Educause Security Discussion mailing list archives

Feedback About InfraGard


From: Rodney Petersen <rpetersen () EDUCAUSE EDU>
Date: Mon, 28 Oct 2002 12:47:42 -0500

A recent presentation at the EDUCAUSE2002 annual conference sponsored by
the Security Task Force featured Dr. Phyllis Schneck, Chairman of the
InfraGard National Executive Board.  She indicated in her remarks that
steps were underway to address concerns about the Secure Access
Agreement that many cited as an impediment to joining InfraGard.  Below
is a message from Dr. Schneck announcing some proposed changes and
requesting feedback.  Please provide feedback to the addresses indicated
in her message.

Additionally, the Security Task Force is interested in learning more
about your experiences with your local InfraGard chapters and whether it
is a useful experience for IT security officers or other college or
university personnel.  Please post your experiences to this list
focusing on the following:

What is the most useful feature of InfraGard for college and university
IT security personnel?

What is the least useful feature of InfraGard?

Should the Security Task Force promote college and university
participation in InfraGard?

Is there any feedback that we could share with Dr. Schneck and other
InfraGard leadership to reinforce its effectiveness or improve its
overall usefulness for higher education?

Thank you for any insights that you can provide.

Rodney Petersen
Security Task Force Coordinator, EDUCAUSE

-----Original Message-----
From: Phyllis Schneck [mailto:phyllis.schneck () ecommsecurity com]
Sent: Tuesday, October 22, 2002 5:17 PM
To: 'infragard-official () listserv infragard org'
Cc: 'don () thetrainingco com'; 'don.evans () usahq unitedspacealliance com'
Subject: IMPORTANT - HELP US WITH MEMBERSHIP GUIDELINES FOR REPLACING
THE SAA!

All-

Over the past two years, an overwhelming percentage of our members and
potential members have asked that the existing "Secure Access Agreement"
(SAA) be replaced with an agreement that is closer to that to which
businesses are more familiar (such as an NDA-type agreement with some
additional structure to specifically suit InfraGard). In addressing this
concern, the IEB is working with the membership committee and the NIPC
to expedite the production of an agreement that moves us forward. Steve
Chabinsky, NIPC Counsel, poses the following suggestions (enclosed in
text below this note) to us on guidelines regarding issues such as how
is membership defined and what should determine access to InfraGard
"secure" information. These are yours to adjust as you see appropriate.

How would you modify these (for example, please note that one of the
guidelines below mentions the SAA by name, and clearly if we are to make
a change, that guideline would reflect the new agreement, making no
mention of what we currently know as the SAA). Another example is do we
want companies only for access to secure site - or do we want individual
memberships? Do we want to create a framework to enable global
information sharing in the future, thus striking the guideline barring
non-citizens from membership? Please tell us! Please also note that it
is up to you, the InfraGard membership, to craft what you want our
membership agreement to do for us, as our membership guidelines will
shape your InfraGard for the future.

Also, the results are in: Out of a total of 1773 votes received, 1642
members indicated that they would be in favor of background checks as a
requirement for InfraGard membership, where all members would then have
"Secure Access." 131 members voted against.
This indicates that our membership would be in favor of backgrounding
all members, thus providing all members secure site access. Therefore, a
new agreement may need only contain standard non-disclosure provisions
and some additional language to fit to our trusted partnership. Whatever
we need, Steve can create.

We need your help. Please gather input from your constituents and tell
us what you would like to see! Don Evans (Houston - working with base of
"SAA/membership" committee) and Don Withers (Maryland) will be
collecting your input and submitting a summary of membership opinion to
the IEB. The IEB will then work with Steve to create an agreement that
reflects your comments. We are aiming to have this agreement ready for
2003. This is aggressive, but necessary.

PLEASE DO NOT RESPOND TO THIS NOTE WITH QUESTIONS.  ALL RESPONSES SHOULD
BE IN THE FORM OF INPUT TO DON&DON - again addresses are:
don () thetrainingco com and don.evans () usahq unitedspacealliance com.

All comments must be received by Don Withers and Don Evans by November
10, 2002. Many thanks - this is a tremendous milestone.

Steve Chabinsky's suggested draft membership guidelines follow.

Phyllis

Phyllis A. Schneck, Ph.D.
Vice President, Enterprise Services, eCommSecurity, Inc.
Chairman, FBI InfraGard National Executive Board
770-216-9990 x3016

_____

Draft General Guidelines for Permitting InfraGard Membership and Access
to InfraGard Secure Information

These general guidelines are for use by the FBI in determining whether
to provide an InfraGard applicant with membership, and an InfraGard
member with access to "Secure Information" as defined in the Secure
Access Agreement.

Secure Information generally refers to non-public information posted on
the InfraGard secure webpage or disseminated through the InfraGard alert
network.

I. Overview

A. The FBI generally will grant InfraGard membership and access to the
InfraGard secure webpage and InfraGard web alerts (1) to any individual
or entity who [has signed the most current version of the Membership
Application and Secure Access Agreement], (2) after conducting a records
check both on the corporate entity which is the InfraGard applicant and
the individual who is the member's Designated Representative under the
Secure Access Agreement. This holds true as well for persons lawfully in
the United States who are not U.S. citizens, and foreign controlled
corporations that are lawfully doing business in the United States.

B. Consistent with the Secure Access Agreement, for specific law
enforcement or national security purposes, the FBI, with the express
written consent of the NIPC, may grant access to Secure Information to
federal, state or local law enforcement and intelligence agencies that
are not InfraGard members, and that have not signed the Secure Access
Agreement. Under such circumstances, special attention must be paid to
the public reporting obligations of those entities.

