Obama administration partially lifts secrecy on classified cybersecurity project
President Barack Obama's administration has declassified portions of the highly secret multi-billion dollar Comprehensive National Cybersecurity Initiative (CNCI), which was launched by the Bush administration as part of an effort to defend American interests in cyberspace.
As of 12:00 noon Pacific Time on Wednesday, a document (PDF) providing high-level details of the initiative was posted on the Whitehouse.gov Web site. Some of the details that have been provided in the five page document are already known, but at least some of the material is fresh.
For instance, the document shows that the government is working on developing a next generation intrusion prevention system called Einstein 3, for civilian departments and agencies of the Federal Executive Branch. Similarly, it shows that government is developing a cyber-counterintelligence strategy specifically to mitigate threats from overseas adversaries.
The administration's decision to declassify portions of the 12-point program was announced today at the RSA Security Conference by Howard Schmidt, recently appointed as White House cybersecurity advisor.
In a keynote address, Schmidt said the government had decided to lift the veil of secrecy that has shrouded CNCI for the past two years as part of its commitment to open-government and transparency.
Such a move is important for fostering the closer partnership between the private sector and the government that is needed to fight cyber-threats, he said. "Transparency and partnership are concepts that go hand in hand," Schmidt said at the conference.
The government's decision to partially lift the shroud of secrecy that has surrounded CNCI is likely to be welcomed by security experts. Even though the document posted today offered little by way of specific details, it at least offers some insight into where the government will be pouring hundreds of millions of dollars into cybersecurity over the next few years.
As previously understood, under CNCI all civilian federal agencies are consolidating external access points, including those to the Internet, as part of an effort to reduce their exposure to Internet borne threats.
Under the effort, more than 4,300 external connections are being consolidated, to about 100. The consolidated network will then be monitored by an upgraded version of a federal network intrusion detection technology called Einstein.
The new version of Einstein, called Einstein 2 will use signature-based sensors to inspect all Internet traffic entering Federal systems for malicious content.
The document released today reveals that in addition to Einstein 2, the government is also developing Einstein 3, a network intrusion prevention system based on technology developed at the National Security Agency. The Department of Homeland Security is currently piloting the technology, which will be used by the U.S. Computer Emergency Response Team (US-CERT) to respond to network intrusions.
Under CNCI, the federal government is also working on developing a strategy for deterring "interference and attack" on U.S. cyber assets. The goal of the effort is to enhance advanced warning capabilities and to develop an effective deterrent response to attacks against federal and critical infrastructure targets.
Another key program that has been launched under CNCI is one that is focused on protecting global supply chains from cyber-attacks.
The CNCI was established under a classified directive known as Homeland Security Presidential Directive 21 in January 2008 by then President Bush. It is designed to essentially bolster the ability of federal agencies to detect and respond to cyber threats in a far more efficient manner.
The highly-classified nature of the initiative, and the fact that the National Security Agency (NSA) is actively participating in the effort has spooked many lawmakers, privacy advocates and security experts.
Over the past 18 months or so, there have been several calls for more details on the project to be released publicly. Much of the consternation has to do with what many see as an unsettling expansion of the NSA's role in domestic cybersecurity matters.
Last month, for instance, privacy advocacy group the Electronic Privacy Information Center (EPIC) filed a lawsuit against the NSA in U.S. District Court for the District of Columbia, seeking the court's intervention in getting the NSA to divulge details on the authority it has been granted on domestic cybersecurity matters as part of CNCI.
EPIC had previously filed Freedom of Information Act (FOIA) requests with the NSA asking for the information. It is too soon to say whether the information released today will alleviate any of the concerns that have been previously expressed over CNCI.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is firstname.lastname@example.org.
Read more about cybercrime and hacking in Computerworld's Cybercrime and Hacking Knowledge Center.