Homeland Security Watch

News and analysis of critical issues in homeland security

November 14, 2008

DHS Cyber Security Plans, Progress, and Strategies for Success Subject of IBM Roundtable

Filed under: Cybersecurity — by Jonah Czerwinski on November 14, 2008

The new Administration will inherit a multi-billion dollar National Cyber Security Initiative with lead roles served by DHS and its component agencies, the Director of National Intelligence, and the Defense Department. In practice, all agencies will serve some role in reducing cyber-based threats. To address some of the governance and strategy issues in this context, the Center for the Study of the Presidency (CSP) and IBM’s Global Leadership Initiative today convene the next Homeland Security Roundtable on the topic of “DHS Cyber Security Plans, Progress, and Strategies for Success.”

Since 2001, CSP has convened senior leadership from the Executive Branch and leading minds from the policy community and private sector to address critical homeland security issues in an invitation-only, off-the-record setting. Today, I’ll facilitate this roundtable as I used to when I was at CSP as director of homeland security projects. A group of leading experts from the policy community and private sector will join me and our lead discussant, Mr. Andrew Cutts, director of cyber security policy at the Department of Homeland Security. Participants include:

• Steven Bucci, Cyber Lead, IBM Global Leadership Initiative, IBM Global Business Services, and former Deputy Assistant Secretary of Defense – Homeland Defense

• Frank Cilluffo, Associate Vice President for Homeland Security and Director, Homeland Security Policy Institute, The George Washington University, and Former Special Assistant to the President for Homeland Security

• P.J. Crowley, Senior Fellow and Director of Homeland Security at the Center for American Progress, and former Special Assistant to the President of the United States for National Security Affairs, serving as Senior Director of Public Affairs for the National Security Council, and former Principal Deputy Assistant Secretary of Defense

• Andrew Cutts, Director, Cyber Security Policy, U.S. Department of Homeland Security

• Jonah J. Czerwinski, Senior Fellow, Homeland Security, IBM Global Leadership Initiative, and Senior Adviser Homeland Security Projects, Center for the Study of the Presidency

• Bryna Dash, IBM Public Sector – DHS/NPPD

• W. Scott Gould, Partner and Vice President, IBM Global Business Services, Public Sector, and former Assistant Secretary of the Treasury, former Assistant Secretary of Commerce

• Job Henning, Director, Political and Legal Affairs, Project on National Security Reform and Senior Fellow, Center for the Study of the Presidency

• Henry H. Horton, Associate Partner leading the Information Assurance and Strategic Initiatives, IBM Global Services, Public Sector, and former Federal Special Agent in Charge of a strategic counter-espionage and counter-terrorism organization, Director of Security for an Independent Federal agency.

• Daniel B. Prieto, Partner and Vice President, IBM Global Business Services, Public Sector

Mr. Cutts will provide a substantive overview of where the DHS efforts currently stand, what remains as defined goals, and areas that should receive better focus. This session will be held at the unclassified level and is not for attribution. All comments are off the record and so, unfortunately, I will not be posting here about the roundtable.

October 9, 2008

HLSwatch Interviews Chertoff on DHS Cyber Initiatives

Filed under: Budgets and Spending, Cybersecurity — by Jonah Czerwinski on October 9, 2008

In a meeting yesterday that comes as DHS kicks off its first National Cyber Security Awareness Month, Secretary Chertoff responded to a range of questions from a group of invited homeland security bloggers. The discussion focused on the Department of Homeland Security’s cyber security initiatives.

I asked about governance issues, budget priorities, and the gradual shift from passive defense to “active defense” in the Department’s role in dealing with cyber threats to the .gov environment.

Chertoff explained that “from our standpoint in the next year, the $350 million in the FY 09 appropriations for DHS cyber programs is actually slightly more than we requested. And what we’re doing is we’re building the basic infrastructure.”

That basic infrastructure includes the following:

• Deploying Einstein 2.0

• Equipment, personnel (recruiting over 100 programmers and operators of Einstein.)

• Additional space, leasing various utilities.

• DHS monetary contribution to support of the Cyber Security Center, which is in the process of standing up.

In the future, Chertoff references DHS plans to “get our control over the .gov domain.” He explained that “every 45 days we are reducing by half and consolidating the number of Internet connections [to the Internet from the federal computer networks].” According to the Secretary, DHS plans to consolidate federal Internet connections “from what started at as a thousand and we hope will be in the neighborhood of a hundred or two.”

This will enable more effective deployment of the DHS cyber security program called Einstein 2.0, which is designed to obtain “real time detection warning,” Chertoff said. The intention here would be to provide characterization of cyber intrusions or other threats as they occur so that an immediate response can be executed to counter the attack in some way. It is unclear if DHS also is responsible for the countermeasures.

I asked about another program he mentioned in a separate discussion that he called Einstein 3.0, which would be shifting us even further down the spectrum from defense to offense.

Chertoff responded by saying that “we are taking our Einstein 1.0, which is our current detection tool, we are now upgrading it to Einstein 2.0 and testing it out, and we’re also in the process of looking at turning it from a passive detection to an active detection device, active meaning that we would have the ability to actually stop an attack as opposed to merely warn about an attack.”

Chertoff continued:

No, it’s still defense. It’s just a blocking capability. In other words, what 2.0 does is if I know malicious code is coming in, it enables me to give a real time warning. Someone described it the other day to me; it’s like a traffic cop sitting on the highway seeing people speed and he can immediately call in and say someone with license plate XYZ is speeding, and give warning down there.

3.0 would allow the traffic cop to make the arrest right on the spot.

It would be when you detected the attack, you would stop it cold.

I’ll update this post later today with more from the exchange. Other bloggers in attendance included Ben Bain with Federal Computer Week, Jeff Fox from ConsumerReports, Jena McNeill with the Heritage Foundation, Julian Sanchez from ArsTechnica, Jeff Stein from Congressional Quarterly, and John Solomon from In Case of Emergency Blog. Full transcript can be found here.

October 7, 2008

Chertoff Elaborates on DHS Cyber Posture

Filed under: Cybersecurity — by Jonah Czerwinski on October 7, 2008

DHS plans to go on the offensive in cyberspace. Secretary Chertoff told a group of reporters last week, including CNN, that following Einstein 2.0, which monitors and reports cyber intrusions in real time, we can expect a version 3.0 to act “like an anti-aircraft weapon, shoot down an attack before it hits its target,” Chertoff said. “And that’s what we call Einstein 3.0.”

