.

Housing
Blocks of rooms have been reserved for conference attendees at hotels near the convention center at special group rates. The hotels, with their daily rates, are listed below in order of their proximity to the convention center. To register for rooms at the special rates, return the enclosed hotel registration form directly to:
Baltimore Convention Center and Visitors Association Housing Bureau
100 Light Street, 12th Floor
Baltimore, MD 21202
or fax the form to (410) 659-7313, with a deposit of $100, no later than September 8, 1997. After this date, we cannot guarantee that rooms will be available at the special conference rate. RESERVE EARLY!
Government employees please note: The number of government rated rooms is limited and will be available on a first-come, first-served basis.

Please note: Reservations may ONLY be mailed or faxed. NO telephone reservations will be accepted.

Because the 1997 conference overlaps with meeting dates for a large city-wide convention, sleeping rooms are extremely scarce on Sunday, October 5. Attendees to the Monday workshops should consider making travel plans to arrive in Baltimore on Monday morning. The workshops have been scheduled to start as late as 11 a.m. for this reason. Rooms are also somewhat limited for Monday evening, October 6. To get the hotel of your choice, reserve early.

Hotel                          Single Rate      Double Rate      Code
Doubletree at the Colonnade    $129 plus tax    $129 plus tax    DBLCO
Holiday Inn Inner Harbor       $96 plus tax     $96 plus tax     HIDIN
                               (Govt. $96 incl. tax)
Days Inn Inner Harbor          $83 plus tax     $83 plus tax     DAYSI
Baltimore Hilton and Towers    (Govt. $96 inclusive)             HILTN
Hyatt Regency Baltimore        $142 plus tax    $150 plus tax    HYATT

For Further Information
For further information, call Tammie Grice, the Conference Registrar, at (301) 975-3883.

Sponsors

National Computer Security Center
In 1978, the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence established the Department of Defense Computer Security Initiative to ensure the widespread availability of trusted ADP systems for use within the DoD. In January 1981, the National Computer Security Center (NCSC) was established at the National Security Agency and assumed responsibility for the activities of the Initiative. The NCSC encourages the development of trusted computing system products, develops computer security standards and guidelines for interested users, and sponsors basic research in this robust field.
To encourage the widespread availability of trusted systems, the NCSC has developed an industry-government relationship, called the Trusted Product Evaluation Program (TPEP). This effort focuses on the technical protection capabilities of commercially produced and supported systems, based on the Department of Defense Trusted Computer System Evaluation Criteria (TCSEC). Three important interpretations are used to assist in this program: the Trusted Network Interpretation (TNI), the Computer Security Subsystem Interpretation (CSSI), and the Trusted Database Interpretation (TDI). The NCSC also promotes information security education and cooperates with NIST to provide computer security assistance to other government departments and agencies. In support of the above, the NCSC operates a B2-level-of-trust computer system that provides on-line service to the information security community.

National Institute of Standards and Technology
The National Institute of Standards and Technology, an agency of the Commerce Department's Technology Administration, promotes economic growth by working with industry to develop and apply technology, measurements, and standards. Through its Information Technology Laboratory, NIST works to promote the development and use of information technology systems that are interoperable, easily usable, scalable, and secure. NIST's information technology research concentrates on developing tests and test methods for information technologies that are still in the early stages of development, long before they're available in new products. But even once information technology products are available, tests developed by ITL provide impartial ways of measuring them so developers and users can evaluate how products perform and assess their quality based on objective criteria. Since 1972, NIST has played a vital role in protecting the security and integrity of information in computer systems in the public and private sectors.
The Computer Security Act of 1987 reaffirmed NIST's leadership role in the federal government for the protection of unclassified information. NIST assists industry and government by promoting and supporting better security planning, technology, awareness, and training. In addition, NIST fosters the development of national and international standards for security technology and commercial off-the-shelf security products. Finally, NIST has an active, laboratory-based research program in computer and network security with special technical emphasis in cryptography; authentication; public-key infrastructure; internetworking; and security criteria, assurance, and testing.