Critics not satisfied with partial revelation of secret cybersecurity plan

The release of a summary of a classified cybersecurity program launched during the Bush era that continues to guide government computer security efforts was generally welcomed, but some say key questions about the government’s strategy still need to be answered.

Howard Schmidt, the White House’s cybersecurity coordinator, released an outline of Comprehensive National Cybersecurity Initiative (CNCI) in a blog posting March 2. The CNCI started in January 2008 when then-President George W. Bush signed National Security Presidential Directive 54/Homeland Security Presidential Directive 23.

The unclassified summary outlines 12 initiatives that make up the CNCI. Much of the information had already been reported. However, the document does provide additional detail about EINSTEIN 3, the next-generation tool that the government is developing to protect the civilian government domain.

Related story:

White House lifts the veil on Bush cybersecurity initiative

“On the one hand it’s a departure from the prior level of secrecy, and it’s more than the Bush administration was willing to disclose,” said Steven Aftergood, director of the Project on Government Secrecy for the Federation of American Scientists. “On the other hand…it’s still a sparse description of the program, the underlying directive of the program has not been disclosed and the release seems more like it was intended to reassure the public than to initiate new public discussion or debate.”

Aftergood said the document amounted to a bare-bones description, but he said the release represented movement in the right direction. “They haven’t specified exactly what [legal] authorities they are claiming to carry out this activity and that’s something I would like to know more about,” he said. “What are the limits of their legal authorities?”

One area of the government's efforts that privacy advocates have been focused on is EINSTEIN 3. The summary said that program “will draw on commercial technology and specialized government technology to conduct real-time full packet inspection and threat-based decision-making on network traffic entering or leaving these Executive Branch networks” to “identify and characterize malicious network traffic to enhance cybersecurity analysis, situational awareness and security response.”

The summary also said the new program will give the Homeland Security Department the capability to send alerts that don’t contain the content of communications to the National Security Agency in order to support DHS, the agency in charge of protecting the civilian government domain. The summary said DHS is currently conducting a pilot exercise to test EINSTEIN 3’s capabilities, based on technology developed by the NSA. The government's privacy and civil liberties officials are working with DHS to put privacy protections in place, the document said.

Gregory Nojeim, senior counsel and director of the Project on Freedom, Security and Technology at the Center for Democracy and Technology, said there was not a lot of new information in the summary but that it was good for the government to acknowledge publicly that an NSA product is part of the development of EINSTEIN 3. However, he added that the outline raises questions.

“It would be important to know the answers to questions like what will be the government’s response when it detects malicious code and will the response go beyond preventing a harm, will it include an effort to stop that code from coming in in the future, and if so what will be the parameters of that effort?”

Karen Evans, who was administrator of e-government and information technology at the Office of Management and Budget when the directive was signed and is now a partner at KE&T Partners, said the release of the summary was a step forward. She said that it’s important for people to know what’s being done and what the 12 initiatives are.

The initiatives include the reducing the government’s external Internet access points, bolstering intrusion detection capabilities, coordinating research and development efforts, putting in place a counter-intelligence plan, and improving supply chain security. The summary offers varying level of detail on the different components.

Retired Air Force Maj. Gen. Dale Meyerrose, who previously served as chief information officer at the Office of the Director of National Intelligence, said the summary showed people the balance and comprehensiveness of the government’s plans. However, Meyerrose, now the vice president and general manger of Harris Corp.’s Cyber and Information Assurance practice, said the full directive shouldn’t be released because a lot of it has to do with tactics and procedures that you wouldn’t want to give the enemy.

Gregory Garcia, who was assistant secretary for cybersecurity and communications at DHS during the Bush administration, said releasing the summary was “absolutely the right decision” and was overdue. “I think what this should do is jump-start a more collaborative engagement with the private sector,” said Garcia, who now runs the Garcia Strategies consulting firm.

Garcia said its release should be taken by the private sector as a good-faith gesture. “The document itself is less important than the iterative process…of how the strategy can be implemented by the private sector and by the government collaboratively,” he said.

But, Nojeim said the private sector needs more answers from the government. He said that if he was a company being asked to provide information, he would want to know how information he hands over is being used, what is being shared with competitors, and how his company would be helped by providing that information.

“I think that this disclosure should be seen as a necessary but not sufficient step in transparency for the cybersecurity initiative,” Nojeim said. “To gain the confidence of the private sector that is necessary for the success of this program, a lot more has to be disclosed.”