The Bush administration introduced a National Cyber Security Initiative in January that is to be carried out by DHS, Defense, the Intel Community, and others. The role for DHS – and the extent to which it would lead any part of the Initiative – is the subject of some uncertainty. The “most immediate component” of the National Cyber Security Initiative for DHS, Chertoff said, is to increase security for federal government computer systems.

Tomorrow, Secretary Chertoff convenes a group of us from the blogosphere to discuss the DHS role in the National Cyber Security Initiative. I intend to ask about how the Department plans to deal with the implications of an offensive approach to cybersecurity, considered an escalation by some, for DHS. There is a wide spectrum of productive activity in cyber security between simply monitoring attacks and conducting the (counter)attacks. However, I’d like to know DHS is looking at this entire spectrum.

If you have questions on the topic of the National Cyber Security Initiative and the DHS role in it, please submit comments here.

September 17, 2008

A Rough Week for DHS Cyber Programs

Filed under: Cybersecurity — by Jonah Czerwinski on September 17, 2008

What a week for DHS cyber security efforts. Congressional hearings, think tank studies, and GAO reports all arguing that the Department is underpowered and disorganized in its effort to carry out its role as a lead in the National Cyber Security Initiative, a multi-billion dollar program to protect federal and private sector internet assets against attack and exploitation.

Not to leave anything ambiguous, GAO released three new studies this week:
• DHS Faces Challenges in Establishing a Comprehensive National Capability
• DHS Needs to Better Address Its Cybersecurity Responsibilities
• DHS Needs to Fully Address Lessons Learned from Its First Cyber Storm Exercise

The pointy end of the spear is US-CERT. The US-CERT’s mission is to:

• analyze and reduce cyber threats and vulnerabilities
• disseminate cyber threat warning information
• coordinate incident response activities

They have a way to go. A new GAO report finds that US-CERT “lacks a comprehensive baseline understanding of the nation’s critical information infrastructure operations, does not monitor all critical infrastructure information systems, does not consistently provide actionable and timely warnings, and lacks the capacity to assist in mitigation and recovery in the event of multiple, simultaneous incidents of national significance.”

DHS spokesperson Laura Keehner explained that “We are undertaking something not unlike the Manhattan Project.” “Billions of dollars are going into this effort. We’re the first to admit there is more work to be done….” Of course, US-CERT was founded five years ago. In the last year, more cooks have been added to the kitchen, too. The DHS CIO has a leadership role, the Under Secretary for National Protection and Programs has a leadership role, the director of the National Cyber Security Center has a leadership role, the Assistant Secretary of Cyber Security and Communications has a leadership role.

This may be what drove James Lewis of the Center for Strategic & International Studies to tell Congress in testimony yesterday during a hearing on cyber issues that the core problems “are the lack of a strategic focus, overlapping missions, poor coordination and collaboration, and diffuse responsibility.”

Lewis serves on the Commission on Cybersecurity for the 44th Presidency along with 30+ other leading lights in this area, including Pete Allor of IBM and Paul Kurtz of Good Harbor. They make a pretty straightforward recommendation: If this is to be a truly national cyber initiative, move it to the White House. Getting this effort bogged down in DHS, the intelligence community, and DOD risks hobbling the whole endeavor, which is far too important.

August 26, 2008

Cyber Splits Public & Private Sector

Filed under: Cybersecurity — by Jonah Czerwinski on August 26, 2008

Whatever happened to the public-private partnership? There may be a disconnect between what the private sector says is necessary to better secure cyber space and what the government is willing to do, according to a piece the LA Times runs today highlighting a rift between cyber experts among the private sector and the government, suggesting the latter is not taking the threat seriously.

Is this a symptom of Administration fatigue, wherein the political appointees assume they can’t make progress this late in the game so why try? Or is this a tough love approach wherein the Administration actually wants the private sector to secure its own dang databases?

Jerry Dixon, the previous director of the National Cyber Security Division at DHS is quoted as assessing that “Nothing is happening.” He believes that Washington needs to do much more to protect consumers, businesses, and the government from cyber attacks by criminals, state-based or rogue.

The report suggests two reasons for how we got here: First, the government embraces the notion that the private sector is better suited to deal with this problem. Second, because so many people are in charge of cyber, no one is.

Personifying the hands-off approach, the Director of the National Cyber Security Center (located at DHS) delivered a keynote address at this month’s Black Hat convention in Vegas. His remarks there discussed economic theory, why Abraham Lincoln was the nation’s “first wired president,” and that the financial industry and others needn’t spend more on cyber security than they already do.

The LA Times quotes from his speech, “Over time, the banking industry is pretty rational. So they’re probably doing a good job on investment.” He added that “private security spending in general was probably at about the right level.”

Apparently this was not the answer experts were seeking. The story describes how executives in attendance “grumbled that Lincoln had nothing to do with protecting their corporate networks.”

We’ve covered here the ways in which DHS needs to get its own house in order with respect to organizing for the cyber security mission. But the entire cyber landscape is by design a daunting complex of authorities and interests that fail to fit neatly into a box. DHS oversees protection of government networks. The FBI and Secret Service prosecute perpetrators of cyber crimes. The State Department is involved if a case crosses national boundaries. The role of the armed services is more complicated as described in this post about how to measure cyber attacks in comparison to armed attacks. Moreover, the Internet’s infrastructure is mainly owned and operated by the private sector.

Dixon makes a point that is at the heart of the problem: lack of leadership. The private sector will not spend on security that doesn’t have an obvious and immediate benefit to the bottom line without a coordinated rationale provided by the public sector because the government has no competitive dog in the fight. (It is one thing for Citi to suggest that all banks should beef up cyber security attribution capabilities and quite another for the government to do so.)

“The biggest thing we’ve noted is the lack of a guiding Net plan that includes privacy and infrastructure security,” Dixon said. “We need an overarching cyber doctrine that’s shepherded by the White House.”

August 21, 2008

Congress Amends HSA Again; This Time for DHS Cyber

Filed under: Congress and HLS, Cybersecurity, Organizational Issues — by Jonah Czerwinski on August 21, 2008

The House recently passed a bill introduced by Rep. Langevin to amend the Homeland Security Act of 2002 to grant the DHS Chief Information Officer (CIO) authority for the development, approval, implementation, integration, and oversight of certain DHS cyber security initiatives (e.g., “information management and information infrastructure”). The Homeland Security Network Defense and Accountability Act of 2008 authorizes the CIO to manage the policies, procedures, activities, funding, and systems relating to DHS networked information and infrastructure, and this surely bears on the Department’s role in the National Cyber Security Initiative.

