Homeland Security Watch

News and analysis of critical issues in homeland security

July 1, 2009

DHS still has more satellite issues to address

Filed under: Cybersecurity, Preparedness and Response, Technology for HLS — by Philip J. Palin on July 1, 2009

 By Peter J. Brown

Besides its recent decision to terminate the National Applications Office (NAO), DHS/FEMA — along with NGA — has several other satellite-related issues that warrant immediate attention.

The first responders we were in touch with recently use satellite communications (satcom) equipment routinely in their assigned missions, and they want DHS to hear their concerns. It is clear that from the standpoint of satcom operations and training, improvements are in order. By the way, we were also in touch with an MIT-trained professional space systems engineer who served as an instructor for a satcom training course attended by a team of first responders as well.

First, DHS has no single point of contact which handles satcom questions for first responders. Or if one exists, it is not well known.

“Yes, I agree that a single point of contact at the Federal level for satcom questions would be of great benefit,” says one tech specialist who supports a rapid response team on the East Coast.

Second, while satcom appears to be a simple and straightforward solution, these first responders report that there are many issues that make satcom not as user-friendly as it could otherwise be.
 
- High recurring costs restrain or even prevent many first responders from utilizing the equipment.
- Satcom usage fees are increasing — with some service providers — while available bandwidth is being reduced in some instances.
- Teams need to be more highly trained, and more technically proficient in the use of satcom including troubleshooting when higher level satcom activities beyond simple remote Web access are underway. (“I would say that the grasp is getting firmer, but is not as firm as it should be,” says one first responder.) Radio over IP, Voice over IP and video streaming warrant further training.
- Only a finite pool of people tend to have a complete understanding of the entire scope of the communications network end-to-end.
- Many if not all federal agency and DoD satcom systems use firewalls that prohibit first responders from utilizing their systems.
- When NGA makes an effort to provide GIS data to first responders, more often than not, it only supplies low resolution, dated imagery. The ability to access real or near real time imagery is still a major challenge.

The good news is that a terrestrial alternative — Cellular 3G technology — has seen a notable improvement in availability and use over the past year or so.  This includes redundancy - dual carrier service options (AT&T / Sprint) or failover to one if the other is not available in an area. 

Our instructor recommends that response teams should meet with a representative for the service provider(s) to explain specifics of the network, troubleshooting options, etc. Besides providing specific technical resources for troubleshooting in the field, this could greatly assist the team to improve its set up.

By the way, DHS needs to be aware that occasional denials of service due to the high volume of traffic in the aftermath of an emergency are being reported. Perhaps DHS — and the FCC too — needs to sit down with first responders, disaster assistance teams and service providers to establish a WPS or GETS-type high-priority service channel / policy for satcom users.

One first responder reported that he could not get a special category designation, or a “Fair Use Policy” waiver on short notice to override limits on bandwidth usage. This is very restrictive and upsetting for emergency users in particular since a few minutes of video or a bundle of aerial image downloads can quickly exceed the contractual cap in question. Because unexpected service interruptions in the middle of operations can occur for reasons such as unannounced software upgrades too, our instructor thinks it may be useful to develop a guidebook that would walk a team through negotiating their service contracts to avoid similar pitfalls.

Otherwise, one first responder points out that DHS, FEMA and NGA also need to do a better job of addressing the satcom “culture gap” or what is simply the fact that in the field, federal agency employees and local first responders have completely different needs.

“We just need basic information in a one or two shift operation, and we need to have the complete response quickly in the first request cycle, and not after 3 requests have been made and 36 hours have passed,” says one first responder.
 
While first responders are well versed in IP and even IPv6, cybersecurity is not a top priority. In fact, our instructor reports that in one 6-hour session, “I don’t recall cybersecurity ever being brought up; rather, the team seemed mostly concerned about physical trailer security. In other words, they didn’t want people to enter their trailer and steal their equipment.”

DHS might find this observation troubling.

Finally, with this year’s “Amateur Radio Week” drawing to a close this past weekend, this satellite guy wants to salute all the members of the American Radio Relay League (ARRL) who contribute so much of their time as volunteer communications personnel in emergency situations large and small. These people ensure that vital ham radio services are available on short notice whenever needed. They are truly the finest kind of first responders.

Peter J. Brown is a frequent contributor to HLSWatch. For years, he has written about emergency communications, interoperability and the increasing use of satellite technology in the homeland security and disaster response sectors for several publications.

May 29, 2009

Long-Awaited Cybersecurity Announcement and FEMA visit

Filed under: Cybersecurity, Infrastructure Protection, Preparedness and Response, State and Local HLS — by Jessica Herrera-Flanigan on May 29, 2009

At 10:55 this morning, President Obama will announce the long-awaited plans  for dealing with cyber security in his White House.  A cyber czar, albeit at a level lower than desired (special assistant), will be supported by a new cyber directorate within the National Security Council.  That person will also report to the National Economic Council. Expect the announcement will be broad in scope and discuss goals for dealing with the global threat of cyber security, as well as address such issues as a public awareness campaign for the challenges of cyber security and the need for a strengthened technology workforce in the U.S.

The 60 day review (that ended approx 30 days ago), led by Melissa Hathaway, is the fourth attempt in the last 12 or so years to address cyber security. In late 1996, President Clinton created the Presidential Commission for Critical Infrastructure Protection (PCCIP) that issued a report on its findings in 1997. That effort led to the 1998 Presidential Directive-63, the emergence of ISACs, and the creation of the National Infrastructure Protection Center (NIPC) at the FBI and the Critical Infrastructure Assurance Office (CIAO) at the Department of Commerce, among other organizations at various agencies. Those two are worth noting as we continue, a decade later, to see a tension, as evidenced by the dual NEC and NSC reporting announcement expected today, between law enforcement/security and economic/commerce interests in cyber security. Interestingly enough, the term “cyber czar” originated during that time - Dick Clarke in the White House.

In 2003, President Bush released the Clarke-led National Strategy to Secure Cyberspace which provided recommendations for “government-industry” cooperation.   Soon thereafter Clarke left the government. The strategy laid a framework for how the federal government would try to address cyber issues and promoted public-private partnerships.  DHS’ leadership on the issue was laid out about this time with the merger of most of the major cyber functions (NIPC, CIAO, FedCert, etc) into a new National Cyber Security Division. These efforts led to the creation of sector coordinating councils and the National Infrastructure Protection Plan (NIPP).   There was wide-spread criticism that the Director of the NCSD was buried too far into DHS and the nation needed a WH czar. Congress responded by creating an Assistant Secretary position at DHS.

Round three happened in 2008. President Bush initiated the Comprehensive National Cyber Security Initiative. The CNCI, officially established in January 2008 (though rumored as early as Sept 2007) by National Security Presidential Directive 54/Homeland Security Presidential Directive 23, was a multi-agency, multi-year plan laying out twelve steps to securing the federal government’s cyber security networks. DHS would have the lead (mostly) on civilian systems while DoD would take the lead on .mil systems. The role of NSA and the DNI was questioned, though hard for most to pin down given the classified nature of the program. By this point, the White House had a Special Assistant to the President and Senior Director for Cybersecurity and Information Sharing Policy, Neill Sciarrone, and a multi-agency task force headed by Melissa Hathaway leading the CNCI efforts. DHS, meanwhile, also created a Deputy Undersecretary for cyber at the National Protection and Programs Directorate - a role fulfilled by Scott Charbo in the Bush Administration and by Phil Reitinger in the Obama Administration. Silicon Valley guru Rod Beckstrom was brought in as the First Director of the National Cyber Security Center. He left several months ago, claiming that the NSA and intelligence agencies were taking too much of a leading role in the cyber efforts.

