It has been more than three years since President Bush signed the presidential directive to implement the Comprehensive National Cybersecurity Initiative (CNCI). While details of the plan remain classified, his successor, President Obama, released a summary of the CNCI that identifies 12 government initiatives intended to beef up cybersecurity for the US government, as well as promote public-private sector cybersecurity efforts.
The three main goals of the CNCI are: 1) to establish defenses against immediate threats by creating or enhancing shared situational awareness of network vulnerabilities, threats, and events and developing a capability to respond rapidly to shore up vulnerabilities and prevent network intrusions; 2) to enhance US counterintelligence capabilities and increase the security of the IT supply chain; and 3) to strengthen the future cybersecurity environment by expanding cyber education, research and development efforts, and strategies to deter hostile or malicious activity in cyberspace.
The Cyberspace Policy Review, undertaken by President Obama, endorsed the CNCI and recommended that an Executive Branch Cybersecurity Coordinator be named to work with federal, state, and local governments – as well as the private sector – to strengthen the nation’s cybersecurity posture. In 2009, Obama named Howard Schmidt, a former cybersecurity advisor to Bush, as his cybersecurity coordinator.
Infosecurity asked cybersecurity experts – including current and former federal government officials – and cybersecurity vendors to assess the progress being made under the CNCI three years
out.
A Move in the Right Direction
Hord Tipton, executive director of the non-profit IT security trade group (ISC)² and former chief information officer (CIO) of the US Department of the Interior, said that the US government has made “substantial progress” in establishing defenses against threats and responses to network intrusions, particularly with the development and deployment of the Einstein intrusion detection and prevention systems. “We were the second cabinet-level department to join in and take advantage of Einstein”, he shares. “We in Interior actually started Einstein at Level 1, and now it is at Level 3”, says Tipton, who was CIO at Interior from 2002 to 2007.
Einstein 1 and 2 focused on intrusion detection for US government networks, while Einstein 3, which is being deployed this year, is designed to automatically detect and disrupt malicious network activity.
| "Cyberspace is fundamentally a civilian space, and government has a role to help protect it, in partnership with responsible partners across the economy and across the globe" |
| Janet Napolitano, US Secretary of Homeland Security |
In addition, the federal government has made considerable progress in undertaking public-private partnerships in cybersecurity, Tipton observes. His group, (ISC)², is working closely with the federal government on the National Initiative for Cybersecurity Education (NICE) to promote cybersecurity education and develop standards for the cybersecurity workforce. The draft NICE plan was released in
August 2011.
Changing the Cybersecurity Game
Donna Dodson, chief of the National Institute of Standards and Technology’s (NIST) Computer Security Division, says that the US government has made progress in research and development aspects of the CNCI, which calls on the cybersecurity community to develop “leap-ahead” technologies.
Dodson notes that the government’s Cybersecurity and Information Assurance Interagency Working Group has identified a number of research areas that the US government is pursuing to “change the game in the cybersecurity space”. They include tailored trustworthy spaces, moving targets, and cyber economics.
Tailored trustworthy spaces provide flexible, adaptive, distributed trust environments that can support functional and policy requirements in cyberspace. Research into moving target technologies will enable the government to create, analyze, evaluate, and deploy cybersecurity mechanisms and strategies that continually shift and change over time. This, in turn, will increase the complexity and cost for attackers, limit the exposure of vulnerabilities and opportunities for attack, and increase system resiliency.
| "We in the government space have a need for strong identity credentials, but that needs to fit in with a broader national effort" |
| Donna Dodson, NIST |
Cyber economics focuses on providing incentives for cybersecurity to become ubiquitous; these incentives need to be based on sound metrics, processes that enable assured development, sensible and enforceable notions of liability and mature cost/risk analysis methods, Dodson believes.
Another research area that the US government has been pursing is its National Strategy for Trusted Identities in Cyberspace strategy. The strategy proposes a system for national online identity management that will allow people to use various authentication methods to verify their identity before carrying out transactions online.
“This will be a private sector-led effort with the public sector being a component of that, meaning that we in the government space have a need for strong identity credentials, but that needs to fit in with a broader national effort”, Dodson says.
Critical Infrastructure and Cyberwars
When it comes to critical infrastructure protection – an area identified in the CNCI as needing federal intervention – Larry Ponemon, founder and chairman of information security research group The Ponemon Institute, judges that the US government is not “making the grade”. He asks: “Are we really prepared for cyberwars that might include shutting down part of the electric grid or contaminating the water supply?”
One reason for the slow progress has been the feud between the Department of Defense (DoD) and the Department of Homeland Security (DHS) over who has responsibility for critical infrastructure protection.
The Pentagon’s US Cyber Command has recently sought to expand its authority into defending civilian critical infrastructure, which has put it into direct conflict with DHS. Gen. Keith Alexander, head of the Cyber Command, told a House panel in September 2010 that the White House was examining the legal authority needed for the command to take on this broader role in critical infrastructure protection.
