White House lifts the veil on Bush cybersecurity initiative

Much of the Comprehensive National Cybersecurity Initiative is declassified

SAN FRANCISCO -- Much of the Comprehensive National Cybersecurity Initiative created by the Bush administration has been declassified and made publicly available, said White House Cybersecurity Coordinator Howard Schmidt.

"The administration has updated the classification guidelines for the Comprehensive National Cybersecurity Initiative," Schmidt said during comments at the RSA Security Conference.

Information on 12 unclassified initiatives under the plan will be available on the White House Web site at www.whitehouse.gov/cybersecurity.

The move is part of President Barack Obama's commitment to open government, Schmidt said, and an effort to ensure that critical information is available for those who need to participate in the effort to secure the nation's and the world's information infrastructure.

The audience greeted the announcement warmly. The security community widely sees the declassification as a positive step. One of the continuing themes of discussion at the conference is the need for expanded government and industry cooperation. Despite lip service being paid to public and private partnerships, the lack of trust between the parties is repeatedly cited as a stumbling block to creating a really robust and workable national cybersecurity policy.
 
The administration's unilateral decision to make classified information public is seen as a step toward establishing the trust needed for meaningful information sharing.
 
Schmidt acknowledged the need for better cooperation not only within the government but between the public and private sectors.
 
"I'm working across all the aspects of federal government," to establish a harmonized cybersecurity policy, he said. "We recognize all the vulnerabilities are shared."
 
He also said that his shared responsibilities with the National Economic Council are important to cybersecurity because of the part IT security plays as an economic driver.
 
Schmidt also said that some long-anticipated changes are in the works for compliance with the Federal Information Security Management Act.
 
"You can be FISMA compliant and still not be secure," he said. He said that next month the Office of Management and Budget will announce new performance metrics for FISMA, so that agencies can move from static, compliance-based security to risk management based on real-time monitoring and analysis.

The Bush administration designated much of the CNCI to be secret, which brought criticism from many quarters. One of the most visible elements of it has been the Trusted Internet Connection initiative, under which the government is moving to limit and better control the number of connections federal networks have to the public Internet.

More controversial has been the Einstein initiative, an effort to enable real-time deep-packet inspection on government networks that has been seen as a threat to privacy.

When Obama first announced his intention to appoint a cybersecurity coordinator, in May 2009, he emphasized that his approach to protecting the nation's information systems would not include any violations of civil liberties, wrote Kim Zetter in Wired News. “Our pursuit of cybersecurity will not include — I repeat, will not include — monitoring private sector networks or Internet traffic,” Zetter quoted Obama as saying. “We will preserve and protect the personal privacy and civil liberties that we cherish as Americans.”

The portions of the plan that have been declassified do not discuss cyberwarfare, Zetter reported.

Before his formal presentation, Schmidt told the New York Times that the purpose of the declassification is to show that the government has a good strategy for protecting the nation’s computer systems.

“The CNCI was shrouded in a lot of classification,” Schmidt told the Times. “The president has said very specifically that we need to make sure the administration is transparent with not only the American public but with an international audience as well.”

Reader comments

Tue, Mar 9, 2010

As someone who has worked with classified material over the past 28 years, I can tell you that secret material is usually mundane with nothing special about it. What makes it classified is what particular approach or method is being used. It is like a combination to a lock. There is nothing special about the numbers or even the combination - but combining the combination with the lock and what the lock protects is what makes it secret. As a good security measure, you try to hide everything so that the enemy is not able to collect all the pieces and put them together. This method has been done a lot in the past to uncover secrets. So for those who do not work closely with secret material, please try to be a little more cautious about what can be sensitive.

Mon, Mar 8, 2010 Zack in the belly of the beast - inside the beltway

I concur with Radagast. The only thing sensitive is that we've classified the obvious...

Thu, Mar 4, 2010 Radagast

Have any of you knuckleheads complaining that we're giving away secrets to the enemy actually read the CNCI as posted by the White House? There is nothing in there that will help the enemy. It doesn't deal in specifics, it's a set of policy statements, like "deploy intrusion detection systems." How does that help anyone attack U.S. systems? If they have 2 brain cells, they'll already assume such systems are in place. Can the hysteria and the hyper-partisan b.s. and actually read the document. It's on that newfangled thing called the "internet".

Thu, Mar 4, 2010 Andy

As a citizen I'm offended by any unnecessary security disclosures, because the knowledge imparted falls easily into the hands of those wishing us ill (or dead). As a taxpayer, I'm offended (read alternately as stunned by the arrogance and ignorance) because I'm educating the crap heads by allowing them insight into our security processes. In other words, the next security apparatus we develop will necessarily be more expensive by virtue of needing to be more highly sophisticated. Am I out of line in this thinking? I'm glad, no thrilled, that the rocket surgeons in Washington are working so diligently to protect us. Yikes, I'm thinking about getting born again.

Thu, Mar 4, 2010 No California

How on earth could anyone make anything a "US only" release? There's this new thing called the internet that allows instant global communication. And playing the 'helps our enemies' card only prevents open, rational communication.