Why the CIO? The GAO issued a report in June questioning DHS’s organization for addressing its cyber missions. There is CERT. There is an Assistant Secretary for Cyber Security and Communications and the director of the National Cyber Security Center at DHS. Of course, most of the component agencies of DHS also have their own CIOs.

The new bill directs the DHS CIO to establish and manage security control testing protocols to protect DHS’s and contractors’ information infrastructure against cyber-based attacks. It also tasks the DHS Inspector General with determining the effectiveness of the Department’s cyber security policies and controls. Moreover, the Secretary – through the CIO – has to determine that any contractors have their own cyber security policies and protections in place before entering into or renewing a covered contract.

That’s a lot on the CIO. The bill therefore sets forth a list of qualifications for the CIO. These quals include at least five years of executive leadership and management experience in IT and information security.

August 18, 2008

When is a Cyber Attack an Act of War?

Filed under: Cybersecurity, International HLS, Strategy — by Jonah Czerwinski on August 18, 2008

First, a sincere thank you to PJ Crowley, James Carafano, Clark Ervin, and Peter J. Brown for their contributions to HLSwatch during this past week. James’ piece on the cyber attacks conducted on Georgia during its confrontation with Russia over South Ossetia raised questions about not only who was to blame, but how Georgia should respond.

Both The Washington Post and The Wall Street Journal ran stories this past week about how cyber attacks on government and private sector entities of Georgia are invoking a debate about whether offensive measures in cyber space amount to acts of war. Because the cyber attacks occurred during the military offensive between Russia and Georgia, it begs the question about whether and how a government should respond to attacks on its cyber assets by way of the electromagnetic spectrum.

Finely-calibrated responses to attacks involving traditional kinetic methods have existed and evolved over the centuries. But measuring the appropriate response to a cyber attack is a unique challenge because information operations (IO) use digital weapons, new methods of attack, and novel targets.

Michael N. Schmitt, author of Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework, (1999), offers perhaps the most concrete way of answering the difficult question: “When does the attack rise to the level of a ‘use of force’ under international law?”

The Schmitt analysis applies a quantitative scale (1 to 10) to each of seven factors in order to determine if a cyber attack equates to an armed attack and to characterize any information operation as being closer to one end of a spectrum or the other. These seven factors are:
• Severity
• Immediacy
• Directness
• Invasiveness
• Measurability
• Presumptive Legitimacy
• Responsibility

This amounts to a modern adaptation of Just War Theory. One of the latter’s tenets is “always in response.” Let’s see whether that makes it into practice in the 21st century.

August 12, 2008

When Electrons Attack

Filed under: Cybersecurity — by James Carafano on August 12, 2008

~Guest Post~

Bombs and bullets are not the only thing flying around in the Russia-Georgian war that broke out over the weekend. According to a recent story in The Telegraph, the Georgian Ministry of Foreign Affairs claimed “[a] cyber warfare campaign by Russia is seriously disrupting many Georgian websites, including that of the Ministry of Foreign Affairs.” That is not the first time Russia has been accused of cyber warfare.

A widely publicized cyber assault against Estonia in 2007 increased suspicion that Russia is using online malicious activity as a tool of national policy. The assault disrupted public and private Estonian information networks with massive denial-of-service attacks. The Estonia attacks targeted the Web sites of banks, telecommunication companies, media outlets, and government agencies, eventually forcing the country to block all foreign Internet traffic. Many Web sites were shut down by denial-of-service attacks, in which the attacker uses thousands of hijacked computers to bombard a Web site with useless information until it is overloaded. Estonia’s defense minister described the attacks as “a national security situation…. It can effectively be compared to when your ports are shut to the sea.” The Estonia and Georgian attacks testify to the disruptive power of a coordinated cyber offensive.

Russia is not the only one. China uses “cyber-spying” as a matter of course – and America is one of their prime targets.

U.S. government information systems are attacked every day from sources within the country and around the world. Some of these intrusions have been extremely serious, compromising security and costing millions of dollars. Penetration of computer networks at the National Defense University proved so pervasive that the university was forced to take the entire computer network offline and install new information system defenses.

These attacks come from states, criminal networks, “hacktivists” (online political activists) and other malicious actors.

In addition, bad people exploit the freedom of the Internet – terrorists included. They go online to gather intelligence, raise money, share tradecraft in chat rooms, and coordinate propaganda messages.

The lesson for the United States is to take the challenge of cyber threats seriously. The initiatives that will likely best serve the United States and its international partners in the cyber conflicts of the 21st century are those derived from private sector experience, emerging military and intelligence capabilities for conducting information warfare, and law enforcement measures for combating cyber crime. The U.S. needs a national framework that builds on these capabilities, encouraging them to collaborate and reinforce one another. These initiatives should include:

• Adopting best practices. Both government agencies, such as the National Institute for Standards and Technology, and the private sector continue to develop best practices and lessons learned. These can be effective tools. Ensuring that these are refreshed and applied should be government’s first priority.

• Employing risk-based approaches. All information programs must include assessments of criticality, threat, and vulnerability as well as measures to efficiently and effectively reduce risks.

• Fostering teamwork. Cybersecurity is a national responsibility requiring international cooperation. The United States must maintain effective bilateral and multinational partnerships to combat cyber threats.

• Exploiting emergent private sector capabilities. These may come from many sources, such as small companies and foreign countries. The U.S. government must become a more agile consumer of cutting-edge commercial capabilities.

• Focusing on professional development. Most government information programs underperform because, due to inattentive senior leadership, they lack clear requirements and hold unrealistic projections of the resources required to implement those requirements. National security professionals must have familiarity with a number of diverse security-related disciplines and practice in interagency operations, working with different government agencies, the private sector, and international partners.

• Developing robust offensive capabilities to respond to cyber attacks and malicious acts by either state or non-state threats using the full range of military, intelligence, law enforcement, diplomatic, and economic means.

What is needed, however, is not massive reorganization, massive government bureaucracy, massive infusions of government cash, or massive intrusions into the marketplace and the lives of Americans. What is needed is long-term commitment and sound initiatives based on better and faster acquisition of commercial services; better and smarter management of military, intelligence, and information technology programs; and better and sustained professional development of federal, state, local, and private sector leaders.