That leads us to today’s announcement in a few hours.  While in a condensed timeframe, there is much history in the nation’s cyber security efforts. Today’s efforts will set a framework - even if broadly- for how we are going to tackle round four.  The real question will be whether we can advance our efforts or will we be repeating this exercise in a few years.  Stay tuned for a more in-depth analysis of the cyber security analysis this afternoon.

Also worth noting - after the cyber announcement,  the President will attend a hurricane preparedness meeting at FEMA headquarters.  Hurricane season is only a weekend away so FEMA’s preparedness efforts and posture are critical.

May 10, 2009

Cybersecurity: community organizing needed more than command and control

Filed under: Cybersecurity — by Philip J. Palin on May 10, 2009

The sixty day cybersecurity review is past due.  Melissa Hathaway made her deadline.  But the document has been vetted, parsed, and edited… you know the drill. Someone, who claims to know, tells me the draft was finalized Saturday. (UPDATE: Not according to the Washington Post.)

A few days ago Mark Armbinder played prophet regarding the Hathaway report, “It does appear that the governing authority for cyber security will rest within the White House, that the Department of Homeland Security will be tasked with creating, from the existing National Cyber Security Center, a large operational entity, and that NSA will play a significant support role. Various cyber security elements from across the government, with the notable exception of the Department of Defense, will be pulled into this new entity.”
 
Armbinder continues, “If this assemblage — a new White House chief overseeing patched-together government agencies not directly under his or her control — sounds familiar, it’s because it reminds many in the national security community of the process through which the Office of the Director of National Intelligence was created…” Just in case the implications of this prior experience are less than clear, Armbinder is explicit, “So — the fears, to put them more concretely, are: Congress will never give the cyber security person the authority she or he will need, won’t fund the agency properly, and various other government entities, like DoD’s cyber command and NSA, not to mention the various cyber security elements of Commerce, OSTP, etc. - will not play along. And since time is of the essence, the Defense Department (and the NSA) will simply assume much of the responsibility over time because they’re funded and equipped to handle it.”
 
The “it” in that last sentence is worth a pause.  Evidently “it” does not  include military CIKR (critical infrastructure and key resources). DOD is proceeding to strengthen its own capabilities. The head of the NSA, and likely pick for a new DOD cyber-command, says he’s ready to help secure the rest of the government.  There is certainly plenty to do just in the federal sector.  See a May 5 GAO report  for the details.
 
But what about the private sector?
 
Even if the US military could be 100 percent cyber-secure — even if the entire federal enterprise was cyber-secure — the nation would remain vulnerable to catastrophic impacts on  private networks. Fundamental aspects of national capacity held primarily by the private sector include telecommunications, the financial system, power grid, and a wide array of  SCADA (supervisory control and data acquisition) tools across industry.
 
The cybersecurity review has prompted posturing and concern over who and what will be in charge. “Who’s in charge?” is often an entirely appropriate question.  In terms of private sector cybersecurity, it is an absurd question. No one will be in charge.
 
To deal realistically with private sector cybersecurity we ought to stop asking who’s in charge (or maneuvering to be in charge) and begin networking, exploring, listening, proposing, and experimenting. The White House — and the nation — would be well-served to stop reading from the Commander-in-Chief playbook and, instead, apply the Obama campaign playbook.
 
The campaign was well-led, well-managed, and carefully organized.  It also self-consciously depended on empowering free agents to act in a voluntarily coordinated way.  It achieved this objective through clear  communication, integration/acceleration of communications through technology, and listening.

The Obama campaign weaponized listening. Asking thoughtful questions, feeding back what was heard, and then shaping, amplifying, and organizing around what was being said, moved a very unlikely first term Senator into the White House.

This is the kind of campaign that private sector cybersecurity will need (and if Armbinder is right, maybe federal sector cybersecurity as well).

The Iowa caucus equivalent for a cybersecurity campaign could be a proposal being pushed by Business Executives for National Security. For several months BENS and others have been circulating a proposal for a new sort of public-private “co-laboratory” (my word, not theirs). Several leading private sector organizations – each heavily dependent on cyber capabilities – are ready to join-up.

But  private sector leaders are waiting for a signal that the Commander-in-Chief has told his troops to listen rather than insist on leading.  The private sector leaders are waiting for the Community-Organizer-in-Chief to remind his colleagues how listening — and even following — has been key to their success.
 
Both General Jones and Melissa Hathaway have met with the coalition behind  the proposal.  We will soon see if they read the memo on listening. If not, it may be time to reopen Camp Obama.

April 22, 2009

Quantity and quality of cybercrimes increasing

Filed under: Cybersecurity — by Philip J. Palin on April 22, 2009

“Thousands of confidential files on the U.S. military’s most technologically advanced fighter aircraft have been compromised by unknown computer hackers over the past two years,” the Wall Street Journal, CNN and others are reporting. (It’s not so bad, according to other reports.)

The news story comes as the White House is putting the final touches to its cybersecurity review.  This morning the WSJ reports that, “Defense Secretary Robert Gates plans to announce the creation of a new military ‘cyber command’ after the rollout of the White House review… The cyber command is likely to be led by a military official of four-star rank, according to officials familiar with the proposal. It would, at least initially, be part of the Pentagon’s Strategic Command, which is currently responsible for computer-network security and other missions.”

While “official” hackers may be at the top of the suspect list for penetrating the Joint Strike Fighter, the capability of private cybercriminals is on the rise. “The world’s largest-ever malware network has been uncovered, affecting 1.9 million corporate, government and consumer computers,” according to the security firm Finjan and several news reports (TGDaily, BBC, and others).

According to Spamfighter.com, “New research (finds that) direct attacks on the financial institutions coupled with organized crime has resulted in the increasing number of online records being hacked in 2008, which aggregated more than the cumulative figures of 2004-2007.”

In his Tuesday keynote, Art Coviello, President of RSA, focused on cybercriminals, “Our adversaries operate as a true ecosystem that thrives through interdependence and constantly adapts to ensure its growth and survival.”

“Mr Coviello said that meant it was time for the security industry to come together to defeat the criminal element at large,” according to the BBC.

“We must evolve from acting independently to solve discrete information security problems to acting collaboratively to create a common development process.”

April 18, 2009

Cyber-security short-stories

Filed under: Cybersecurity — by Philip J. Palin on April 18, 2009

The cyber-security review ordered by President Obama has been completed.  There is considerable speculation about who and/or what will emerge as the alpha-dog going forward.  The National Security Agency is thought by many to have the competence.  But last week’s admission of continuing problems at NSA with unauthorized intercepts undercuts that agency’s claim to leadership.  Proposed legislation would create a so-called cyber-czar in the White House.  Other aspects of the legislation — including a possible ability to “shut-down” the Internet – are beginning to attract critical attention from the technorati.