C. The FBI generally will not grant membership and secure access to
individuals or entities not residing or doing business in the United
States.

D. The FBI generally will not grant membership and secure access to any
foreign government or its diplomatic mission in the United States.

E. The FBI generally will not grant membership and access to individuals
or entities if providing such information could pose a substantial risk
to the protection of law enforcement or national security interests,
including risks to the national infrastructure. The FBI, nonetheless,
will grant membership and access in those cases where the fact of not
doing so would be contrary to the FBI's law enforcement or intelligence
objectives (for example, when refusing membership and access would have
the detrimental effect of notifying the applicant of a sensitive,
pending investigation).

F. The FBI will deny membership and access only on a case-by-case basis.
As a general matter, though, the FBI -- upon determination by the NIPC,
FBIHQ -- will not grant membership and access to individuals or entities
who specifically are known to have, or are strongly suspected of having,
engaged in [any felony? any felony within the past x years?] any of the
following 10 categories of conduct:

1. Acts of foreign or domestic terrorism. This includes, by way of
example, conduct in violation of:

18 U.S.C. 175 [biological weapons]

18 U.S.C. 792 - 797 [espionage]

18 U.S.C. 831 [nuclear materials]

18 U.S.C. 841 [explosive materials]

18 U.S.C. 871 - 880 [threats and extortion]

18 U.S.C. 1114 [murder of U.S. officer or employee]

18 U.S.C. 1116 [murder of foreign officials]

18 U.S.C. 1119 [foreign murder of U.S. nationals]

18 U.S.C. 1121 [murder of persons who are aiding investigations]

18 U.S.C. 2153 [sabotage]

18 U.S.C. 2331-2339B [terrorism]

49 U.S.C. 46502-46507 [hijacking aircraft]

2. Active membership in an organization that the applicant knows or
should have known to sponsor terrorism, or prior membership in such an
organization that raises significant concern about the applicant's
current ability to protect and not misuse InfraGard information.

3. Acts constituting genocide or war crimes.

18 U.S.C. 1091 [genocide]

18 U.S.C. 2441 [war crimes]

4. Acts of unlawful use of computer(s), electronic data, voice mail, or
telephone system(s). This includes, but is not limited to, conduct in
violation of:

18 U.S.C. 875(c) [interstate threats]

18 U.S.C. 1029 [access devices]

18 U.S.C. 1030 [computer fraud and related activities]

18 U.S.C. 2511 [interception of communications]

18 U.S.C. 2512 [intercepting devices]

18 U.S.C. 2701 [computer intrusions]

47 U.S.C. 223(A) [harassing communications]

5. Active participation in an organization that the applicant knows or
should have known to engage in, promote, or sponsor the unlawful use of
computers, electronic data, voice mail or telephone systems; or prior
active participation in such an organization that raises significant
concern about the applicant's current ability to protect and not misuse
InfraGard information.

6. Misuse of information, including the unauthorized disclosure of
classified information. [18 U.S.C. 798]

7. Economic espionage. [18 U.S.C. 1831, 1832]

8. Information-gathering on behalf of foreign governments, terrorists,
or others with purposes inconsistent with the protection of American
national security.

9. Unlawful entry or residence in the United States. [18 U.S.C.
1423-1427]

10. Acts in breach of InfraGard's By-Laws or the InfraGard Secure Access
Member Agreement.

II. Records Checks

A. In order for the FBI to grant membership to an InfraGard applicant,
and to determine whether an individual or entity's access to secure
InfraGard information might pose a substantial risk to the national
security, for each applicant from their respective Local Chapters, the
Field Offices will check the following with the applicant's consent: all
FBI records, the National Crime Information Center (NCIC), and the List
of Parties Excluded from Federal Procurement and Nonprocurement Programs
(available online at <http://www.arnet.gov/epls/>). An applicant's
refusal to provide sufficient identifying information about themselves
and consent for the FBI to conduct the background check will be an
automatic basis for denying membership and access to secure information.

III. Procedures for Providing or Denying Access to Secure Information

A. The FBI generally will not provide membership or secure access to an
applicant without first conducting the records check described above.

B. If an applicant fails or refuses to provide identifying information
and consent sufficient for the FBI to conduct a records check, then the
applicant's membership and access will be denied. If access is denied
for this reason, the applicant generally will be given a second
opportunity to provide the necessary information. It will be case
specific whether the FBI can conduct an adequate records check without
receiving all of the information requested on the Designated
Representative Information sheet.

C. No applicant will be denied membership or secure access, and no
applicant will be informed that they might be denied membership or
secure access, unless the following procedures are followed:

1. The Field Office must notify the NIPC immediately of any application
where a records check indicates criminal activity or pending
investigations of any type, and provide a recommendation to the NIPC
about whether the applicant should be granted membership and access to
InfraGard information.

2. If the NIPC concludes that membership and access should be denied,
the NIPC must consult promptly with all interested FBI Divisions and
Field Offices, or other agencies if appropriate, to determine whether an
applicant (or its Designated Representative) may be told the general
reason membership and access is being denied. If on national security or
law enforcement grounds the applicant (or its Designated Representative)
cannot be told the general reason for denial of membership or access,
then membership and access will be granted.

3. By letter from the NIPC, the Field Office will be responsible for
notifying an applicant whose membership and access is denied and will
provide the Designated Representative who was the subject of the records
check with the general grounds for that decision.

4. The applicant/Designated Representative will have an opportunity to
provide to the NIPC a written challenge of any notice of denial.