James Jay Carafano, Ph.D., is Assistant Director, Kathryn and Shelby Cullom Davis Institute for International Studies and Senior Research Fellow, Douglas and Sarah Allison Center for Foreign Policy Studies at The Heritage Foundation in Washington, DC.

July 16, 2008

Obama Sets Top National Security Priorities

Filed under: Biosecurity, Cybersecurity, Radiological & Nuclear Threats, Strategy — by Jonah Czerwinski on July 16, 2008

Barack Obama today delivered remarks at Purdue University in which he laid out a set of national security priorities. He specifically identified “nuclear, biological, and cyber threats – three 21st century threats that have been neglected for the last eight years.”

He explains in the speech — in so many words — that by “neglected” he means underinvested in and deserving of greater priority. It can be said that when everything’s a priority, nothing is. But if you read the whole speech, Senator Obama makes the case that it’s wiser to focus on the ways in which we are vulnerable as opposed to focusing on the specific enemies. Sounds weird, but it makes sense to suggest that, while national security is broadly defined, we must focus on the threats that can be presented, regardless of the adversary.

For example, while it may be al Qaeda that seeks to use bio-terrorism, we need to focus on defeating that threat if it is employed by any enemy. Same goes for nucs and cyber. And since I’m still here at Maxwell AFB for the Air Force Cybersecurity Symposium, following are Obama’s proposals on addressing cyber threats:

Every American depends – directly or indirectly – on our system of information networks. They are increasingly the backbone of our economy and our infrastructure; our national security and our personal well-being. But it’s no secret that terrorists could use our computer networks to deal us a crippling blow. We know that cyber-espionage and common crime is already on the rise. And yet while countries like China have been quick to recognize this change, for the last eight years we have been dragging our feet.

As President, I’ll make cyber security the top priority that it should be in the 21st century. I’ll declare our cyber-infrastructure a strategic asset, and appoint a National Cyber Advisor who will report directly to me. We’ll coordinate efforts across the federal government, implement a truly national cyber-security policy, and tighten standards to secure information – from the networks that power the federal government, to the networks that you use in your personal lives.

To protect our national security, I’ll bring together government, industry, and academia to determine the best ways to guard the infrastructure that supports our power. Fortunately, right here at Purdue we have one of the country’s leading cyber programs. We need to prevent terrorists or spies from hacking into our national security networks. We need to build the capacity to identify, isolate, and respond to any cyber-attack. And we need to develop new standards for the cyber security that protects our most important infrastructure – from electrical grids to sewage systems; from air traffic control to our markets.

For a brief speech, this was about as much detail as we can expect from a candidate. However, the next president is going to have to delve into such challenges as how effectively to draw the line between monitoring, detecting, dissuading, deterring, and defeating cyber threats. And should we actually endure an attack, we’ve yet to carve out our conops for response, recovery, and retaliation. What does it mean to retaliate for a cyber attack that steals secrets? Or one that shuts down an electrical grid, leading to actual casualties? Or one that isolates our armed services from its chain of command?

Cyber security ought to be a presidential priority and it is positive to see Senator Obama call it out as a strategic concern. We’ll see if John McCain is focused on cyber should his campaign offer a counter-speech.

July 14, 2008

Cyber Security Symposium at Maxwell AFB

Filed under: Cybersecurity, Events — by Jonah Czerwinski on July 14, 2008

The Cyberspace Information Operations Study Center hosts its first symposium “Air Force Symposium 2008 – Cyberspace” at Maxwell AFB, Montgomery, AL, this week. Co-hosted by Headquarters 8th Air Force, Barksdale AFB, LA and U.S. Strategic Command, Offutt AFB, NE, the symposium is intended to engage military, industry and academic participants on a broad spectrum of topics affecting the cyberspace mission.

Participants include service members, business leaders, researchers, and academics who wish to participate in advancing the U.S. Air Force mission to “fly and fight” in cyberspace. Workshops focus on Doctrine and Concepts of Operations, Policy and Law, and USAF Cyber Support to National Security.

Sessions will address, among other things, defining cyberspace and working toward establishing the domain, control and use of cyberspace. Participants will also participate in discussions of international and domestic law related to cyberspace and analyze national security and other issues from both military and civilian perspectives.

Scheduled speakers at the symposium include Gen. Kevin P. Chilton, commander, U.S. Strategic Command; Maj. Gen. Charlie Dunlap, Air Force deputy judge advocate general; and Maj. Gen. William T. Lord, commander, Air Force Cyberspace Command.

I’ll be attending as much as I can of the Policy and Law track and Track Three on nat’l security, which involves workshops focused on the question of how “U.S. capabilities and activities in the Cyber Domain can and, if developed, should contribute to national security,” according to materials.

I had to confirm my clearance to attend the conference so my ability to blog from it is going to be rather limited. I’ll do my best to post here about unclassified information and other open developments.

June 18, 2008

A Future for Nuclear National Labs in Homeland Security?

Filed under: Cybersecurity, Organizational Issues, Technology for HLS — by Jonah Czerwinski on June 18, 2008

The Stimson Center’s Cooperative Nonproliferation Program (CNP) announced the launch of a new task force charged with leveraging national laboratory S&T for the 21st century security environment. Fran Townsend, President Bush’s former Homeland Security Advisor, and Lieutenant General Donald Kerrick, former Deputy National Security Advisor to President Clinton, will serve as co-chairs. The bipartisan group, composed of national security experts, scientists, and businesspeople, will convene for the first time on June 27th, 2008 in Washington, DC.

The Task Force is led by The Stimson Center’s Libby Turpen, with clear involvement of Ellen Laipson, who was vice-chair at the National Intelligence Council the first time I met her. She was appointed president and CEO at Stimson in 2002. Libby used to be on the Hill before she joined Stimson in 2001 to establish the Security for a New Century congressional study group.

I have the privilege of serving on this taskforce over the next several months. While the proceedings of this Task Force will be private until reporting out to sponsors at DOE and the Lounsbery Foundation, I’ll do my best to keep readers informed of the work. After our first meeting on the 27th, we’ll be heading out to Albuquerque, New Mexico, and Livermore, California, to visit with the people at Los Alamos National Lab, Lawrence Livermore, and Sandia.

The Department of Energy and the National Nuclear Security Administration’s (NNSA) ongoing transformation from a Cold War complex to a modern national security enterprise is faced with the distinct challenge of repurposing to some extent the overall mission and focus of the nuclear labs, namely Los Alamos, Sandia, and Lawrence Livermore.

