Unlocking the national cybersecurity initiative

The Bush administration slowly reveals its cybersecurity initiative — and its impact on federal IT.

The cybersecurity initiative launched by the Bush administration earlier this year remains largely cloaked in secrecy, but it’s already clear that it could have a major and far-reaching effect on government IT operations in the future.

Everything from mandated security measures and standard desktop configurations across government to a recast Federal Information Security Management Act (FISMA) could influence the way agencies buy and manage their IT.

Overseeing all of this will be a central office run by the Homeland Security Department, the first time that the government’s efforts in cybersecurity will run through a single office tasked with coordinating the work of separate federal cybersecurity organizations.

“It’s both an effort to better organize existing cybersecurity initiatives as well as to promote a series of new initiatives,” said Amit Yoran, chief executive officer of network security vendor netWitness and a former director of the DHS National Cyber Security Division. “I think it is noteworthy that there are a number of new programmatic efforts that haven’t existed before, and that will create new capabilities and functionality.”

There’s still a long way to go, and it will take a huge effort to implement the measures, but Yoran said he thinks some agencies are already starting to appreciate the effect the initiative will have, even if they still don’t have all the details.

On Jan. 8, the White House issued Homeland Security Presidential Directive 23, also known as National Security Presidential Directive 54, the policy that apparently established the cybersecurity initiative. However, that wasn’t verified because the document itself was classified.

Some details emerged during the next few months through congressional testimony, lawmakers’ inquiries, and various speeches and presentations, but to date, few specifics have been made public.

In April, DHS published a fact sheet about the Comprehensive National Cybersecurity Initiative (CNCI) that listed various measures that were being taken to prevent future attacks on U.S. computer systems, including the expansion of several existing programs and the creation of a National Cybersecurity Center (NCSC), which will serve as the focus for improving federal government network defenses.

Rod Beckstrom, a well-known technology entrepreneur, was appointed the center’s director in March.

More recently, Steven Chabinsky, deputy director of the Joint Interagency Cyber Task Force, a part of the Office of the Director of National Intelligence, spoke at the Symantec Government Symposium in July and described some of the work being done under the CNCI.

That discussion was probably the most popular session during the entire symposium, said Tiffany Jones, who leads Symantec’s government relations operation in Washington.

Jones, who worked on cybersecurity initiatives with Richard Clarke when he was the Bush administration’s counterterrorism leader, said the CNCI is a set of programs that, at a minimum, places a renewed focus on cybersecurity activities.

“I’m looking on this as a catalyst to push cybersecurity much more proactively than it has been in the past,” she said.

There are three programs that have been identified publicly as part of CNCI, each having immediate impact on agencies.

In January, more than 4,300 agency Internet connections existed, and those had been cut to some 2,700 by June. The target is fewer than 100 connections.

Also, participation in Einstein for those agencies managing Internet access points will no longer be voluntary, as it was before. If Einstein finds a connection is not being properly managed, DHS will be able to shut it down.

As part of the CNCI, NIST proposed in February to extend the FDCC to other operating systems, applications and network devices beyond the existing support for Windows XP and Vista.

FISMA is one major element of government cybersecurity oversight that isn’t currently a part of the CNCI but could be greatly influenced by it in the future, observers say. The five-year-old law requires agencies to report on how they are following certain security processes, but critics have complained that it’s become nothing more than a check-the-box exercise for agencies and has done little to actually improve security.

There’s now talk in Congress about a reform of FISMA that could include many of the elements being proposed in the CNCI and about new ways to make security a more ingrained part of agency processes, Jones said.

Given the CNCI’s low-profile introduction, some agency officials may not appreciate the significance of the changes the program may pose, said James Lewis, a senior fellow at the Center for Strategic and International Studies.

The expansion of Einstein, for example, is a major change because it mandates the use of network security monitoring tools that are controlled by an entity outside the agencies.

“Before, they would do this [monitoring] themselves and not necessarily be forthcoming if anything happened,” he said. “Now it’s out of their hands.”

The administration has briefed some agency CIOs on what’s in store with the CNCI, but it’s likely that information has not percolated through to other levels of agencies, Lewis said.

“At some point, they will go to do things and be told they can’t do it,” Lewis said. “That’s when they’ll find that certain things have already happened.”

With such programs as TIC and FDCC now being mandates, some agencies will have to change their business practices, said Mark Gerencser, a senior partner at Booz Allen Hamilton. As the number of Internet points-of-presence is reduced, for example, what effect will that have on their mission?

“No one’s really looked at that yet,” he said. “There’ll need to be trade-offs between business needs and security, and agencies will have to manage the impact on their missions and then evolve their business models.”

Andy Singer, the principal in charge of cyber integration at BAH, said he believes the CNCI will force an alignment shift among agencies. A recently retired Navy rear admiral, he led the Navy mission integration of computer network attack, defense and exploitation.

In DOD, various sectors have learned how to work together by crossing the traditional boundaries of their authority, he said. DOD overall has treated cybersecurity as a national security issue and, as a result, has been more effective than others in this area.

“On the civilian side, each agency has up to now been responsible for its own little [security] realm,” Singer said. “Now they’ll have to start doing it all together with the DHS in the lead.”

Bob Frisbie, vice president of cybersecurity at Northrop Grumman, noted that there have been past efforts to improve government cybersecurity measures. But none of them attempted to put anyone in charge of a central office responsible for coordinating efforts, he said, something DHS is now trying to establish.

“The metrics for cyber defense have been very elusive so far,” he said. “The way to measure how successful [the CNCI] will be is when the Cyber Center gets fully up and running, which will probably be some time late next year.”

However, before then, a major indication of eventual success will be how Congress handles the administration’s request for CNCI funding. Although no firm figures are available, published reports suggest the multiyear CNCI could eventually cost anywhere from $18 billion to $30 billion. DHS has asked for about $200 million in the fiscal 2009 budget to fund its CNCI efforts.

It’s also not clear how much oversight DHS and other agencies involved in CNCI will be willing to cede to Congress as a necessary quid pro quo for lawmakers committing to the initiative.

Given the lessons of other attempts to enforce better security throughout government without the necessary funding, such as HSPD-12, many people are naturally skeptical of this new effort. So the first hurdle it has to leap over is next month’s decisions by Congress on fiscal 2009 appropriations bills.

Will there be real money attached to the CNCI?

“That’s what we are all waiting to see,” Jones said.

Editor's note

Coming up in the FCW Security Series

Sept. 29 — Securing Web 2.0

Learn how agencies are assessing and addressing the security issues associated with interactive Web 2.0 tools such as social media, blogs, podcasts and wikis.


Oct. 6 — Mastering managed security services

Find out which cybersecurity systems, operations and compliance procedures agencies are outsourcing most successfully, along with tips for selecting providers and managing performance by contractors.

Public details

  • Trusted Internet Connections (TIC): First announced by the Office of Management and Budget in November 2007, this program is designed to reduce the number of external connections that agencies have to the Internet to just a few centralized gateways that can be better monitored for security.

  • Einstein II: Einstein is a system that automatically monitors data traffic on government networks for potential threats. As a program under the CNCI, Einstein will be upgraded to include intrusion-detection technology.

  • Federal Desktop Core Configuration (FDCC): This program, initiated by OMB last year, mandates that agencies adopt a common security protocol for their desktop systems long advocated by the National Security Agency, the Defense Information Systems Agency and the National Institute of Standards and Technology.

Prepare for change