Cybersecurity - Front and Center
In my post on Monday, I wrote about this week’s big conferences relating to homeland security - the RSA Conference in San Francisco (Geeks) and the ABA Homeland Security Institute in DC (Lawyers). I suggested that folks “stay tuned to any announcements or surprises that might come from” the conferences.
RSA has not disappointed, with a number of announcements and declarations coming out of the conference. The biggest revelation was that the White House was, as many had been expecting for the last several months, declassifying information on the Comprehensive National Cybersecurity Initiative (CNCI).
The CNCI was initiated in January 2008 in NSPD 54/HSPD 23, a classified document that left many, even before its release, asking questions about the role of the intelligence agencies in the government’s cybersecurity plans. Siobhan Gorman, then of the Baltimore Sun, did a great job in late 2007 covering the effort.
While NSPD 54/HSPD 23 has not itself been declassified, the President did release a five-page summary of the CNCI this week, the first official document to describe the classified directive, which can be found on the White House’s website.
The summary notes the twelve initiatives within the Initiative:
Initiative #1. Manage the Federal Enterprise Network as a single network enterprise with Trusted Internet Connections.
Initiative #2. Deploy an intrusion detection system of sensors across the Federal enterprise.
Initiative #3. Pursue deployment of intrusion prevention systems across the Federal enterprise.
Initiative #4. Coordinate and redirect research and development (R&D) efforts.
Initiative #5. Connect current cyber ops centers to enhance situational awareness.
Initiative #6. Develop and implement a government-wide cyber counterintelligence (CI) plan.
Initiative #7. Increase the security of our classified networks.
Initiative #8. Expand cyber education.
Initiative #9. Define and develop enduring “leap-ahead” technology, strategies, and programs.
Initiative #10. Define and develop enduring deterrence strategies and programs.
Initiative #11. Develop a multi-pronged approach for global supply chain risk management.
Initiative #12. Define the Federal role for extending cybersecurity into critical infrastructure domains.
In announcing the declassification, White House Cybersecurity Coordinator Howard Schmidt said “partnerships and transparency are concepts that have to go hand in hand” in the protection of the nation’s critical computer networks.
The declassification has come with mixed reviews. Many privacy advocates still would like to see the original NSPD/HSPD declassified, especially parts dealing with cyber offense capabilities. The Washington Post also reported, and Schmidt acknowledged, that there remain a number of legal questions to be answered about parts of the initiative. Personally, I believe that the declassification of information on the CNCI is an important first step that allows the private sector and the public to have a more open dialogue on how the government can be leading the way, with private sector input, on protecting government systems.
One of the biggest issues that came out of the CNCI was a concern that the government would move full-force ahead on the classified initiative without significant input from the numerous sectors of the private sector, many of whom have tackled some of the problems facing the government as it moved to protect its systems. The added fear was that once the government put in place “solutions” for itself, it would move to migrate those solutions to the private sector through standards and mandates. While some sectors with appropriate clearances have advised on parts of the initiative, there remained a gap in a transparent and full discussion. Schmidt should be commended for taking on this effort and moving for a more open process for discussion.
I also question whether the NSPD/HSPD should be declassified in its entirety. While privacy and legal questions may arise out of any classified cyber offense capabilities discussed in the directive, we also should be careful about revealing too much about these efforts, especially if doing so would potentially reveal sources and methods to our technologically-savvy opponents, who are intent on compromising, sabotaging, or stealing information from our systems. There needs to be a method to assure that classified information within the directive goes through appropriate checks and balances, but we also have to be prepared against a sophisticated enemy.
Also of note at the conference were Secretary Napolitano’s remarks. In addition to encouraging industry to do better at security and recognize a “sense of urgency,” she announced a contest to the IT security community on how to develop a public education campaign on cyber-readiness. Information on the contest and how to enter can be found at http://www.dhs.gov/files/cyber-awareness-campaign.shtm.
It is an interesting concept, though I wonder how it meshes with existing and past efforts to do public education campaigns on the cyber front. In particular, I wonder how this effort fits into the National Cyber Security Alliance, which was founded in 2001 as the public-private partnership for promoting cyber security awareness. That effort has worked with DHS and a number of tech companies, as well as the MS-ISAC, for promoting cyberawareness and “National Cybersecurity Awareness Month” in each of the past six Octobers. There have also been numerous similar efforts through the years, including one I was involved with about 10 years ago, the “Cybercitizen Awareness Program,” that was intended to “establish a broad sense of responsibility and community in an effort to develop in young people smart, ethical, and socially conscious online behavior.”
Despite these questions, I think the idea is an interesting one. In past posts, I have advocated for DHS to take more of a DARPA approach to solving problems, including potentially duplicating efforts like the DARPA Grand Challenge. I have also written about DHS’ increasing use of social media and the need for it to integrate the public into those efforts. In many ways, this contest takes both of those concepts and creates a mini-Grand Challenge web 2.0 awareness campaign. I look forward to seeing the results.
Those were the big government announcements coming out of RSA. Overall, the conference seems to focus on a few themes: cloud computing, offensive cybersecurity efforts (including warfare), a call to action, and collaboration.