April 13, 2009

Sylvester still harassing Tweety bird

Filed under: Cybersecurity, Humor — by Philip J. Palin on April 13, 2009

Twitter — the messaging service with which users send each other “tweets” — was hit by a series of worm attacks over the weekend and early today.  According to a story in Computerworld, “Twitter again emphasized that while the worm attacks have been a nuisance, they haven’t stolen any user account information.”  But sounds like  it was a long weekend worthy of Looney Tunes. (Apologies to Bob Clampett and Warner Brothers)

UPDATE: According to the BBC, “Twitter has been given the all clear after a worm infected ‘tens of thousands of users’. But experts say the attack could have been much worse.”

April 9, 2009

Be our guests: terrorist websites hosted in US

Filed under: Cybersecurity, Terrorist Threats & Attacks — by Philip J. Palin on April 9, 2009

US web companies are popular hosts for terrorist Internet sites and operations. According to this morning’s Washington Post, “Intelligence officials and private experts cite dozens of instances in which Islamist militants sought out U.S. Internet firms — known for their reliable service and easy terms that allow virtual anonymity — and used them to incite attacks on Americans.”

Eben Kaplan of the Council on Foreign Relations has authored a helpful backgrounder on Terrorists and the Internet.

April 8, 2009

Beware of geeks bearing gifts

Filed under: Cybersecurity — by Philip J. Palin on April 8, 2009

This morning’s Wall Street Journal reports, “Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials. The spies came from China, Russia and other countries, these officials said, and were believed to be on a mission to navigate the U.S. electrical system and its controls. The intruders haven’t sought to damage the power grid or other key infrastructure, but officials warned they could try during a crisis or war.”

UPDATE: Chinese deny intruding into US electrical grid and some experts claim it doesn’t matter much anyway.

March 29, 2009

Cyber Spy Network Found

Filed under: Cybersecurity, General Homeland Security — by Philip J. Palin on March 29, 2009

The Munk Centre for International Studies at the University of Toronto has found evidence of a coordinated cyber-espionage effort that has infiltrated at least 1295 computers in 103 countries. The report, released on Sunday afternoon, alleges official Chinese involvement. The report was the subject of a front page story in the Sunday New York Times.

The finding tends to confirm observations regarding information and cyber warfare capabilities included in the recent DOD study on China’s military power.

Last week the White House gave lawmakers an update on the sixty day review of cybersecurity currently underway.

UPDATE: The Chinese government denies cyber-espionage charges, says China Daily.

March 25, 2009

Cyber controversy craves context

Filed under: Cybersecurity, General Homeland Security — by Philip J. Palin on March 25, 2009

Shortly after 9:00 (eastern) this morning Stephanie Condon filed a great piece with CNET.  The news lead is Senator Susan Collins’ letter to DHS requesting the sun and the moon (and all dark matter in between) in terms of cyber-security documentation.  It is some of the continuing fall-out from Rod Beckstrom’s dramatic resignation.  But Ms. Condon’s reporting goes well beyond the immediate controversy and provides political and policy context.  Read it on the CNET website.

March 13, 2009

Cyber: Seven days in March

Filed under: Cybersecurity, General Homeland Security — by Philip J. Palin on March 13, 2009

One week ago Rod Beckstrom resigned as Director of the National Cybersecurity Center protesting what he claimed is NSA heavy-handedness in cybersecurity strategy and operations.  Monday Beckstrom explained to  Forbes that there is a fundamental mis-match between NSA’s mission focus and what is needed to prevent and mitigate cyber threats. “In intelligence environments like the NSA, you seek out and gather information, and then you classify it,” Beckstrom told the magazine. “It’s the opposite of collaboration.”

Beckstrom’s resignation letter was sent about the same time that  the HLSwatch host was suffering a denial of service attack that kept us from making updates for about 12 hours and kept comments offline for three days.  Our tech guy blames NSA too.

Some claim DHS doesn’t have the competence (or clout) to do cybersecurity anyway. On Tuesday Amit Yoran, a predecessor of Beckstrom’s told a House panel that the department, “has repeatedly failed to either attract or retain the leadership and technical acumen required to successfully lead in the cybermission space.”  Was that a self-slam?

The GAO seemed to agree with Yoran and I will eventually link you to the report released Tuesday entitled National Cybersecurity Strategy: Key Improvements Needed. But early this Friday morning several GAO links are dead. The GAO list of “most recent” reports and testimony starts in August 2008 and goes back in time. Was someone hacked last night? (Saturday update: The GAO website has been restored to its typical orderly self. Read more on the House hearing in a Computerworld story.)

Since DHS can’t and NSA shouldn’t, one witness told the House Homeland Security Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology that the White House needs to take a stronger role in cybersecurity. “If I have access to the president and control over budgets, I will get agencies to do whatever I want,” said Jim Lewis, director of the technology and public policy program at the Center for Strategic and International Studies. “We have to put that [authority] at the White House.” (More from nextgov.) Yeah. Besides there’s nothing else claiming the West Wing’s attention.

On Wednesday at 1:58PM Eastern I received a DHS email announcing that Phil Reitinger was being named  Director of the National Cybersecurity Center (Beckstrom’s job).  Oops.  Fifteen minutes later the correction arrived. Reitinger is being named Deputy Undersecretary in the National Protections Program Directorate (NPPD).  “In this role, Reitinger will be charged with protecting the U.S. government’s computing systems from domestic and foreign threats.”

Damn send buttons.  But the error probably tells us what the Department’s media team was really thinking about and trying to deal with.

Yesterday my Email server was almost taken down by a tsunami of forwards all with copies of the new CRS report entitled, Comprehensive National Cybersecurity Initiative: Legal Authorities and Policy Considerations.  The Federation of American Scientists’ Secrecy Project distributed this study of the classified CNCI program. 

Last year that bastion of leftist succor for our enemies, the Senate Armed Services Committee, complained that super-secret treatment of the CNCI, “…preclude(s) public education, awareness, and debate about the policy and legal issues, real or imagined, that the initiative poses in the areas of privacy and civil liberties. Without such debate and awareness in such important and sensitive areas, it is likely that the initiative will make slow or modest progress.”

Last night and this morning we are all reading about Vivek Kundra’s troubles as White House CIO.  Free-lance snooping by some of Kundra’s  former subordinates is alleged and there is no suggestion that Kundra is implicated. But for too many Obama appointments the send button seems to be stuck.  Good tech support is so hard to find.

Well… it is Friday the 13th for the second time in two months.

January 23, 2009

Napolitano to review Cyber, Northern Border Efforts

Filed under: Border Security, Cybersecurity — by Jonah Czerwinski on January 23, 2009

Secretary Napolitano today requested a comprehensive review of DHS efforts as they pertain to cyber security and our northern border strategy. These are two more aspects of what appears to be a net assessment of existing strategy and investments, and a determination of the delta between what those efforts deliver and what we need to succeed. Earlier this week, she issued five “Action Directives” seeking reviews of other DHS operations and plans.

For cyber, the Secretary poses the following questions, to be answered in an oral report by Feb. 3 and a final report due Feb. 17:

• What are the authorities and responsibilities of DHS for the protection of the government and private sector domains?

• What are the relationships with other government agencies, especially the departments of Defense, Treasury, and Energy, and the National Security Agency?

• What are the programs and timeframes to achieve the department’s responsibilities and objectives?