The Task Force’s key objective is to develop a strategy to ensure retention of nuclear weapons related core competencies at the national labs while better leveraging their scientific and technological capabilities to serve a broader set of 21st-century national and homeland security needs. This initiative should create a comprehensive R&D strategy to serve this objective. One can anticipate a likely slate of issues to include cybersecurity, climate change modeling, and possibly energy security issues.

May 22, 2008

International Security and Business Communities Take on Cyber Threat

Filed under: Cybersecurity — by Jonah Czerwinski on May 22, 2008

Seven NATO nations signed documents last week formally establishing a Cooperative Cyber Defence (CCD) Centre of Excellence (CoE) in Tallinn, Estonia. The International Multilateral Partnership against Cyber-Terrorism (IMPACT) will convene at least 30 governments at its summit this week.

NATO’s new CoE will conduct research and training on cyber warfare and have a staff of 30, half of them from sponsoring countries Estonia, Germany, Italy, Latvia, Lithuania, Slovakia, and Spain.

The agreement to form NATO’s Cooperative Cyber Defence CoE comes a year after a major cyber attack on Estonian government and private sector institutions. NATO’s Defense Ministers called for the development of a NATO cyber defense policy at their October 2007 meeting. The policy was adopted earlier this year.

The policy includes a Cyber Defence Management Authority that will manage cyber defense across all NATO’s communication and information systems and could support individual allies in defending against cyber attacks in the event of an Article V (mutual defense) request.

On the other side of the world, a new public-private partnership will meet in Malaysia to bring together government leaders and industry to address global cyber security. The International Multilateral Partnership against Cyber-Terrorism (IMPACT) received about $30 million in funding from the government of Malaysia and is currently convening its multilateral summit with about 30 governments represented.

May 6, 2008

Senate Demands Details About New Cyber Initiative

Filed under: Cybersecurity — by Jonah Czerwinski on May 6, 2008

The Senate Homeland Security and Governmental Affairs Committee issued an eight-page letter to Secretary Chertoff demanding details about the Administration’s new Cyber Initiative. This follows the classified hearing the Committee held on March 4.

The Comprehensive National Cybersecurity Initiative (CNCI), formally established in January, is intended to strengthen the federal government’s ability to secure the electronic networks and databases of the federal government. According to the Committee, the March hearing included a threat assessment from DHS and the National Security Agency and a review of the interagency roles and responsibilities of the CNCI. The following witnesses testified:

• Robert D. Jamison, Under Secretary, National Protection and Programs Directorate at the Department of Homeland Security;
• Melissa A. Hathaway, Cyber Coordination Executive, Office of the Director of National Intelligence;
• G. Dennis Bartko, Special Assistant to the Director for Cyber at the National Security Agency; and
• Scott O’Neal, Section Chief, Cyber Division at the Federal Bureau of Investigation.

The Administration received $115 million for FY 2008 to fund the Cyber Initiative, and another $83 million is being requested for FY09. The Committee puts this into context by explaining the budget request as a three-fold increase over the course of one year.

Here’s where things get a little tense. Senators Lieberman and Collins, chair and ranking member of the Homeland Security and Governmental Affairs Committee, respectively, yesterday released a letter they sent to Secretary Chertoff asking for specific information about the CNCI, its dependence on contractors, and the potential lack of involvement by the private sector, which owns and/or operates the majority of the nation’s cyber infrastructure.

The letter seeks such basic details as the role of the National Cyber Security Center and the authority under which its director was named. In terms of metrics, the Committee would like to know how DHS will determine when the CNCI is succeeding and Einstein is measuring something tangible.

If I were a betting man, this looks like the beginning of another investigation from the GAO….

April 9, 2008

DHS Names New IT Chief

Filed under: Cybersecurity, DHS News, Technology for HLS — by Jonah Czerwinski on April 9, 2008

Richard Mangogna is the new DHS Chief Information Officer, according to a DHS press release. The announcement is noteworthy for its brevity.

Before we get into the investigation, DHS deck chairs move as follows: Mangogna succeeds Scott Charbo, who was appointed deputy undersecretary of National Protection and Programs. Since Charbo’s departure, Deputy CIO Charles Armstrong has served as acting CIO. Armstrong will support Mangogna’s on-boarding before moving over to become CIO for Customs and Border Protection.

Not a lot out there on Mr. Mangogna. He is identified in the official release as an independent consultant with the Mason Harriman Group. MHG doesn’t list any of its staff on its website. It characterizes its employees as consultants who “are 45 seasoned former C-Level executives from the Fortune 200.” Only generic contact information is available, but at least we can tell where MHG is located: Towaco, N.J.

The White House and DHS releases cite Mangogna as a former president and CEO of Covidea. You don’t know Covidea? The New York Times and Covidea announced a videotex service on September 16, 1986, with a product called New York Pulse. On December 6, 1988, Covidea closed its videotex services, Pronto and Business Banking. New York Pulse shut down the following year.

So what’s the new DHS CIO been up to for the last twenty-one years? The Administration only acknowledges that Mangogna worked as executive vice president and CIO at JP Morgan Chase and was the division head of Business Re-engineering Management at Chase Manhattan Bank. I found no evidence of the Business Re-engineering Management role. In its 1999 annual report, Chase Bank refers to him as Global Bank CIO.

It is unclear why more wasn’t said about his experience there. When Chase and JP Morgan merged in 2000, a massive systems and business integration project began. As CIO for the newly created company, Mangogna co-chaired the technology and operations steering committee that guided the integration of the technology that supported the operations of about 100,000 employees with systems across the country and on six continents, involving more than 90 data and processing centers, according to a 2001 piece in InfoWorld. You might say that’s a transferable skill set.

However, DHS is a larger undertaking. With over 200,000 employees operating in a different paradigm than pre-9/11 banking, DHS represents a challenge for anyone. USCIS alone is embarking on a major overhaul of its business processes and technology foundation under its $3.5 billion Transformation program. Perhaps more details about Mangogna’s resume will come out in the press. But since the CIO at DHS doesn’t need to be Senate confirmed, it won’t come easily.

Final note: When Chase Bank purchased a major new Sun Microsystems server for about $900K back in 1999 (that was big then), Mangogna justified the investment, explaining “IT performance is a competitive weapon in the global economy.” He might easily update that assessment to include the bigger picture that DHS is responsible for.

April 4, 2008

Chertoff: Cyber Initiative More of the Same, Just Better. And Classified.

