Critics not satisfied with partial revelation of secret cybersecurity plan

The release of a summary of a classified cybersecurity program launched during the Bush era that continues to guide government computer security efforts was generally welcomed, but some say key questions about the government’s strategy still need to be answered.

Howard Schmidt, the White House’s cybersecurity coordinator, released an outline of the Comprehensive National Cybersecurity Initiative (CNCI) in a blog posting March 2. The CNCI started in January 2008 when then-President George W. Bush signed National Security Presidential Directive 54/Homeland Security Presidential Directive 23.

The unclassified summary outlines 12 initiatives that make up the CNCI. Much of the information had already been reported. However, the document does provide additional detail about EINSTEIN 3, the next-generation tool that the government is developing to protect the civilian government domain.


“On the one hand it’s a departure from the prior level of secrecy, and it’s more than the Bush administration was willing to disclose,” said Steven Aftergood, director of the Project on Government Secrecy for the Federation of American Scientists. “On the other hand…it’s still a sparse description of the program, the underlying directive of the program has not been disclosed and the release seems more like it was intended to reassure the public than to initiate new public discussion or debate.”

Aftergood said the document amounted to a bare-bones description, but he said the release represented movement in the right direction. “They haven’t specified exactly what [legal] authorities they are claiming to carry out this activity and that’s something I would like to know more about,” he said. “What are the limits of their legal authorities?”

One area of the government's efforts that privacy advocates have been focused on is EINSTEIN 3. The summary said that program “will draw on commercial technology and specialized government technology to conduct real-time full packet inspection and threat-based decision-making on network traffic entering or leaving these Executive Branch networks” to “identify and characterize malicious network traffic to enhance cybersecurity analysis, situational awareness and security response.”

The summary also said the new program will give the Homeland Security Department the capability to send alerts that don’t contain the content of communications to the National Security Agency in order to support DHS, the agency in charge of protecting the civilian government domain. The summary said DHS is currently conducting a pilot exercise to test EINSTEIN 3’s capabilities, based on technology developed by the NSA. The government's privacy and civil liberties officials are working with DHS to put privacy protections in place, the document said.

Gregory Nojeim, senior counsel and director of the Project on Freedom, Security and Technology at the Center for Democracy and Technology, said there was not a lot of new information in the summary but that it was good for the government to acknowledge publicly that an NSA product is part of the development of EINSTEIN 3. However, he added that the outline raises questions.

“It would be important to know the answers to questions like what will be the government’s response when it detects malicious code and will the response go beyond preventing a harm, will it include an effort to stop that code from coming in in the future, and if so what will be the parameters of that effort?”

Karen Evans, who was administrator of e-government and information technology at the Office of Management and Budget when the directive was signed and is now a partner at KE&T Partners, said the release of the summary was a step forward. She said that it’s important for people to know what’s being done and what the 12 initiatives are.

The initiatives include reducing the government’s external Internet access points, bolstering intrusion detection capabilities, coordinating research and development efforts, putting in place a counter-intelligence plan, and improving supply chain security. The summary offers varying levels of detail on the different components.

Retired Air Force Maj. Gen. Dale Meyerrose, who previously served as chief information officer at the Office of the Director of National Intelligence, said the summary showed people the balance and comprehensiveness of the government’s plans. However, Meyerrose, now the vice president and general manager of Harris Corp.’s Cyber and Information Assurance practice, said the full directive shouldn’t be released because a lot of it has to do with tactics and procedures that you wouldn’t want to give the enemy.

Gregory Garcia, who was assistant secretary for cybersecurity and communications at DHS during the Bush administration, said releasing the summary was “absolutely the right decision” and was overdue. “I think what this should do is jump-start a more collaborative engagement with the private sector,” said Garcia, who now runs the Garcia Strategies consulting firm.

Garcia said its release should be taken by the private sector as a good-faith gesture. “The document itself is less important than the iterative process…of how the strategy can be implemented by the private sector and by the government collaboratively,” he said.

But Nojeim said the private sector needs more answers from the government. He said that if he were a company being asked to provide information, he would want to know how information he hands over is being used, what is being shared with competitors, and how his company would be helped by providing that information.

“I think that this disclosure should be seen as a necessary but not sufficient step in transparency for the cybersecurity initiative,” Nojeim said. “To gain the confidence of the private sector that is necessary for the success of this program, a lot more has to be disclosed.”

About the Author

Ben Bain is a reporter for Federal Computer Week.

Reader comments

Thu, Mar 4, 2010 Jeffrey A. Williams

As a 30-year IT security professional, it is IMO necessary to have the details available for review and analysis to ensure that there are no unintended consequences as well as to provide the private sector the reasonable opportunity to protect itself from unwarranted or perhaps less than legal intrusion by any government entity.

Thu, Mar 4, 2010 Flonk California

We need to know enough about what the Government is doing to verify that our civil liberties are intact. Specifics about tools and techniques are not needed. Policies, aims, and safeguards are most assuredly needed.

We can not trust politicians to behave if they are allowed to work in the dark.

Thu, Mar 4, 2010 Mike Virginia

Why should any reasonable person expect public disclosure of all security measures for the civilian government domain? A key portion of a security system should include looking for intruders that are fumbling their way through. A standard security procedure (either physical or virtual) is safeguarding both the exact nature of measures in place and any known vulnerabilities. Why would anybody expect this case to be any different - especially when those that get the information seem inclined to seek their 15 seconds of fame? I wonder if any bad-guys can read...

Thu, Mar 4, 2010

Releasing any of this makes no sense whatsoever - unless you actually want to help our enemies. Any competent defender knows that the success of an attacker hinges on how much the attacker knows about the defenses he has to overcome. Making this information public is an act of sheer folly or betrayal.

Thu, Mar 4, 2010

Yes tell them everything about your classified plans so they can pass to our enemies. Those that have a need to know should get security clearances first then if they reveal the details prosecute for espionage. Let's get tough over spying and spies in our midst.