Concerning the “Northern Border Strategy,” the Secretary has requested that a review respond to the following questions with an oral report by Feb. 10 and a final report due Feb. 17:

• What are the current vulnerabilities?

• What is the overall strategy for reducing those vulnerabilities?

• What are the requirements, the programs, the budget, and the timeframe for improving security along this border?

• What level of risk will remain once the programs are completed?

The final question is a critically important one. However, assessing risk remains one of the challenges for the homeland security mission. The second of the so-far seven directives issued by the Secretary actually deals with risk analysis. By January 28, she wants to know the status of risk analysis metrics and how DHS “can enhance risk management as the basis of decision making.” Look for budget priorities to follow this review.

December 19, 2008

Obama Pick for Cyber Czar Comes Into Focus

Filed under: Cybersecurity — by Jonah Czerwinski on December 19, 2008

Forbes runs a story today identifying likely picks for the new position of National Cyber Adviser, which then-candidate Obama announced he would appoint to reflect his intention to “make cyber security the top priority that it should be in the 21st century.” The new National Cyber Adviser, or NCA, would likely take over some leadership role for the National Cyber Security Initiative (NCSI), which DHS currently leads with support from the DNI and DOD.

The “cyber czar” post may go to Paul Kurtz, a partner with Good Harbor Consulting who joined Obama on the dais during the latter’s speech on cybersecurity at Purdue University. Paul served as senior director for the White House Office of Cyberspace Security and was special assistant to the President and senior director for critical infrastructure protection on the HSC, where he was responsible for both physical and cyber security. He has since also founded the Cyber Security Industry Alliance. Kurtz served on the CSIS Commission on Cybersecurity for the 44th Presidency, which advocated shifting the center of gravity for the NCSI to the White House. Today, Kurtz works on the Presidential Transition Team.

But Kurtz may decline. According to Forbes, he has told friends that he’s “reluctant to accept” the new appointment. Others in the running include Gen. Charles Croom, the recently retired head of the Defense Information Systems Agency, and now a cybersecurity executive at Lockheed Martin. Croom also served as Commander of DOD’s Joint Task Force - Global Network Operations.

In that role, Croom sought “to accelerate the adoption of a net-centric culture in the Department, make information a force-multiplier, aggressively defend the network, facilitate warfighter connection to all information including intelligence information, achieve agility with non DoD partners, and invest in information technology prudently.”

Much of this experience is important to implementing an NCSI, but to be national requires an artful and effective engagement of a very broad set of stakeholders the defense community doesn’t really have to enfranchise in its normal daily business. For example, the private sector is a central player in this effort. Just how much DISA dealt with the commercial sector – beyond the defense contractors – is unclear.

And in the other corner…. Forbes even suggests that Rod Beckstrom is under consideration. Rod is the current head of the DHS National Cyber Security Center, which he took over less than a year ago. Rod is a successful Silicon Valley visionary who is best known for the book he co-authored on centralized and decentralized leadership networks and behavior called The Starfish and the Spider. When he joined DHS, he had little if any experience with cyber security. Since then, it’s hard to point to singular successes since much of that entity’s work is classified.

November 14, 2008

DHS Cyber Security Plans, Progress, and Strategies for Success Subject of IBM Roundtable

Filed under: Cybersecurity — by Jonah Czerwinski on November 14, 2008

The new Administration will inherit a multi-billion dollar National Cyber Security Initiative with lead roles served by DHS and its component agencies, the Director of National Intelligence, and the Defense Department. In practice, all agencies will serve some role in reducing cyber-based threats. To address some of the governance and strategy issues in this context, the Center for the Study of the Presidency (CSP) and IBM’s Global Leadership Initiative today convene the next Homeland Security Roundtable on the topic of “DHS Cyber Security Plans, Progress, and Strategies for Success.”

Since 2001, CSP has convened senior leadership from the Executive Branch and leading minds from the policy community and private sector to address critical homeland security issues in an invitation-only, off-the-record setting. Today, I’ll facilitate this roundtable as I used to when I was at CSP as director of homeland security projects. A group of leading experts from the policy community and private sector will join me and our lead discussant, Mr. Andrew Cutts, director of cyber security policy at the Department of Homeland Security. Participants include:

• Steven Bucci, Cyber Lead, IBM Global Leadership Initiative, IBM Global Business Services, and former Deputy Assistant Secretary of Defense – Homeland Defense

• Frank Cilluffo, Associate Vice President for Homeland Security and Director, Homeland Security Policy Institute, The George Washington University, and Former Special Assistant to the President for Homeland Security

• P.J. Crowley, Senior Fellow and Director of Homeland Security at the Center for American Progress, and former Special Assistant to the President of the United States for National Security Affairs, serving as Senior Director of Public Affairs for the National Security Council, and former Principal Deputy Assistant Secretary of Defense

• Andrew Cutts, Director, Cyber Security Policy, U.S. Department of Homeland Security

• Jonah J. Czerwinski, Senior Fellow, Homeland Security, IBM Global Leadership Initiative, and Senior Adviser Homeland Security Projects, Center for the Study of the Presidency

• Bryna Dash, IBM Public Sector – DHS/NPPD

• W. Scott Gould, Partner and Vice President, IBM Global Business Services, Public Sector, and former Assistant Secretary of the Treasury, former Assistant Secretary of Commerce

• Job Henning, Director, Political and Legal Affairs, Project on National Security Reform and Senior Fellow, Center for the Study of the Presidency

• Henry H. Horton, Associate Partner leading the Information Assurance and Strategic Initiatives, IBM Global Services, Public Sector, and former Federal Special Agent in Charge of a strategic counter-espionage and counter-terrorism organization, Director of Security for an Independent Federal agency.

• Daniel B. Prieto, Partner and Vice President, IBM Global Business Services, Public Sector

Mr. Cutts will provide a substantive overview of where the DHS efforts currently stand, what remains as defined goals, and areas that should receive better focus. This session will be held at the unclassified level and is not for attribution. All comments are off the record and so, unfortunately, I will not be posting here about the roundtable.

October 9, 2008

HLSwatch Interviews Chertoff on DHS Cyber Initiatives

Filed under: Budgets and Spending, Cybersecurity — by Jonah Czerwinski on October 9, 2008

In a meeting yesterday that comes as DHS kicks off its first National Cyber Security Awareness Month, Secretary Chertoff responded to a range of questions from a group of invited homeland security bloggers. The discussion focused on the Department of Homeland Security’s cyber security initiatives.

I asked about governance issues, budget priorities, and the gradual shift from passive defense to “active defense” in the Department’s role in dealing with cyber threats to the .gov environment.

Chertoff explained that “from our standpoint in the next year, the $350 million in the FY 09 appropriations for DHS cyber programs is actually slightly more than we requested. And what we’re doing is we’re building the basic infrastructure.”

That basic infrastructure includes the following:

• Deploying Einstein 2.0

• Equipment, personnel (recruiting over 100 programmers and operators of Einstein.)

• Additional space, leasing various utilities.

• DHS monetary contribution to support of the Cyber Security Center, which is in the process of standing up.

In the future, Chertoff references DHS plans to “get our control over the .gov domain.” He explained that “every 45 days we are reducing by half and consolidating the number of Internet connections [to the Internet from the federal computer networks.]” According to the Secretary, DHS plans to consolidate federal Internet connections “from what started at as a thousand and we hope will be in the neighborhood of a hundred or two.”

