Summary
On September 19, 1984 the then US President Ronald Reagan signed “the first White House policy directive on hacking” (Zapone, 2016) – The National Policy on Telecommunications and Automated Systems Security 145.
Zapone, in his blog post, states that the policy came to life after President Reagan viewed the 1983 feature film “War Games” and asked Gen. John W. Vessey Jr., the chairman of the Joint Chiefs of Staff, “Could something like this really happen? Could someone break into our most sensitive computers?” The line of inquiry that followed these questions eventually led to the birth of this policy directive.
The policy begins by acknowledging the “unprecedented growth” in the field of telecommunications, automated systems, and information processing services in both the government and private sectors. While it accepts that technology advancements have done much to improve “efficiency and effectiveness”, the policy directive is also aware of the security risks they bring and anticipates their exploitation by “terrorist groups and criminal elements”. It understands that the compromise and leak of sensitive or classified information can cause grave damage to the country and to national security.
In view of the above facts, it aims at providing policies, objectives, and an organizational structure to protect and safeguard systems containing sensitive information.
The policy identifies that the targeted systems could be those that “generate, store, process, transfer, or communicate” classified information, or unclassified systems handling “sensitive information”.
The directive establishes a Systems Security Steering Group that comprises of the Secretary of State, the Secretary of the Treasury, the Secretary of Defense, the Attorney General, and the Directory of Central Intelligence. This group is to take ownership of the objectives of this directive and oversee the implementation, monitor activities, review the program, evaluate its effectiveness, identify classification categories, and recommend additions and revisions, as deemed necessary.
This policy directive further establishes The NTISSC (National Telecommunications and Information Systems Security Committee) to provide the operational and technical implementations under the direction of the Steering Group.
Additionally, under this directive, the Secretary of Defense is to serve the extended role of The Executive Agent of the Government for Telecommunications and Information Systems Security. He is to work in cohesion with the NTISSC members to ensure the development and fulfillment of the objectives of the directive. He is also responsible for reviewing and assessing all technical recommendations and budget evaluations and providing reports to the Steering Group.
This 1984 directive instates the Director of the NSA (National Security Agency) to the role of The National Manager for Telecommunications Security and Automated Information Security.
The National Manager’s chief responsibility is to perform risk assessments on all the government telecommunications systems and automated information systems. He, further, wields the authority to examine all systems for vulnerabilities and threat agents, and to evaluate the risks present. He is also tasked with reviewing all proposed standards, guidelines, and new technology developments to these systems. Additionally, the Manager is to conduct, approve, and endorse research in the fields of cryptography, information and telecommunication security, and automated systems.
Next, the directive mentions the roles and responsibilities of the Heads of Federal Departments and Agencies, within the realm of the policy. The heads of these agencies are to ensure the implementation of the “policies, standards, and doctrines” that the directive develops, within their departments and agencies. They are also expected to provide the Steering Group, the NTISSC, Executive Agent, and the National Manager any information necessary for discharging any responsibilities as defined by this directive.
Reaction
While the National Security Decision Directive Number 145 (The National Policy on Telecommunications and Automated Information Systems Security), was signed almost 34 years ago – when information and telecommunication technology was still in its early years, many of the elements pertaining to information security uncannily hold true to date.
The White House, under President Reagan, was accurate in its analysis of technology advancements having two sides to it: the more accessibility and ease it ushers in, the more security concerns it causes.
The directive also foresees Nation State attacks, criminal activity, and terrorist attacks through information and communication channel compromise. This has only proved to be grimly true with the increasing number of Advanced Persistent Threats (APTs), the latest of which was the Dark Caracal, that the Electronic Frontier Foundation exposed only earlier this month.
The directive also does well in stating the role of the NSA in encouraging research and security education, the effects of seen are seen till today, where the NSA evaluates and recognizes centers of excellence in security education and research in the higher education arena and in research centers.
The directive, however, raises a few concerns such as the implications and effects of overlapping defense and civilian matters, the defining of “sensitive” data and the providing of justifications for their residing on unclassified systems, and the implications and effects of the adoption of private sector research and technology into government systems.
In conclusion, the 1984 directive is surprisingly accurate in its understanding and foresight of information security concerns and lays a good foundation to creating a comprehensive and coordinated security program to safeguard information in the interest of national security.
References
EFF (2018, January 18). Dark Caracal. Retrieved from https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf
National Security Decision Directive 145. (n.d.). Retrieved from http://itlaw.wikia.com/wiki/NSDD-145
White House. (1984). National Security Decision Directive Number 145 (NSDD-145): National Policy on Telecommunications and Automated Information Systems Security. 1-11. Washington, D. C,: White House.
Zappone, C. (2016, April 01). NSDD-145: the first national security directive on hacking. Retrieved from https://coldwardaily.com/2016/04/01/nsdd-145-the-first-national-security-directive-on-hacking/