Filed under: Cybersecurity — by Jonah Czerwinski on April 4, 2008

When HLSWatch asked DHS Secretary Chertoff during yesterday’s meeting about his intentions for the forthcoming Cyber Initiative, which will orchestrate a cross-agency, several-hundred-million-dollar effort to combat and defend against cyberterrorism, he laid out a three-part plan:

1. DHS applies a computer program called EINSTEIN
2. The US-CERT is up and running
3. Security patches to protect against cyber threats will be shared with the private sector

1. EINSTEIN is a computer program that detects attacks on federal computer networks and assembles data on how to defend against them. It’s been in place selectively for a few years, but now it’s mandatory.
2. US-CERT, the United States Computer Emergency Readiness Team, was established in 2003 to support DHS cooperation with “the public and private sectors” in defense against and responses to cyber attacks. Think of US-CERT as the enforcement guys who make sure that measures are taken to defend against cyber attacks. Apparently they have more authority under the Initiative.
3. Work with the private sector to share information about cyber threats has been underway since before 9/11 through the Information Sharing and Analysis Centers, each dedicated to a specific industry. (The Financial Services ISAC was formed in late 1999 and the IT-ISAC was established in late 2000).

The Chem ISAC and Oil&Gas ISACs came in 2001 and left in 2005.

So what’s new? It’s classified, actually. We’ll see what the transcript says, but it sounds like the article by Ellen Nakashima in the Post is as close as we’re going to get for now to shedding light on the Cyber Initiative.

March 19, 2008

Deterrence Makes a “Comeback.”

Filed under: Cybersecurity, Strategy — by Jonah Czerwinski on March 19, 2008

Eric Schmitt and Tom Shanker wrote in the New York Times about current government efforts to adapt deterrence — described in the article as a hold-over strategy of the Cold War — to the terrorist threat of today. Deterrence, the effect of dissuading an adversary from taking a certain approach, strategy, or measure at your expense, is a strategy as old as war itself. Even Sun Tzu explained over 2000 years ago that “The supreme act of war is to subdue the enemy without fighting.” And while the President and many other pundits said in the wake of 9/11 that terrorists could not be deterred, policy makers and practitioners have never set aside deterrence as a component of anti- and counter-terrorism programs.

The difference between Cold War deterrence, when threat of retaliation was the currency of dissuasion, and today is that terrorists are difficult to retaliate against if they die in the attack or go underground. (We’ll probably never again have the opportunity we had after 9/11 to rout them in a discrete geographic domain like Afghanistan.) Terrorists today respond instead to a fear of failure.

Policy options to pursue deterrence against terrorists are the subject of work done by the Council on Foreign Relations, RAND, and others, including the Nuclear Defense Steering Committee and the Nuclear Defense Working Group from 2004 to today. Schmitt and Shanker show how deterrence never really left the scene after the Cold War’s end, even at the local level. Paul Browne, the New York City Police Department’s chief spokesman, is quoted explaining how deterrence helped to prevent a 2003 attempted attack on the Brooklyn Bridge. Indeed, everyone from CENTCOM to SpecOps to the State Department invests in deterrence.

The article points out some of the more recent applications of deterrence in cyberspace. Cyberspace represents a unique challenge and opportunity. The ubiquity of anonymous social hubs throughout the net offers those seeking support, recruits, and sympathy for terrorist attacks an advantage only available in cyberspace: It is hard to capture or kill someone on the Internet. However, the cyber domain also offers us an advantage: We can track and observe the behavior of terrorist groups on the Internet without their knowing, and use the information we gain to disrupt and even deter them.

I had the opportunity to visit a nondescript office building outside of DC in 2005 where several floors were filled with government experts tracking and analyzing radical and fanatic traffic on the web. They had Arabic and Farsi translators, tech specialists, hackers, counter-terrorism experts, and cultural analysts observing targeting activity all over the Internet that represented likely threats or threatening groups and individuals. I asked why they didn’t just shut down the sites that clearly fostered anti-American or anti-Western sentiment, or those that flat out called for recruits to attack the U.S. They told me that it was better to know where these people were (a la Afghanistan) rather than run them underground only to pop up somewhere unknown (a la Waziristan) on the net. We use information gathered from activities like this to interrupt terrorist efforts through a number of means, including disinformation. Sowing doubt among terrorists and their supporters can be as effective in gaining a deterrent value as aiming nuclear weapons at a superpower.

In a sense, the cyber domain is the closest thing we have to what Afghanistan offered in the weeks and months that followed 9/11. It is the only place we can identify an active domain for us to target.

March 10, 2008

DHS Kicks Off Next Cyber Security Exercise

Filed under: Cybersecurity, Strategy — by Jonah Czerwinski on March 10, 2008

Tomorrow, the National Cybersecurity Division – part of DHS’s Office of Cyber Security and Communications – will hold its second large-scale national cyber exercise, Cyber Storm II. The exercise follows Cyber Storm I, held Feb. 6-10, 2006, the first government-led, full-scale exercise (FSE) on cyber security. These FSEs are intended to improve public and private sector interaction for enhanced decision making and information sharing, as well as better public communication techniques and stronger response and recovery capabilities.

The Cyber Storm II scenario will include coordinated cyber and physical attacks on critical infrastructure to simulate a political and economic agenda. Participants in the FSE include Federal, State, local, and international governments, as well as private sector entities from multiple critical infrastructure sectors. The adversary for Cyber Storm I was depicted in this rendering:

[Image: rendering of the Cyber Storm I adversary]

The National Cybersecurity Division (NCSD) is responsible for providing cyber security coordination and preparedness under Homeland Security Presidential Directive 7. The shorthand mission for NCSD is to coordinate the federal government’s “interaction with state and local government, the private sector and the international community concerning cyberspace vulnerability reduction efforts.”

I’d like to add one more goal for Cyber Storm II: Define cybersecurity once and for all.

In an article published by CSO Magazine, Rick Lawhorn, the former Chief Information Security Officer for GE Financial, identifies four different definitions of cyberterrorism or cybercrime that need to be reconciled:

State Department definition, Title 22 of the U.S. Code, Chapter 38, Section 2656f(d): premeditated, politically motivated violence perpetrated against noncombatant targets by subnational groups or clandestine agents, usually intended to influence an audience.

FBI definition: the unlawful use of force or violence against persons or property to intimidate or coerce a government, the civilian population, or any segment thereof, in furtherance of political or social objectives.