This will enable more effective deployment of the DHS cyber security program called Einstein 2.0, which is designed to obtain “real time detection warning,” Chertoff said. The intention here would be to provide characterization of cyber intrusions or other threats as they occur so that an immediate response can be executed to counter the attack in some way. It is unclear if DHS also is responsible for the countermeasures.

I asked about another program he mentioned in a separate discussion that he called Einstein 3.0, which would be shifting us even further down the spectrum from defense to offense.

Chertoff responded by saying that “we are taking our Einstein 1.0, which is our current detection tool, we are now upgrading it to Einstein 2.0 and testing it out, and we’re also in the process of looking at turning it from a passive detection to an active detection device, active meaning that we would have the ability to actually stop an attack as opposed to merely warn about an attack.”

Chertoff continued:

No, it’s still defense. It’s just a blocking capability. In other words, what 2.0 does is if I know malicious code is coming in, it enables me to give a real time warning. Someone described it the other day to me; it’s like a traffic cop sitting on the highway seeing people speed and he can immediately call in and say someone with license plate XYZ is speeding, and give warning down there.

3.0 would allow the traffic cop to make the arrest right on the spot.

It would be when you detected the attack, you would stop it cold.

I’ll update this post later today with more from the exchange. Other bloggers in attendance included Ben Bain with Federal Computer Week, Jeff Fox from ConsumerReports, Jena McNeill with the Heritage Foundation, Julian Sanchez from ArsTechnica, Jeff Stein from Congressional Quarterly, and John Solomon from In Case of Emergency Blog. Full transcript can be found here.

October 7, 2008

Chertoff Elaborates on DHS Cyber Posture

Filed under: Cybersecurity — by Jonah Czerwinski on October 7, 2008

DHS plans to go on the offensive in cyberspace. Secretary Chertoff told a group of reporters last week, including CNN, that following Einstein 2.0, which monitors and reports cyber intrusions in real time, we can expect a version 3.0 to act “like an anti-aircraft weapon, shoot down an attack before it hits its target,” Chertoff said. “And that’s what we call Einstein 3.0.”

The Bush administration introduced a National Cyber Security Initiative in January that is to be carried out by DHS, Defense, the Intel Community, and others. The role for DHS – and the extent to which it would lead any part of the Initiative – is the subject of some uncertainty. The “most immediate component” of the National Cyber Security Initiative for DHS, Chertoff said, is to increase security for federal government computer systems.

Tomorrow, Secretary Chertoff convenes a group of us from the blogosphere to discuss the DHS role in the National Cyber Security Initiative. I intend to ask about how the Department plans to deal with the implications of an offensive approach to cybersecurity, considered an escalation by some, for DHS. There is a wide spectrum of productive activity in cyber security between simply monitoring attacks and conducting the (counter)attacks. However, I’d like to know DHS is looking at this entire spectrum.

If you have questions on the topic of the National Cyber Security Initiative and the DHS role in it, please submit comments here.

September 17, 2008

A Rough Week for DHS Cyber Programs

Filed under: Cybersecurity — by Jonah Czerwinski on September 17, 2008

What a week for DHS cyber security efforts. Congressional hearings, think tank studies, and GAO reports all arguing that the Department is underpowered and disorganized in its effort to carry out its role as a lead in the National Cyber Security Initiative, a multi-billion dollar program to protect federal and private sector internet assets against attack and exploitation.

Not to leave anything ambiguous, GAO released three new studies this week:

• DHS Faces Challenges in Establishing a Comprehensive National Capability
• DHS Needs to Better Address Its Cybersecurity Responsibilities
• DHS Needs to Fully Address Lessons Learned from Its First Cyber Storm Exercise

The pointy end of the spear is US-CERT. The US-CERT’s mission is to:

• analyze and reduce cyber threats and vulnerabilities
• disseminate cyber threat warning information
• coordinate incident response activities

They have a way to go. A new GAO report finds that US-CERT “lacks a comprehensive baseline understanding of the nation’s critical information infrastructure operations, does not monitor all critical infrastructure information systems, does not consistently provide actionable and timely warnings, and lacks the capacity to assist in mitigation and recovery in the event of multiple, simultaneous incidents of national significance.”

DHS spokesperson Laura Keehner explained that “We are undertaking something not unlike the Manhattan Project.” “Billions of dollars are going into this effort. We’re the first to admit there is more work to be done….” Of course, US-CERT was founded five years ago. In the last year, more cooks have been added to the kitchen, too. The DHS CIO has a leadership role, the Under Secretary for National Protection and Programs has a leadership role, the director of the National Cyber Security Center has a leadership role, the Assistant Secretary of Cyber Security and Communications has a leadership role.

This may be what drove James Lewis of the Center for Strategic & International Studies to tell Congress in testimony yesterday during a hearing on cyber issues that the core problems “are the lack of a strategic focus, overlapping missions, poor coordination and collaboration, and diffuse responsibility.”

Lewis serves on the Commission on Cybersecurity for the 44th Presidency along with 30+ other leading lights in this area, including Pete Allor of IBM and Paul Kurtz of Good Harbor. They make a pretty straightforward recommendation: If this is to be a truly national cyber initiative, move it to the White House. Getting this effort bogged down in DHS, the intelligence community, and DOD risks hobbling the whole endeavor, which is far too important.

August 26, 2008

Cyber Splits Public & Private Sector

Filed under: Cybersecurity — by Jonah Czerwinski on August 26, 2008

Whatever happened to the public-private partnership? There may be a disconnect between what the private sector says is necessary to better secure cyber space and what the government is willing to do, according to a piece the LA Times runs today highlighting a rift between cyber experts among the private sector and the government, suggesting the latter is not taking the threat seriously.

Is this a symptom of Administration fatigue, wherein the political appointees assume they can’t make progress this late in the game so why try? Or is this a tough love approach wherein the Administration actually wants the private sector to secure its own dang databases?

Jerry Dixon, the previous director of the National Cyber Security Division at DHS, is quoted as assessing that “Nothing is happening.” He believes that Washington needs to do much more to protect consumers, businesses, and the government from cyber attacks by criminals, state-based or rogue.

The report suggests two reasons for how we got here: First, the government embraces the notion that the private sector is better suited to deal with this problem. Second, because so many people are in charge of cyber, no one is.

Personifying the hands-off approach, the Director of the National Cyber Security Center (located at DHS) delivered a keynote address at this month’s Black Hat convention in Vegas. His remarks there discussed economic theory, why Abraham Lincoln was the nation’s “first wired president,” and that the financial industry and others needn’t spend more on cyber security than they already do.

The LA Times quotes from his speech, “Over time, the banking industry is pretty rational. So they’re probably doing a good job on investment.” He added that “private security spending in general was probably at about the right level.”

Apparently this was not the answer experts were seeking. The story describes how executives in attendance “grumbled that Lincoln had nothing to do with protecting their corporate networks.”

We’ve covered here the ways in which DHS needs to get its own house in order with respect to organizing for the cyber security mission. But the entire cyber landscape is by design a daunting complex of authorities and interests that fail to fit neatly into a box. DHS oversees protection of government networks. The FBI and Secret Service prosecute perpetrators of cyber crimes. The State Department is involved if a case crosses national boundaries. The role of the armed services is more complicated as described in this post about how to measure cyber attacks in comparison to armed attacks. Moreover, the Internet’s infrastructure is mainly owned and operated by the private sector.