In response, DHS Secretary Janet Napolitano stressed in a December speech that the nation’s cybersecurity effort to protect civilian critical infrastructure should be led by a civilian government agency, not by the military, or the private sector for that matter.
| "We have paid lip service to critical infrastructure protection for years, but no one has really tackled the problem" |
| Pat Clawson, Lumension |
“Now, there are some who say that cybersecurity should be left to the market”, the secretary remarked. “And there are some who characterize the internet as a battlefield on which we are fighting a war…. Not surprisingly, I take a different position. In my view, cyberspace is fundamentally a civilian space, and government has a role to help protect it, in partnership with responsible partners across the economy and across the globe.”
In calmer moments, both Alexander and Napolitano admit that protecting civilian critical infrastructure in the US needs to be a coordinated effort among DoD, DHS, and private industry. In fact, the two departments signed an agreement last year to expand their cybersecurity cooperation, including sharing personnel. The agreement involves deploying a DoD support team to DHS’ National Cybersecurity and Communications Integration Center – a cybersecurity watch and warning service for state and local governments – and a DHS support team to the DoD’s National Security Agency.
Another move that could take the Pentagon more into the private sector is the public-private Cyber 3.0 initiative announced by William Lynn, US Deputy Secretary of Defense, in a speech at this year’s RSA Conference.
“The threats we face in cyberspace target much more than military systems”, he told the audience. “Cyber intruders have probed many government networks, our electrical grid, and our financial systems. Secure military networks will mean little if the power grid goes down or the rest of the government stops functioning.”
Despite these recent government initiatives, Larry Ponemon stresses that public-private cooperation on cybersecurity needs improvement. “A lot of organizations don’t want to reveal their warts”, he contends. “They are afraid that if they are too public about what they are experiencing [in cyberspace], this is going to shed a negative light for investors and regulators. So they don’t tell others, even though that information could be really helpful.”
Pat Clawson, the chairman and chief executive of endpoint management and security firm Lumension, is also skeptical of the US government’s efforts in critical infrastructure protection.
“We have paid lip service to critical infrastructure protection for years, but no one has really tackled the problem. Most of that critical infrastructure is owned by private companies, not the public sector….The government doesn’t have the visibility into cyber defenses of our critical infrastructure because it has to reach into the private sector, and the private sector can’t legally share most of that stuff with the government”, Clawson notes.
‘Out of Sync’ with the Private Sector
Clawson believes that the US government is “totally out of sync with the private sector” on cybersecurity. As an example, he cites the US military, which has service-based IT fiefdoms. These fiefdoms lack coordination regarding their own network defenses and have little awareness of private sector infrastructure, even though an attack by a nation-state on that infrastructure could do a lot of economic damage. “We have a very disjointed approach about how we protect the critical infrastructure of the nation from a cyber perspective”, he says.
Many people in the US government have not been in the private sector and do not understand the obstacles that companies face in sharing of data on cybersecurity vulnerabilities and protection, says Clawson. “There needs to be an initiative to understand the legal barriers to sharing the data…critical to the defense of the nation”, he adds.
Jeff Hudson, chief executive of enterprise key and certificate management firm Venafi, has a more sanguine view of the federal government’s cybersecurity efforts.
“You have to follow the money”, he says bluntly. “Cybersecurity-related funding has not been cut. So this tells you where the priority is for the government….There is a realization and resources are being applied.”
The federal government is taking the initiative and reaching out to the private sector for help with cybersecurity, Hudson asserts. “We have talked to a lot of people in these [federal] departments and they say, ‘We have this problem and we’ve got to get it solved’”.
At the same time, there is a mismatch between the speed at which cyber threats appear, and the slow response of the federal government to these threats. “So you have a fast moving attacker, and a slow moving defender”, Hudson observes.
| "Secure military networks will mean little if the power grid goes down or the rest of the government stops functioning" |
| William Lynn, US Deputy Secretary of Defense |
In some cases, government cybersecurity leaders are circumventing the traditional procurement process to put technologies in place. “That is something new. I’ve never seen that before”, Hudson says.
In addition, Hudson warns about theft of US intellectual property through cyber attacks. “If you are going to build the next-generation fighter plane, and you are a nation-state that wants to do that, you can spend $50 billion and four or five years to develop that, or you can hire somebody to break into military contractor or US government systems and steal the intellectual property”, he continues.
There is “a lot of denial” about the scope of the threat on the part of the nation, Hudson believes. “I don’t think everyone gets what can really happen, and how everything is tied together. If certain things break, such as the supply chain, communications, or infrastructure, this can have a major impact. I don’t think everyone has woken up to this fact yet.”
Clawson agrees: “We are losing our intellectual property because our networks are being penetrated….Don’t we as a population deserve the right to benefit from all that ingenuity and innovation that happens here?”, he rhetorically asks.
The Lumension CEO is concerned that the economic slowdown has curbed investment in cybersecurity. He has seen estimates that the private sector is investing only 4% of its IT budget on security. Protection of data should be a high priority that should receive corporate boardroom attention, he stresses.
Hudson also cautions about cutting investment in cybersecurity. “The natural instinct is to cut everything” when the economy is going bad and budgets are tightening. “We need to be much smarter than that….There are things we have to fund because of the changing nature of the world”, he strongly asserts.
Tipton too is concerned about the impact of the economic slowdown and federal budget cuts on cybersecurity efforts. “The real test lies ahead, quite honestly, during the hard times that we have, with the economy and the federal budget”, he says. “We hope the government will stand up to the challenge and not backslide in the painful progress we have made. You can lose it in a heartbeat.”