Unlocking the national cybersecurity initiative
The cybersecurity initiative launched by the Bush administration earlier this year remains largely cloaked in secrecy, but it’s already clear that it could have a major and far-reaching effect on government IT operations in the future.
Everything from mandated security measures and standard desktop configurations across government to a recast Federal Information Security Management Act (FISMA) could influence the way agencies buy and manage their IT.
Overseeing all of this will be a central office run by the Homeland Security Department, the first time that the government’s efforts in cybersecurity will run through a single office tasked with coordinating the work of separate federal cybersecurity organizations.
“It’s both an effort to better organize existing cybersecurity initiatives as well as to promote a series of new initiatives,” said Amit Yoran, chief executive officer of network security vendor netWitness and a former director of DHS National Cyber Security Division. “I think it is noteworthy that there are a number of new programmatic efforts that haven’t existed before, and that will create new capabilities and functionality.”
There’s still a long way to go, and it will take a huge effort to implement the measures, but Yoran said he thinks some agencies are already starting to appreciate the effect the initiative will have, even if they still don’t have all the details.
The White House issued on Jan. 8 Homeland Security Presidential Directive 23, also known as National Security Presidential Directive 54, the policy that apparently established the cybersecurity initiative. However that wasn’t verified because the document itself was classified.
Some details emerged during the next few months through congressional testimony, lawmakers’ inquiries, and various speeches and presentations, but to date, few specifics have been made public.
In April, DHS published a fact sheet about the Comprehensive National Cybersecurity Initiative (CNCI) that listed various measures that were being taken to prevent future attacks on U.S. computer systems, including the expansion of several existing programs and the creation of a National Cybersecurity Center (NCSC), which will serve as the focus for improving federal government network defenses.
Rod Beckstrom, a well-known technology entrepreneur, was appointed the center’s director in March.
More recently, Steven Chabinsky, deputy director of the Joint Interagency Cyber Task Force, a part of the Office of the Director of National Intelligence, spoke at the Symantec Government Symposium in July and described some of the work being done under the CNCI.
That discussion was probably the most popular session during the entire symposium, said Tiffany Jones, who leads Symantec’s government relations operation in Washington.
Jones, who worked on cybersecurity initiatives with Richard Clarke when he was the Bush administration’s counterterrorism leader, said the CNCI is a set of programs that, at a minimum, places a renewed focus on cybersecurity activities.
“I’m looking on this as a catalyst to push cybersecurity much more proactively than it has been in the past,” she said.Public details
There are three programs that have been identified publicly as part of CNCI, each having immediate impact on agencies:
- Trusted Internet Connections (TIC): First announced by the Office of Management and Budget in November 2007, this program is designed to reduce the number of external connections that agencies have to the Internet to just a few centralized gateways that can be better monitored for security.
In January, more than 4,300 agency Internet connections existed, and those had been cut to some 2,700 by June. The target is less than 100 connections.
- Einstein II: Einstein is a system that automatically monitors data traffic on government networks for potential threats. As a program under the CNCI, Einstein will be upgraded to include intrusion-detection technology.
Also, participation in Einstein for those agencies managing Internet access points will no longer be voluntary, as it was before. If Einstein finds a connection is not being properly managed, DHS will be able to shut it down.
- Federal Desktop Core Configuration (FDCC): This program, initiated by OMB last year, mandates that agencies adopt a common security protocol for their desktop systems long advocated by the National Security Agency, the Defense Information Systems Agency and the National Institute of Standards and Technology.
As part of the CNCI, NIST proposed in February to extend the FDCC to other operating systems, applications and network devices beyond the existing support for Windows XP and Vista.Prepare for change
FISMA is one major element of government cybersecurity oversight that isn’t currently a part of the CNCI but could be greatly influenced by it in the future, observers say.
The five year-old law requires agencies to report on how they are following certain security processes, but critics have complained that it’s become nothing more than a check-the-box exercise for agencies and has done little to actually improve security.
There’s now talk in Congress about a reform of FISMA that could include many of the elements being proposed in the CNCI and about new ways to make security a more ingrained part of agency processes, Jones said.
Given the CNCI’s low-profile introduction, some agency officials may not appreciate the significance of the changes the program may pose, said James Lewis, a senior fellow at the Center for Strategic and International Studies.
The expansion of Einstein, for example, is a major change because it mandates the use of network security monitoring tools that are controlled by an entity outside the agencies.
“Before, they would do this [monitoring] themselves and not necessarily be forthcoming if anything happened,” he said. “Now it’s out of their hands.”
The administration has briefed some agency CIOs on what’s in store with the CNCI, but it’s likely that information has not percolated through to other levels of agencies, Lewis said.
“At some point, they will go to do things and be told they can’t do it,” Lewis said. “That’s when they’ll find that certain things have already happened.”
With such programs as TIC and FDDC now being mandates, some agencies will have to change their business practices, said Mark Gerencser, a senior partner at Booz Allen Hamilton. As the number of Internet points-of-presence are reduced, for example, what effect will that have on their mission?
“No one’s really looked at that yet,” he said. “There’ll need to be trade-offs between business needs and security, and agencies will have to manage the impact on their missions and then evolve their business models.”
Andy Singer, the principal in charge of cyber integration at BAH, said he believes the CNCI will force an alignment shift among agencies. A recently retired Navy rear admiral, he led the Navy mission integration of computer network attack, defense and exploitation.
In DOD, various sectors have learned how to work together by crossing the traditional boundaries of their authority, he said. DOD overall has treated cybersecurity as a national security issue and, as a result, has been more effective than others in this area.
“On the civilian side, each agency has up to now been responsible for its own little [security] realm,” Singer said. “Now they’ll have to start doing it all together with the DHS in the lead.”
Bob Frisbie, vice president of cybersecurity at Northrop Grumman, noted that there have been past efforts to improve government cybersecurity measures. But none of them attempted to put anyone in charge of a central office responsible for coordinating efforts, he said, something DHS is now trying to establish.
“The metrics for cyber defense have been very elusive so far,” he said. “The way to measure how successful [the CNCI] will be is when the Cyber Center gets fully up and running, which will probably be some time late next year.”
However, before then, a major indication of eventual success will be how Congress handles the administration’s request for CNCI funding.
Although no firm figures are available, published reports suggest the multiyear CNCI could eventually cost anywhere from $18 billion to $30 billion. DHS has asked for about $200 million in the fiscal 2009 budget to fund its CNCI efforts.
And it’s also not clear how much oversight DHS and other agencies involved in CNCI will be willing to cede to Congress as a necessary quid pro quo for lawmakers committing to the initiative.
With the lessons of other attempts to enforce better security throughout government without the necessary funding, such as HSPD-12, many people are naturally skeptical of this new effort. So the first hurdle it has to leap over is next month’s decisions by Congress on fiscal 2009 appropriations bills.
Will there be real money attached to the CNCI?
“That’s what we are all waiting to see,” Jones said.