Dixon makes a point that is at the heart of the problem: lack of leadership. The private sector will not spend on security that doesn’t have an obvious and immediate benefit to the bottom line without a coordinated rationale provided by the public sector because the government has no competitive dog in the fight. (It is one thing for Citi to suggest that all banks should beef up cyber security attribution capabilities and quite another for the government to do so.)

“The biggest thing we’ve noted is the lack of a guiding Net plan that includes privacy and infrastructure security,” Dixon said. “We need an overarching cyber doctrine that’s shepherded by the White House.”

August 21, 2008

Congress Amends HSA Again; This Time for DHS Cyber

Filed under: Congress and HLS, Cybersecurity, Organizational Issues — by Jonah Czerwinski on August 21, 2008

The House recently passed a bill introduced by Rep. Langevin to amend the Homeland Security Act of 2002 to grant the DHS Chief Information Officer (CIO) authority for the development, approval, implementation, integration, and oversight of certain DHS cyber security initiatives (e.g., “information management and information infrastructure”). The Homeland Security Network Defense and Accountability Act of 2008 authorizes the CIO to manage the policies, procedures, activities, funding, and systems relating to DHS networked information and infrastructure, and this surely bears on the Department’s role in the National Cyber Security Initiative.

Why the CIO? The GAO issued a report in June questioning DHS’s organization for addressing its cyber missions. There is CERT. There is an Assistant Secretary for Cyber Security and Communications and the director of the National Cyber Security Center at DHS. Of course, most of the component agencies of DHS also have their own CIOs.

The new bill directs the DHS CIO to establish and manage security control testing protocols to protect DHS’s and contractors’ information infrastructure against cyber-based attacks. It also tasks the DHS Inspector General with determining the effectiveness of the Department’s cyber security policies and controls. Moreover, the Secretary – through the CIO – has to determine that any contractors have their own cyber security policies and protections in place before entering into or renewing a covered contract.

That’s a lot on the CIO. The bill therefore sets forth a list of qualifications for the CIO. These quals include at least five years of executive leadership and management experience in IT and information security.

August 18, 2008

When is a Cyber Attack an Act of War?

Filed under: Cybersecurity, International HLS, Strategy — by Jonah Czerwinski on August 18, 2008

First, a sincere thank you to PJ Crowley, James Carafano, Clark Ervin, and Peter J. Brown for their contributions to HLSwatch during this past week. James’ piece on the cyber attacks conducted on Georgia during its confrontation with Russia over South Ossetia raised questions about not only who was to blame, but how Georgia should respond.

Both The Washington Post and The Wall Street Journal ran stories this past week about how cyber attacks on government and private sector entities of Georgia are invoking a debate about whether offensive measures in cyber space amount to acts of war. Because the cyber attacks occurred during the military offensive between Russia and Georgia, it begs the question about whether and how a government should respond to attacks on its cyber assets by way of the electromagnetic spectrum.

Finely-calibrated responses to attacks involving traditional kinetic methods have existed and evolved over the centuries. But measuring the appropriate response to a cyber attack is a unique challenge because information operations (IO) use digital weapons, new methods of attack, and novel targets.

Michael N. Schmitt, author of Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework, (1999), offers perhaps the most concrete way of answering the difficult question: “When does the attack rise to the level of a ‘use of force’ under international law?”

The Schmitt analysis applies a quantitative scale (1 to 10) to each of seven factors in order to determine if a cyber attack equates to an armed attack and to characterize any information operation as being closer to one end of a spectrum or the other. These seven factors are:
• Severity
• Immediacy
• Directness
• Invasiveness
• Measurability
• Presumptive Legitimacy
• Responsibility

This amounts to a modern adaptation of Just War Theory. One of the latter’s tenets is “always in response.” Let’s see whether that makes it into practice in the 21st century.

August 12, 2008

When Electrons Attack

Filed under: Cybersecurity — by James Carafano on August 12, 2008

~Guest Post~

Bombs and bullets are not the only thing flying around in the Russia-Georgian war that broke out over the weekend. According to a recent story in The Telegraph, the Georgian Ministry of Foreign Affairs claimed “[a] cyber warfare campaign by Russia is seriously disrupting many Georgian websites, including that of the Ministry of Foreign Affairs.” That is not the first time Russia has been accused of cyber warfare.

A widely publicized cyber assault against Estonia in 2007 increased suspicion that Russia is using online malicious activity as a tool of national policy. The assault disrupted public and private Estonian information networks with massive denial-of-service attacks. The Estonia attacks targeted the Web sites of banks, telecommunication companies, media outlets, and government agencies, eventually forcing the country to block all foreign Internet traffic. Many Web sites were shut down by denial-of-service attacks, in which the attacker uses thousands of hijacked computers to bombard a Web site with useless information until it is overloaded. Estonia’s defense minister described the attacks as “a national security situation…. It can effectively be compared to when your ports are shut to the sea.” The Estonia and Georgian attacks testify to the disruptive power of a coordinated cyber offensive.

Russia is not the only one. China uses “cyber-spying” as a matter of course – and America is one of their prime targets.

U.S. government information systems are attacked every day from sources within the country and around the world. Some of these intrusions have been extremely serious, compromising security and costing millions of dollars. Penetration of computer networks at the National Defense University proved so pervasive that the university was forced to take the entire computer network offline and install new information system defenses.

These attacks come from states, criminal networks, “hacktivists” (online political activists) and other malicious actors.

In addition, bad people exploit the freedom of the Internet – terrorists included. They go online to gather intelligence, raise money, share tradecraft in chat rooms, and coordinate propaganda messages.

The lesson for the United States is to take the challenge of cyber threats seriously. The initiatives that will likely best serve the United States and its international partners in the cyber conflicts of the 21st century are those derived from private sector experience, emerging military and intelligence capabilities for conducting information warfare, and law enforcement measures for combating cyber crime. The U.S. needs a national framework that builds on these capabilities, encouraging them to collaborate and reinforce one another. These initiatives should include:

• Adopting best practices. Both government agencies, such as the National Institute for Standards and Technology, and the private sector continue to develop best practices and lessons learned. These can be effective tools. Ensuring that these are refreshed and applied should be government’s first priority.

• Employing risk-based approaches. All information programs must include assessments of criticality, threat, and vulnerability as well as measures to efficiently and effectively reduce risks.

• Fostering teamwork. Cybersecurity is a national responsibility requiring international cooperation. The United States must maintain effective bilateral and multinational partnerships to combat cyber threats.

• Exploiting emergent private sector capabilities. These may come from many sources, such as small companies and foreign countries. The U.S. government must become a more agile consumer of cutting-edge commercial capabilities.

• Focusing on professional development. Most government information programs underperform because, due to inattentive senior leadership, they lack clear requirements and hold unrealistic projections of the resources required to implement those requirements. National security professionals must have familiarity with a number of diverse security-related disciplines and practice in interagency operations, working with different government agencies, the private sector, and international partners.

• Developing robust offensive capabilities to respond to cyber attacks and malicious acts by either state or non-state threats using the full range of military, intelligence, law enforcement, diplomatic, and economic means.

