Monitoring federal networks, global supply chain part of cyber initiative

Among information the administration declassified is a call for acquisition reform to make sure technology products have not been developed to infiltrate networks and steal data.

Cybersecurity Chief Howard Schmidt said he wants the U.S. to become "stronger through stronger technology." Lawrence Jackson/White House

The Obama administration divulged on Tuesday details about the highly classified cybersecurity plan that was first introduced under President Bush, including information about the latest version of the federal government's intrusion detection system and a more secure approach to managing the global supply chain.

In an effort to improve transparency of federal activities, White House Cybersecurity Coordinator Howard Schmidt directed the release of a summary description of the largely classified National Security Presidential Directive 54 and Homeland Security Presidential Directive 23. The directives are more commonly known as the Comprehensive National Cybersecurity Initiative, which the Bush administration established in January 2008. Schmidt announced the release during a keynote at the RSA security conference in San Francisco on Tuesday.

"Transparency is particularly vital in areas where there have been legitimate questions about sensitive topics like the role of the intelligence community in cybersecurity," Schmidt said in a White House blog posting on Tuesday. "We will not defeat our cyber adversaries because they are weakening; we will defeat them by becoming collectively stronger through stronger technology, a stronger cadre of security professionals and stronger partnerships."

The declassified document included descriptions of the dozen sections that comprise the initiative, aspects of which were released previously.

Among the more significant details included was confirmation that the National Security Agency would support the Homeland Security Department in protecting federal networks. Einstein 3, which is the latest version of the intrusion prevention system managed by the U.S. Computer Emergency Readiness Team within DHS, will monitor in real time network traffic entering and leaving federal networks to detect cyber threats before harm is done. The system will support enhanced information sharing through automated alerts of intrusion attempts and, when deemed necessary by DHS, alerts to the NSA of any threat. The content of the communications will be stripped out to ensure privacy.

According to the document, Einstein 3 "makes substantial and long-term investments to increase national intelligence capabilities to discover critical information about foreign cyber threats." DHS will be able to adapt threat signatures, the patterns that instruct the system to search network traffic for known malicious activity, using threat information from NSA, the Defense Department and the intelligence community.

"Einstein 2 relies on signature based intrusion detection, [while] Einstein 3 looks for anomalous activities that are not already in the signature database, enabling analytical assessment about whether certain network traffic represents a threat," said Michael Jacobs, who served as information assurance director at the National Security Agency until his retirement in 2002. "It's a lot more complicated."
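To make the distinction Jacobs draws concrete, here is an added illustration in Python of the two detection styles side by side, plus the privacy property the article mentions (alerts that carry flow metadata but no communication content). It is not Einstein code or any government system's code; the flow records, signature identifiers and patterns, and the per-port byte-volume baseline are all constructed for this example.

```python
"""Signature-based vs. anomaly-based detection over constructed flow records.

Added illustration only: not Einstein code. Signature IDs, patterns and all
traffic below are hypothetical and constructed for the example.
"""
import math
import re
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int          # epoch seconds (constructed)
    src: str
    dst: str
    dport: int
    nbytes: int
    payload: bytes   # inspected for signatures, never copied into an alert


# Constructed signature set: ID -> byte pattern (hypothetical, not a real feed).
SIGNATURES = {
    "SIG-0001-http-cmd-injection": re.compile(rb"(?:;|\|\||&&)\s*(?:cat|wget|curl)\s"),
    "SIG-0002-beacon-uri": re.compile(rb"GET /[a-f0-9]{32}\.gif HTTP/1\.[01]"),
}


def signature_hits(flow):
    """Signature detection: return IDs of known-bad patterns found in the payload."""
    return [sid for sid, rx in SIGNATURES.items() if rx.search(flow.payload)]


def baseline(history):
    """Per-destination-port (mean, population stdev) of bytes from past flows."""
    by_port = {}
    for f in history:
        by_port.setdefault(f.dport, []).append(f.nbytes)
    return {p: (statistics.mean(v), statistics.pstdev(v)) for p, v in by_port.items()}


def anomaly_score(flow, base, sd_floor=1.0):
    """Anomaly detection: z-score of this flow's volume against the port baseline.

    A destination port never seen in the baseline is anomalous by definition.
    """
    if flow.dport not in base:
        return math.inf
    mean, sd = base[flow.dport]
    return (flow.nbytes - mean) / max(sd, sd_floor)


def make_alert(flow, reason, detail):
    """Build an alert from metadata only: the payload is deliberately omitted."""
    return {"ts": flow.ts, "src": flow.src, "dst": flow.dst, "dport": flow.dport,
            "bytes": flow.nbytes, "reason": reason, "detail": detail}


def analyze(history, live, z_threshold=3.0):
    """Run signature matching first, then anomaly scoring on the remainder."""
    base = baseline(history)
    alerts = []
    for f in live:
        hits = signature_hits(f)
        if hits:
            alerts.append(make_alert(f, "signature", hits))
            continue
        z = anomaly_score(f, base)
        if z >= z_threshold:
            detail = "unseen destination port" if math.isinf(z) else f"z={z:.1f}"
            alerts.append(make_alert(f, "anomaly", detail))
    return alerts


# Constructed history: normal-looking flows that define the baseline.
HISTORY = [Flow(1, "10.0.0.5", "203.0.113.1", 443, b, b"\x17\x03\x03..") for b in (1200, 1400, 1500, 1600, 1800)]
HISTORY += [Flow(2, "10.0.0.6", "203.0.113.2", 80, b, b"GET / HTTP/1.1") for b in (500, 700, 600)]

# Constructed live traffic: one signature hit, one volume outlier, one normal, one new port.
LIVE = [
    Flow(100, "198.51.100.9", "10.0.0.6", 80, 650, b"GET /index.php?x=;cat /etc/passwd HTTP/1.1"),
    Flow(101, "10.0.0.5", "203.0.113.7", 443, 900000, b"\x17\x03\x03.."),
    Flow(102, "10.0.0.5", "203.0.113.1", 443, 1450, b"\x17\x03\x03.."),
    Flow(103, "10.0.0.8", "203.0.113.9", 4444, 300, b"\x00\x01"),
]


def run_example():
    """Analyze the constructed live traffic against the constructed baseline."""
    return analyze(HISTORY, LIVE)


if __name__ == "__main__":
    for a in run_example():
        print(a)
```

The order matters: a signature hit is definitive and short-circuits scoring, while the anomaly branch only fires on volume well outside the port's baseline or on a port with no baseline at all, which is the "not already in the signature database" case Jacobs describes. Note that `make_alert` copies addresses, port, timestamp and byte count but never the payload, so an alert can be forwarded without disclosing the communication itself.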

Jacobs said it is noteworthy that the newly released information mentions "a multipronged approach for global supply chain risk management." According to the document, risks stemming from the domestic and global supply chain "must be managed in a strategic and comprehensive way over the entire life-cycle of products, systems and services," which will require greater awareness of the threats, vulnerabilities and consequences associated with acquisition decisions. Plans also must include development of tools to mitigate risk by retiring products, creation of new acquisition policies, and partnership with industry to establish and adopt supply chain and risk management best practices.

"The ability of the users to understand where this [product] they're relying on comes from, and infer the motivation of the originator of that [product], is extremely important," Jacobs said, noting that the origin of many products entering the supply chain, including those used to secure computer networks and systems, often is masked and marketing and sales are managed by a U.S. company, while code is written in another country.

"There have been too many examples where you acquire these products in good faith, only to find that there are anomalous features you can't explain, and neither can or will the vendor," he added. "There needs to be an assessment that defines the origins and ownership of the products, as well as the composition of boards of directors, so those in the business of acquiring products can make value judgments."

The risk of cyberattack against the nation's critical infrastructure, which largely is owned and operated by the private sector, is attracting the attention of the Obama administration. The declassified portion of the initiative notes plans to better define the federal role for improving cybersecurity efforts in those sectors, including transportation and energy, through short-term and long-term recommendations that increase resiliency and operational capabilities and encourage public-private information sharing about cyber threats and incidents.

"This is a good step toward building better credibility with the private sector," said Gregory Garcia, who served as assistant secretary of cybersecurity and telecommunications at DHS during the Bush administration and now runs his own information security consulting firm, Garcia Strategies. "The next step is to provide better, more timely and more actionable information [that can be used to] develop a truly national incident response capability. I know that is one of [Schmidt's] priorities."

Although security experts applauded the release of the information, some questioned why so many of the initiatives remain in preliminary stages.

"The public release version of the Comprehensive National Cybersecurity Initiative is welcome, [but] the initiatives are not new. Many of us were pushing them with the Clinton administration around the time of the first Critical Infrastructure Protection Commission" in 1997, said Tom Talleur, a forensic technologist who worked for 31 years as a federal criminal investigator with NASA and the Defense Department identifying the source of cyberthreats and tracking down hackers. "What's really alarming is that they are still in planning stages more than a decade later. These initiatives should have been well along by now."

The federal government will continue to struggle to meet the challenge of cybersecurity until the necessary funding is allocated to increase the workforce, Schmidt said. Among the programs he called underfunded and underutilized is Cyber Corps, which provides education and living expenses to college students studying cybersecurity, as well as internship opportunities with federal agencies to learn about computer security issues. The initiative includes among its priorities the expansion of cyber education through a national strategy, similar to the effort to upgrade science and mathematics education in the 1950s.
