Homeland Security Watch

News and analysis of critical issues in homeland security

March 5, 2010

Cybersecurity - Front and Center

Filed under: Cybersecurity — by Jessica Herrera-Flanigan on March 5, 2010

In my post on Monday, I wrote about this week’s big conferences relating to homeland security - the RSA Conference in San Francisco (Geeks) and the ABA Homeland Security Institute in DC (Lawyers).  I suggested that folks “stay tuned to any announcements or surprises that might come from” the conferences.

RSA has not disappointed, with a number of announcements and declarations coming out of the conference.  The biggest revelation was that the White House was, as many had been expecting for the last several months, declassifying information on the Comprehensive National Cybersecurity Initiative (CNCI).

The CNCI was initiated in January 2008 in NSPD 54/HSPD 23, a classified document that left many, even before its release, asking questions about the role of the intelligence agencies in the government’s cybersecurity plans.  Siobhan Gorman, then of the Baltimore Sun, did a great job in late 2007 covering the effort.

While the the HSPD 54/HSPD 23 has not itself been declassified, the President did release a five page summary of the CNCI this week, the first official document to describe the classified directive, which can be found on the White House’s website.

The summary notes the twelve initiative within the Initiative:

Initiative #1. Manage the Federal Enterprise Network as a single network enterprise with Trusted Internet Connections

Initiative #2. Deploy an intrusion detection system of sensors across the Federal enterprise.

Initiative #3. Pursue deployment of intrusion prevention systems across the Federal enterprise.

Initiative #4: Coordinate and redirect research and development (R&D) efforts.

Initiative #5. Connect current cyber ops centers to enhance situational awareness.

Initiative #6. Develop and implement a government-wide cyber counterintelligence (CI) plan.

Initiative #7. Increase the security of our classified networks.

Initiative #8. Expand cyber education.

Initiative #9. Define and develop enduring “leap-ahead” technology, strategies, and programs.

Initiative #10. Define and develop enduring deterrence strategies and programs.

Initiative #11. Develop a multi-pronged approach for global supply chain risk management.

Initiative #12. Define the Federal role for extending cybersecurity into critical infrastructure domains.

In announcing the declassification, White House Cybersecurity Coordinator Howard Schmidt said “partnerships and transparency are concepts that have to go hand in hand” in the protection of the nation’s critical computer networks.

The declassification has come with mixed reviews. Many privacy advocates still would like to see the original NSPD/HSPD declassified, especially parts dealing with cyber offense capabilities.  The Washington Post also reported and Schmidt acknowledged that there remain a number of legal questions to be answered about parts of the initiative.  Personally, I believe that the declassification of information on the CNCI is an important first step that allows the private sector and the public to have a more open dialogue on how the government can be leading the way, with private sector input, on protecting government systems.

One of the biggest issues that came out of the CNCI was a concern that the government would move full-force ahead on the classified initiative without significant input from the numerous sectors of the private sector, many of whom have tackled some of the problems facing the government as it moved to protect its systems.  The added fear was that once the government put in place “solutions” for itself, it would move to migrate those solutions to the private sector through standards and mandates.  While some sectors with appropriate clearances have advised on parts of the initiative, there remained a gap in a transparent and full discussion.   Schmidt should be commended for taking on this effort and moving for a more open process for discussion.

I also question whether the NSPD/HSPD should be declassified in its entirety. While privacy and legal questions may arise out of any classified cyber offense capabilities discussed in the directive, we also should be careful about revealing too much about these efforts, especially if doing so would potentially reveal sources and methods to our technologically-savvy opponents, who are intent on compromising, sabotaging, or stealing information from our systems.  There needs to be a method to assure that classified information within the directive goes through appropriate checks and balances, but we also have to be prepared against a sophisticated enemy.

Also of note at the conference were Secretary Napolitano’s remarks.  In addition to encouraging industry to do better at security and recognize a “sense of urgency,” she announced a contest to the IT security community on how to develop a public education campaign on cyber-readiness.  Information on the contest and how to enter can be found at http://www.dhs.gov/files/cyber-awareness-campaign.shtm.

It is an interesting concept, though I wonder how it meshes with existing and past efforts to do public education campaigns on the cyber front.  In particular,  I wonder how this effort fits into the National Cyber Security Alliance, which was founded in 2001, as the pubic-private partnership for promoting cyber security awareness. That effort has worked with DHS and a number of tech companies, as well as the MS-ISAC for promoting cyberawareness and  “National Cybersecurity Awareness Month” in each of the past six Octobers.  There have also been numerous similar efforts through the years, including one I was involved with about 10 years ago, the “Cybercitizen Awareness Program,” that was intended to “establish a broad sense of responsibility and community in an effort to develop in young people smart, ethical, and socially conscious online behavior.”