What is needed, however, is not massive reorganization, massive government bureaucracy, massive infusions of government cash, or massive intrusions into the marketplace and the lives of Americans. What is needed is long-term commitment and sound initiatives based on better and faster acquisition of commercial services; better and smarter management of military, intelligence, and information technology programs; and better and sustained professional development of federal, state, local, and private sector leaders.

James Jay Carafano, Ph.D., is Assistant Director, Kathryn and Shelby Cullom Davis Institute for International Studies and Senior Research Fellow, Douglas and Sarah Allison Center for Foreign Policy Studies at The Heritage Foundation in Washington, DC.

July 16, 2008

Obama Sets Top National Security Priorities

Filed under: Biosecurity, Cybersecurity, Radiological & Nuclear Threats, Strategy — by Jonah Czerwinski on July 16, 2008

Barack Obama today delivered remarks at Purdue University in which he laid out a set of national security priorities. He specifically identified “nuclear, biological, and cyber threats – three 21st century threats that have been neglected for the last eight years.”

He explains in the speech — in so many words — that by “neglected” he means underinvested in and deserving of greater priority. It can be said that when everything’s a priority, nothing is. But if you read the whole speech, Senator Obama makes the case that it’s wiser to focus on the ways in which we are vulnerable as opposed to focusing on the specific enemies. Sounds weird, but it makes sense to suggest that, while national security is broadly defined, we must focus on the threats that can be presented, regardless of the adversary.

For example, while it may be al Qaeda that seeks to use bio-terrorism, we need to focus on defeating that threat if it is employed by any enemy. Same goes for nucs and cyber. And since I’m still here at Maxwell AFB for the Air Force Cybersecurity Symposium, following are Obama’s proposals on addressing cyber threats:

Every American depends – directly or indirectly – on our system of information networks. They are increasingly the backbone of our economy and our infrastructure; our national security and our personal well-being. But it’s no secret that terrorists could use our computer networks to deal us a crippling blow. We know that cyber-espionage and common crime is already on the rise. And yet while countries like China have been quick to recognize this change, for the last eight years we have been dragging our feet.

As President, I’ll make cyber security the top priority that it should be in the 21st century. I’ll declare our cyber-infrastructure a strategic asset, and appoint a National Cyber Advisor who will report directly to me. We’ll coordinate efforts across the federal government, implement a truly national cyber-security policy, and tighten standards to secure information – from the networks that power the federal government, to the networks that you use in your personal lives.

To protect our national security, I’ll bring together government, industry, and academia to determine the best ways to guard the infrastructure that supports our power. Fortunately, right here at Purdue we have one of the country’s leading cyber programs. We need to prevent terrorists or spies from hacking into our national security networks. We need to build the capacity to identify, isolate, and respond to any cyber-attack. And we need to develop new standards for the cyber security that protects our most important infrastructure – from electrical grids to sewage systems; from air traffic control to our markets.

For a brief speech, this was about as much detail as we can expect from a candidate. However, the next president is going to have to delve into such challenges as how effectively to draw the line between monitoring, detecting, dissuading, deterring, and defeating cyber threats. And should we actually endure an attack, we’ve yet to carve out our conops for response, recovery, and retaliation. What does it mean to retaliate for a cyber attack that steals secrets? Or one that shuts down an electrical grid, leading to actual casualties? Or one that isolates our armed services from its chain of command?

Cyber security ought to be a presidential priority and it is positive to see Senator Obama call it out as a strategic concern. We’ll see if John McCain is focused on cyber should his campaign offer a counter-speech.

July 14, 2008

Cyber Security Symposium at Maxwell AFB

Filed under: Cybersecurity, Events — by Jonah Czerwinski on July 14, 2008

The Cyberspace Information Operations Study Center hosts its first symposium “Air Force Symposium 2008 – Cyberspace” at Maxwell AFB, Montgomery, AL, this week. Co-hosted by Headquarters 8th Air Force, Barksdale AFB, LA and U.S. Strategic Command, Offutt AFB, NE, the symposium is intended to engage military, industry and academic participants on a broad spectrum of topics affecting the cyberspace mission.

Participants include service members, business leaders, researchers, and academics who wish to participate in advancing the U.S. Air Force mission to “fly and fight” in cyberspace. Workshops focus on Doctrine and Concepts of Operations, Policy and Law, and USAF Cyber Support to National Security.

Sessions will address, among other things, defining cyberspace and working toward establishing the domain, control and use of cyberspace. Participants will also participate in discussions of international and domestic law related to cyberspace and analyze national security and other issues from both military and civilian perspectives.

Scheduled speakers at the symposium include Gen. Kevin P. Chilton, commander, U.S. Strategic Command; Maj. Gen. Charlie Dunlap, Air Force deputy judge advocate general; and Maj. Gen. William T. Lord, commander, Air Force Cyberspace Command.

I’ll be attending as much as I can of the Policy and Law track and Track Three on nat’l security, which involves workshops focused on the question of how “U.S. capabilities and activities in the Cyber Domain can and, if developed, should contribute to national security,” according to materials.

I had to confirm my clearance to attend the conference so my ability to blog from it is going to be rather limited. I’ll do my best to post here about unclassified information and other open developments.

June 18, 2008

A Future for Nuclear National Labs in Homeland Security?

Filed under: Cybersecurity, Organizational Issues, Technology for HLS — by Jonah Czerwinski on June 18, 2008

The Stimson Center’s Cooperative Nonproliferation Program (CNP) announced the launch of a new task force charged with leveraging national laboratory S&T for the 21st century security environment. Fran Townsend, President Bush’s former Homeland Security Advisor, and Lieutenant General Donald Kerrick, former Deputy National Security Advisor to President Clinton, will serve as co-chairs. The bipartisan group, composed of national security experts, scientists, and businesspeople, will convene for the first time on June 27th, 2008 in Washington, DC.

The Task Force is led by The Stimson Center’s Libby Turpen, with clear involvement of Ellen Laipson, who was vice-chair at the National Intelligence Council the first time I met her. She was appointed president and CEO at Stimson in 2002. Libby used to be on the Hill before she joined Stimson in 2001 to establish the Security for a New Century congressional study group.

I have the privilege of serving on this taskforce over the next several months. While the proceedings of this Task Force will be private until reporting out to sponsors at DOE and the Lounsbery Foundation, I’ll do my best to keep readers informed of the work. After our first meeting on the 27th, we’ll be heading out to Albuquerque, New Mexico, and Livermore, California, to visit with the people at Los Alamos National Lab, Lawrence Livermore, and Sandia.

The Department of Energy and the National Nuclear Security Administration’s (NNSA) ongoing transformation from a Cold War complex to a modern national security enterprise is faced with the distinct challenge of repurposing to some extent the overall mission and focus of the nuclear labs, namely Los Alamos, Sandia, and Lawrence Livermore.

The Task Force’s key objective is to develop a strategy to ensure retention of nuclear weapons related core competencies at the national labs while better leveraging their scientific and technological capabilities to serve a broader set of 21st-century national and homeland security needs. This initiative should create a comprehensive R&D strategy to serve this objective. One can anticipate a likely slate of issues to include cybersecurity, climate change modeling, and possibly energy security issues.