Defense Department definition: the calculated use, or threatened use, of force or violence against individuals or property to coerce or intimidate governments or societies, often to achieve political, religious, or ideological objectives.

United Nations definition: any act intended to cause death or serious bodily injury to a civilian, or to any other person not taking an active part in the hostilities in a situation of armed conflict, when the purpose of such act, by its nature or context, is to intimidate a population, or to compel a government or an international organization to do or to abstain from doing any act. (Article 2(b) of the International Convention for the Suppression of the Financing of Terrorism, May 5, 2004)

Lawhorn is right. The absence of a standard definition of the cyber threat hobbles efforts to track it, understand it, and identify the characteristics that comprise its profile. This same gap plagues efforts to combat overall terrorism. This is most apparent when we attempt to work with allies overseas, but the recent REAL ID showdown with Montana, South Carolina, and Maine is another example close to home. If cybersecurity is achieved by orchestrating federal, state, local, and international governments, as well as private sector entities from multiple critical infrastructure sectors, a baseline definition is an unavoidable first step.

UPDATE — DHS issued a press release this evening with a link to more information about Cyber Storm II.

February 22, 2008

DHS Cyber Projects in FY09

Filed under: Cybersecurity — by Jonah Czerwinski on February 22, 2008

DHS seeks FY09 funding for an array of projects tied to cyber security and the National Strategy to Secure Cyberspace. Many of them are concerned with simply assessing the threat. Some are focused on shoring up obvious vulnerabilities. And a whole lot of them are just plain classified. We’ll highlight a few here that are drawn from the Administration’s 3,754-page justification of their FY 2009 budget request recently submitted to the Congress.

The Information Infrastructure Security (IIS) Program is designed to identify new technologies to protect critical infrastructure. The IIS program, under DHS S&T, works with industry, government, and academia to secure the core functions of the Internet. This has both civilian and government benefits because the program is focused on functions used by everyone from a shopper on eBay to a network specialist at DHS. The IIS program uses economic assessment, risk analysis, and modeling to evaluate cyber security technologies through such projects as Secure Protocols, Process Control Systems, and Cyber Security Assessment.

In FY 2008, the S&T Directorate will award a contract for the Cyber Infrastructure and Emerging Threats Project. This uses a “distributed scenario-based exercise” to help the private sector – primary owner of critical infrastructure – respond to and manage cyber disruptions. This one has an impressive acronym, too: The Distributed Environment for Critical Infrastructure Decision-Making Exercises (DECIDE) project.

But to really understand just what it is we’re trying to protect, DHS is starting the Internet Route Monitoring Project. This project will identify critical internet infrastructure, mapping important internet hosts and routers by FY 2010. The maps to be developed under the Project are intended to help identify cyber threats and predict the cascading impacts of various scenarios.

February 11, 2008

SANS Issues Top 10 Cyber Threats for 2008

Filed under: Cybersecurity — by Jonah Czerwinski on February 11, 2008

Twelve cyber security experts identified and ranked the most damaging and likely attacks to be faced in cyberspace in 2008. Experts included Stephen Northcutt, Ed Skoudis, Marc Sachs, Johannes Ullrich, Tom Liston, Eric Cole, Eugene Schultz, Rohit Dhamankar, Amit Yoran, Howard Schmidt, Will Pelgrin, and Alan Paller.

1. Attacks That Exploit Browser Vulnerabilities and Trusted Web Sites
Attacks increasingly target browser components, such as Flash and QuickTime, because they are not automatically patched when a browser is enhanced with security upgrades. These experts predict more sophisticated attacks that cycle through multiple exploits or disguised threats that attack visitors of trusted websites that convey an assumption of privacy or security.

2. Attack of the Botnets
Deceptive emails with attention-grabbing subject lines that infect an opener with computer worms will use “peer-to-peer control” that corrupts the user’s computer instead of relying on a central controller. SANS cites the Storm Worm as an example of what’s to come, but with more veracity.

3. Cyber Espionage seeking large amounts of data using phishing techniques
Nation-state attacks on government systems will expand, seeking more targets and employing greater sophistication. Attackers are expected to exploit newly discovered vulnerabilities in Microsoft Office and techniques that dupe virus checking software.

4. iPhones and VOIP Beware
Since mobile phones are computers – and increasingly ubiquitous – worms, viruses, and other malware will target them. Vulnerabilities of VoIP phones are widely published on the Net, along with attack tools to exploit these vulnerabilities. The experts see these as a target of choice.

5. Insider Attacks
“Going Postal” may look more like a hacker attack in the new cyber era. Disgruntled employees with some tech savvy can attack their employers from the inside, but cyber warfare also enables them to attack from afar with their insider knowledge and legitimately granted access.

The remaining five of the Top 10 cyber security threats from the SANS Institute:

6. Advanced Identity Theft from Persistent Bots

7. Increasingly Malicious Spyware

8. Web Application Security Exploits

9. Increasingly Sophisticated Social Engineering Including Blending Phishing with VOIP and Event Phishing

10. Supply Chain Attacks Infecting Consumer Devices (USB Thumb Drives, GPS Systems, Photo Frames, etc.) Distributed by Trusted Organizations

January 15, 2008

DNI McConnell Sheds Light on Cyber Strategy in Interview with New Yorker

Filed under: Cybersecurity, Privacy and Security, Strategy — by Jonah Czerwinski on January 15, 2008

Additional public information about the developing cybersecurity policy can be found in an interview with DNI McConnell in the Jan 21, 2008, issue of The New Yorker. In it, interviewer Lawrence Wright describes McConnell’s path to prioritizing cybersecurity, the scale of the challenge to secure both government and private networks, and some of the unique characteristics of the plan that invoke privacy concerns. As noted in yesterday’s post, the President requested $436 million to fund cybersecurity initiatives likely to be driven by this strategy.

Highlights:
• In May 2007, at a meeting with the President and several cabinet members, McConnell asked for authority to wage information warfare against the tech savvy insurgents in Iraq. McConnell identified computer-network defense as an area in which the U.S. was under-invested. The President then charged McConnell to craft a security strategy, not only for government systems but also for American industry and private individuals.

• McConnell’s Cybersecurity Policy, which is still in draft, recommends reducing the access points between government computers and the Internet from two thousand to fifty.

• McConnell expresses concern about private sector defense. “The real question is what to do about industry,” McConnell is quoted as saying. He continues, “Ninety-five per cent of this is a private-sector problem.”