Despite these questions, I think the idea is an interesting one.  In past posts, I have advocated for DHS to take more of a DARPA approach to solving problems, including potentially duplicating efforts like the DARPA Grand Challenge.  I have also written about DHS’ increasing use of social media and the need for it to integrate the public into those efforts.  In many ways, this contest takes both of those concepts and creates a mini-Grand Challenge web 2.0 awareness campaign. I look forward to seeing the results.

Those were the big government announcements coming out of RSA.  Overall, the conference seems to focus on a few themes : cloud computing, offensive cybersecurity efforts (including warfare), a call to action, and collaboration.

March 1, 2010

Geeks and Lawyers Confer on Security…

Filed under: Cybersecurity, Legal Issues — by Jessica Herrera-Flanigan on March 1, 2010

December 4, 2009

ISA Issues Report: Incentivize Don’t Regulate

Filed under: Cybersecurity, General Homeland Security — by Jessica Herrera-Flanigan on December 4, 2009

August 10, 2009

Cybersecurity -

Filed under: Cybersecurity — by Jessica Herrera-Flanigan on August 10, 2009

August 7, 2009

Bits & Bytes: Second Cyber Official Steps Down

Filed under: Cybersecurity — by Jessica Herrera-Flanigan on August 7, 2009

July 28, 2009

Is Cyber Going the Way of Robotics?

Filed under: Cybersecurity — by Jessica Herrera-Flanigan on July 28, 2009

July 1, 2009

DHS still has more satellite issues to address

Filed under: Cybersecurity, Preparedness and Response, Technology for HLS — by Philip J. Palin on July 1, 2009

May 29, 2009

Long-Awaited Cybersecurity Announcement and FEMA visit

Filed under: Cybersecurity, Infrastructure Protection, Preparedness and Response, State and Local HLS — by Jessica Herrera-Flanigan on May 29, 2009

May 10, 2009

Cybersecurity: community organizing needed more than command and control

Filed under: Cybersecurity — by Philip J. Palin on May 10, 2009

April 22, 2009

Quantity and quality of cybercrimes increasing

Filed under: Cybersecurity — by Philip J. Palin on April 22, 2009

April 18, 2009

Cyber-security short-stories

Filed under: Cybersecurity — by Philip J. Palin on April 18, 2009

April 13, 2009

Sylvester still harassing Tweety bird

Filed under: Cybersecurity, Humor — by Philip J. Palin on April 13, 2009

April 9, 2009

Be our guests: terrorist websites hosted in US

Filed under: Cybersecurity, Terrorist Threats & Attacks — by Philip J. Palin on April 9, 2009

April 8, 2009

Beware of geeks bearing gifts

Filed under: Cybersecurity — by Philip J. Palin on April 8, 2009

March 29, 2009

Cyber Spy Network Found

Filed under: Cybersecurity, General Homeland Security — by Philip J. Palin on March 29, 2009

March 25, 2009

Cyber controversy craves context

Filed under: Cybersecurity, General Homeland Security — by Philip J. Palin on March 25, 2009

March 13, 2009

Cyber: Seven days in March

Filed under: Cybersecurity, General Homeland Security — by Philip J. Palin on March 13, 2009

January 23, 2009

Napolitano to review Cyber, Northern Border Efforts

Filed under: Border Security, Cybersecurity — by Jonah Czerwinski on January 23, 2009

December 19, 2008

Obama Pick for Cyber Czar Comes Into Focus

Filed under: Cybersecurity — by Jonah Czerwinski on December 19, 2008

November 14, 2008

DHS Cyber Security Plans, Progress, and Strategies for Success Subject of IBM Roundtable

Filed under: Cybersecurity — by Jonah Czerwinski on November 14, 2008

October 9, 2008

HLSwatch Interviews Chertoff on DHS Cyber Initiatives

Filed under: Budgets and Spending, Cybersecurity — by Jonah Czerwinski on October 9, 2008

October 7, 2008

Chertoff Elaborates on DHS Cyber Posture

Filed under: Cybersecurity — by Jonah Czerwinski on October 7, 2008

September 17, 2008

A Rough Week for DHS Cyber Programs

Filed under: Cybersecurity — by Jonah Czerwinski on September 17, 2008

August 26, 2008

Cyber Splits Public & Private Sector

Filed under: Cybersecurity — by Jonah Czerwinski on August 26, 2008

August 21, 2008

Congress Amends HSA Again; This Time for DHS Cyber

Filed under: Congress and HLS, Cybersecurity, Organizational Issues — by Jonah Czerwinski on August 21, 2008

August 18, 2008

When is a Cyber Attack an Act of War?

Filed under: Cybersecurity, International HLS, Strategy — by Jonah Czerwinski on August 18, 2008

August 12, 2008

When Electrons Attack

Filed under: Cybersecurity — by James Carafano on August 12, 2008

July 16, 2008

Obama Sets Top National Security Priorities

Filed under: Biosecurity, Cybersecurity, Radiological & Nuclear Threats, Strategy — by Jonah Czerwinski on July 16, 2008
Next Page »