May 22, 2008

International Security and Business Communities Take on Cyber Threat

Filed under: Cybersecurity — by Jonah Czerwinski on May 22, 2008

Seven NATO nations signed documents last week formally establishing a Cooperative Cyber Defence (CCD) Centre of Excellence (CoE) in Tallinn, Estonia. The International Multilateral Partnership against Cyber-Terrorism (IMPACT) will convene at least 30 governments at its summit this week.

NATO’s new CoE will conduct research and training on cyber warfare and have a staff of 30, half of them from sponsoring countries Estonia, Germany, Italy, Latvia, Lithuania, Slovakia, and Spain.

The agreement to form NATO’s Cooperative Cyber Defence CoE comes a year after a major cyber attack on Estonian government and private sector institutions. NATO’s Defense Ministers called for the development of a NATO cyber defense policy at their October 2007 meeting. The policy was adopted earlier this year.

The policy includes a Cyber Defence Management Authority that will manage cyber defense across all NATO’s communication and information systems and could support individual allies in defending against cyber attacks in the event of an Article V (mutual defense) request.

On the other side of the world, a new public-private partnership will meet in Malaysia to bring together government leaders and industry to address global cyber security. The International Multilateral Partnership against Cyber-Terrorism (IMPACT) received about $30 million in funding from the government of Malaysia and is currently convening its multilateral summit with about 30 governments represented.

May 6, 2008

Senate Demands Details About New Cyber Initiative

Filed under: Cybersecurity — by Jonah Czerwinski on May 6, 2008

The Senate Homeland Security and Governmental Affairs Committee issued an eight-page letter to Secretary Chertoff demanding details about the administration’s new Cyber Initiative. This follows the classified hearing the Committee held on March 4.

The Comprehensive National Cybersecurity Initiative (CNCI), formally established in January, is intended to strengthen the federal government’s ability to secure the electronic networks and databases of the federal government. According to the Committee, the March hearing included a threat assessment from DHS and the National Security Agency and a review of the interagency roles and responsibilities of the CNCI. The following witnesses testified:

• Robert D. Jamison, Under Secretary, National Protection and Programs Directorate at the Department of Homeland Security;
• Melissa A. Hathaway, Cyber Coordination Executive, Office of the Director of National Intelligence;
• G. Dennis Bartko, Special Assistant to the Director for Cyber at the National Security Agency; and
• Scott O’Neal, Section Chief, Cyber Division at the Federal Bureau of Investigation.

The Administration received $115 million for FY 2008 to fund the Cyber Initiative, and another $83 million is being requested for FY09. The Committee puts this into context by explaining the budget request as a three-fold increase over the course of one year.

Here’s where things get a little tense. Senators Lieberman and Collins, chair and ranking member of the Homeland Security and Governmental Affairs Committee, respectively, yesterday released a letter they sent to Secretary Chertoff asking for specific information about the CNCI, its dependence on contractors, and the potential lack of involvement by the private sector, which owns and/or operates the majority of the nation’s cyber infrastructure.

The requests include such basic details as the role of the National Cyber Security Center and the authority under which its director was named. In terms of metrics, the Committee would like to know how DHS will determine when the CNCI is succeeding and Einstein is measuring something tangible.

If I were a betting man, this looks like the beginning of another investigation from the GAO….


April 9, 2008

DHS Names New IT Chief

Filed under: Cybersecurity, DHS News, Technology for HLS — by Jonah Czerwinski on April 9, 2008

Richard Mangogna is the new DHS Chief Information Officer, according to a DHS press release. The announcement is noteworthy for its brevity.

Before we get into the investigation, DHS deck chairs move as follows: Mangogna succeeds Scott Charbo, who was appointed deputy undersecretary of National Protection and Programs. Since Charbo’s departure, Deputy CIO Charles Armstrong has served as acting CIO. Armstrong will support Mangogna’s on-boarding before moving over to become CIO for Customs and Border Protection.

Not a lot out there on Mr. Mangogna. He is identified in the official release as an independent consultant with the Mason Harriman Group. MHG doesn’t list any of its staff on its website. It characterizes its employees as consultants who “are 45 seasoned former C-Level executives from the Fortune 200.” Only generic contact information is available, but at least we can tell where MHG is located: Towaco, N.J.

The White House and DHS releases cite Mangogna as a former president and CEO of Covidea. You don’t know Covidea? The New York Times and Covidea announced a videotex service on September 16, 1986, with a product called New York Pulse. On December 6, 1988, Covidea closed its videotex services, Pronto and Business Banking. New York Pulse shut down the following year.

So what’s the new DHS CIO been up to for the last twenty-one years? The Administration only acknowledges that Mangogna worked as executive vice president and CIO at JP Morgan Chase and was the division head of Business Re-engineering Management at Chase Manhattan Bank. I found no evidence of the Business Re-engineering Management role. In its 1999 annual report, Chase Bank refers to him as Global Bank CIO.

It is unclear why more wasn’t said about his experience there. When Chase and JP Morgan merged in 2000, a massive systems and business integration project began. As CIO for the newly created company, Mangogna co-chaired the technology and operations steering committee that guided the integration of the technology that supported the operations of about 100,000 employees with systems across the country and on six continents, involving more than 90 data and processing centers, according to a 2001 piece in InfoWorld. You might say that’s a transferable skill set.

However, DHS is a larger undertaking. With over 200,000 employees operating in a different paradigm than pre-9/11 banking, DHS represents a challenge for anyone. USCIS alone is embarking on a major overhaul of its business processes and technology foundation under its $3.5 billion Transformation program. Perhaps more details about Mangogna’s resume will come out in the press. But since the CIO at DHS doesn’t need to be Senate confirmed, it won’t come easily.

Final note: When Chase Bank purchased a major new Sun Microsystems server for about $900K back in 1999 (that was big then), Mangogna justified the investment, explaining “IT performance is a competitive weapon in the global economy.” He might easily update that assessment to include the bigger picture that DHS is responsible for.

April 4, 2008

Chertoff: Cyber Initiative More of the Same, Just Better. And Classified.

Filed under: Cybersecurity — by Jonah Czerwinski on April 4, 2008


When HLSWatch asked DHS Secretary Chertoff during yesterday’s meeting about his intentions for the forthcoming Cyber Initiative, which will orchestrate a cross-agency, several-hundred-million-dollar effort to combat and defend against cyberterrorism, he laid out a three-part plan:

1. DHS applies a computer program called EINSTEIN
2. The US-CERT is up and running
3. Security patches to protect against cyber threats will be shared with the private sector

1. EINSTEIN is a computer program that detects attacks on federal computer networks and assembles data on how to defend against them. It’s been in place selectively for a few years, but now it’s mandatory.
2. US-CERT, the United States Computer Emergency Readiness Team, was established in 2003 to support DHS cooperation with “the public and private sectors” in defense against and responses to cyber attacks. Think of US-CERT as the enforcement guys who make sure that measures are taken to defend against cyber attacks. Apparently they have more authority under the Initiative.
3. Work with the private sector to share information about cyber threats has been underway since before 9/11 through the Information Sharing and Analysis Centers, each dedicated to a specific industry. (The Financial Services ISAC was formed in late 1999 and the IT-ISAC was established in late 2000).

The Chem ISAC and Oil&Gas ISACs came in 2001 and left in 2005.

So what’s new? It’s classified, actually. We’ll see what the transcript says, but it sounds like the article by Ellen Nakashima in the Post is as close as we’re going to get for now to shedding light on the Cyber Initiative.