• McConnell suggests that the “real problem is the [cyber crime] perpetrator who doesn’t care about stealing [money] —he just wants to destroy.”

• Privacy protections are considered to be in conflict with enhanced security. A contributor to the strategy and long-time collaborator with McConnell says that the government needs the authority to examine the content of any e-mail, file transfer, or Web search.  Citing a maxim among the info-sec community, he concluded that “Privacy and security are a zero-sum game.”

• Aware of the difficulties in obtaining new powers for security measures, McConnell says that “FISA reform will be a walk in the park compared to this….”

January 14, 2008

Cybersecurity Plans Subject of Panel Discussion

Filed under: Cybersecurity, Events — by Jonah Czerwinski on January 14, 2008

Readers recall the November 8 post that cited a White House move to secure $436 million for cybersecurity initiatives. There’s been little news about the development since, but I’m hoping to glean more details on the 24th.

The president sent his request to Speaker Pelosi on November 6th explaining the requested budget change. It’s unclear if the new cyber initiative will reside wholly at the Department of Homeland Security, the intel community, or at DOD. Each has a stake, to be sure, but it depends on how cybersecurity is defined. Are we interested in securing the private sector-owned cyber infrastructure (DHS)? Will we emphasize the use of the internet as a source of secrets and detecting plots (IC)? Or are we protecting government assets and countering attacks on them (DOD)?

We may get some light shed on the subject when Jessica Herrera-Flanigan, Staff Director at the House Homeland Security Committee, and Andy Purdy, former Director of DHS’s National Cyber Security Division, speak over breakfast on January 24th as part of the “Cyberspace and Homeland Security: Vulnerability and Opportunity” event at Crowell & Moring, 1001 Pennsylvania Avenue, NW.

RSVP for the event with organizer Gordon Platt via gplatt@gothammediaventures.com

The event runs from 8 to 9:30 and is moderated by Scott Greiper, Managing Director of investment firm Legend Merchant Group, Inc. Gordon has two other panelists lined up: David Bodenheimer, a Partner at Crowell & Moring who focuses on government, and Jody Westby, the CEO of Global Cyber Risk.

I’ll be on travel, so I’ll rely on you all to tell me how it goes. Email me with input (jonah.hlswatch [at] gmail [dot] com).

November 8, 2007

New White House Cybersecurity Initiative Underway

Filed under: Cybersecurity — by Jonah Czerwinski on November 8, 2007

Cybersecurity just got a $154 million boost as part of a seven-year Presidential initiative that may reach into the billions of dollars according to a White House whisper yesterday.  It is hard to know why the Presidential peep about such a major undertaking didn’t warrant more of a podium.  I couldn’t even find a press release.

Siobhan Gorman at the Baltimore Sun, always plugged in to the intel community, was among the first to report on the non-announcement.  The president requested the funds in a letter to Speaker Pelosi.  Tracking threats in cyberspace on both government and private networks is what the White House promised to do in more than one national strategy document.  There is a National Cyber Security Division at DHS. (See HSPD-7, section 16 for more detail.)  The PATRIOT Act (love it or hate it) extends authorities to combat terrorist activities on the Internet.  Few would suggest that the job is done.  Yet, why the mere murmur?

Perhaps because there are so few details settled.  The initiative would be led by DHS with support from the National Security Agency, the Office of the Director of National  Intelligence, and other intelligence community members, including the FBI.  Another touchy aspect may be the financing of this effort.  According to Siobhan’s story and the OMB documents attached to the president’s letter, funds for the “Cyber Initiative” will be redirected from such things as the Coast Guard, Hurricane Katrina rebuilding, border security, the Inspector General’s office, and the Federal Emergency Management Agency.

Whoa.  I wouldn’t broadcast that either.  Cutting funds for the Coast Guard is unpopular everywhere.  I’m pretty sure the Lower Ninth hasn’t been rebuilt since the last time I was there after Katrina.  Just wait until Lou Dobbs hears about the border security.  The Inspector General?  He might actually need a boost.  And FEMA.  That may actually be warranted.  (I can hear reader WRC’s keyboard already.)

Update: Further funding details are in Jason Miller’s story at FCW.com, wherein he specifies that the president recommends using unobligated funds from a number of different DHS offices, including the chief information officer ($873,000), the Customs and Border Protection automation modernization project ($6.1 million) and the Science and Technology Directorate ($216,000). All such details can be read in this attachment.

October 31, 2007

New Cybersecurity Commission Formed to Advise Next POTUS

Filed under: Congress and HLS, Cybersecurity — by Jonah Czerwinski on October 31, 2007

Washington-based think tank CSIS is joined by Rep. Jim Langevin (D-R.I.), chairman of the Homeland Security Subcommittee on Emerging Threats, Cyber Security and Science and Technology, and Rep. Michael McCaul (R-Texas), the ranking Republican on the subcommittee, to launch a cybersecurity commission of top experts in the field charged with putting forth recommendations for the next U.S. president.

The 32-member commission plans to finish its work by the end of 2008. Co-chairmen of the commission are retired Admiral Bobby Inman, former director of the U.S. National Security Agency; Scott Charney, corporate vice president for trustworthy computing at Microsoft Corp.; Rep. Langevin and Rep. McCaul.

UPDATE:

IBM Plans Major Security Initiative
Thursday November 1, 6:29 am ET
By Brian Bergstein, AP Technology Writer

IBM Says It Will Spend $1.5 Billion on Computer Security-Related Products in 2008

BOSTON (AP) — IBM Corp. plans to announce Thursday that it will boost what it spends developing computer security products to $1.5 billion in 2008, reflecting an intensifying focus for the company.

IBM executives would not say how much they used to spend. But analyst Charles King of Pund-IT Research said he believes $1.5 billion would be twice what IBM traditionally spends on security research and product development each year.

The figure is separate from IBM’s spending on acquisitions that bring in new technology. In the past year IBM has bought several security companies, including Internet Security Systems Inc. for $1.3 billion and Watchfire Corp. for at least $100 million.

Now IBM says it is integrating technologies from its acquisitions with security software and services developed in house. It expects to offer broader security packages so customers can reduce the number of providers they hire to protect their data.

“We believe there’s a crisis in the marketplace right now,” said Val Rahmani, who heads IBM’s infrastructure management services.

Even with this sharper focus, IBM will encounter tough competition from security specialists and other information-technology vendors such as Hewlett-Packard Co. and EMC Corp., which have also been spending heavily to bolster their offerings.