July 23, 2008

The Murky Waters of the White House's Cybersecurity Plan
 

“The Comprehensive National Cybersecurity Initiative: What You Don’t Know May Hurt You”

by Victoria Samson, CDI Senior Analyst

 

Chances are you’ve never heard of the program the House Intelligence Committee termed “the single largest request and the most important initiative” of the White House’s requested intelligence budget for fiscal year (FY) 2009: the Comprehensive National Cybersecurity Initiative (CNCI).[1] This program, said to be on par with the Manhattan Project in importance, was unveiled in January 2008, but little outside of some vague wording about detecting outside intrusions on federal systems has been released since.  Perhaps more worrying than its lack of accountability is its potential for infringing upon civil liberties, all in the name of “cybersecurity.”

In February 2003, the White House released the “National Strategy to Secure Cyberspace.”[2] Building off the then-brand-new Department of Homeland Security, this document spelled out its strategic goals:

· “Prevent cyber attacks against America’s critical infrastructures;

· “Reduce national vulnerability to cyber attacks; and

· “Minimize damage and recovery time from cyber attacks that do occur.”[3]

 

Even so, the document did acknowledge that “Privacy and civil liberties must be protected in the process” of defending national cyberspace.[4]

 

Despite the assertion by the White House that “the healthy functioning of cyberspace is essential to our economy and our national security,”[5] it took nearly five years before a presidential directive was released about this. National Security Presidential Directive 54 / Homeland Security Presidential Directive 23 (PD-54/HSPD-23) on Jan. 8, 2008, reportedly established the CNCI; “reportedly,” as no unclassified version of the presidential directive has been open to the public, despite repeated requests from Congress to do so.[6] But according to media reports, it authorizes intelligence agencies to monitor all federal network traffic in order to detect any outside intrusions. It puts the National Security Agency (NSA) in charge of tracking civilian communications traffic, something that previously was the responsibility of the National Institute of Standards and Technology (NIST): NSA used to just have to follow national security communications.[7]

 

Its components and goals are rather hazy. Its cost for this year could top $1 billion, and overall costs have been reported anywhere from $17 billion to $30 billion over the next seven years or so.[8] It could eventually have as many as 2,000 people assigned to it; then again, it might not.[9] The whole thing has been cloaked in such secrecy that until Secretary of Homeland Security Michael Chertoff announced that Rod Beckstrom was the director of DHS’ new National Cyber Security Center (NCSC), Senate Homeland Security and Governmental Affairs Committee staff had been told that the existence of the NCSC was classified.[10] (Beckstrom’s responsibilities? He will be “coordinating cyber security efforts and improving situational awareness and information sharing across the federal government.”[11]) At the end of Chertoff’s March announcement was the apparently unironic statement that “We look forward to working with Congress on the development of the NCSC.”[12]

 

Only two programs have been specifically mentioned in relation to the CNCI. There was a system in place for monitoring federal networks called “Einstein,” but it was derided as being insufficient, so the CNCI is supposed to include strengthening it. However, as pointed out by an alarmed May 2008 letter by Senators Joe Lieberman, I-Conn., and Susan Collins, R-Maine, to Chertoff, the new version of Einstein, instead of only looking at information traffic to and from government networks, could be used to look at the content of this traffic as well.[13] They go on to ask when a privacy impact assessment (PIA) will be completed for the updated Einstein system as legally required by the E-Government Act of 2002.

 

The other part of the CNCI that has been hesitantly spoken about is its Trusted Internet Connections (TIC) program.  This program was geared toward cutting down all the connections from federal agencies to outside networks from over 4,000 (as of February) to 50 or less by June.[14]  No word on whether this goal has been met.  Einstein and TIC together are reportedly supposed to cost around $100 million.[15]

 

DHS has been ramping up its spending on cybersecurity, one of its top four priorities for FY 09.  Its main branch for cybersecurity is the National Cyber Security Division (NCSD). In FY 07, its actual spending level was $79.3 million; in FY 08, its enacted funding was $210.4 million; in the FY 09 budget request, $293.5 million is included for the NCSD.[16]  This tremendous increase in cybersecurity spending has brought along with it many questions. In the aforementioned letter by Lieberman and Collins, the senators wrote that they “have concerns about how information has been shared with Congress and other stakeholders concerning this initiative and the potential impact this lack of collaboration may have on the success of the initiative.”[17] They also mention the paucity of private sector input in CNCI as a weakness of the initiative, seeing how much of the ownership for U.S. critical infrastructure is outside of government entities. 

DHS has attempted to ameliorate at least part of the congressional concerns via “Project 12.” Under this project, representatives of the private sector apparently met with DHS officials from February to May of this year and discussed cyber-intrusions.[18] The idea was to initiate a pattern of sharing information between the government and industry about cyber threats. Right now, the private sector is charged with monitoring its networks, while the government monitors federal ones, but critics are worried that the government could start monitoring the private sector. According to Jim Dempsey, the vice president of the Center for Democracy and Technology, “The administration has already crossed the line in giving the NSA too much power to monitor its unclassified system,” an agency that he claims “operates in secret and is bent on stealing information.”[19]

Government officials further have attempted to assuage fears of civil liberties violations. Robert Jamison, undersecretary of the National Protection and Programs Directorate within the DHS, assured the House Committee on Homeland Security at a hearing in February that “privacy and civil rights have been a top focus of this.”[20] At the same hearing, Karen Evans, administrator of e-government and IT at the White House Office of Management and Budget (OMB), added, “[W]e have been doing all of these activities in a very transparent way.”[21]

Both the House and the Senate have criticized the CNCI’s over-classification. In the report that accompanied the Senate Armed Services Committee’s mark-up of the FY 09 defense authorization, the committee noted, “A chief concern is that virtually everything about the initiative is highly classified, and most of the information that is not classified is categorized as 'For Official Use Only.' These restrictions preclude public education, awareness, and debate about the policy and legal issues, real or imagined, that the initiative poses in the areas of privacy and civil liberties.”[22] And the House Intelligence Committee pointed out, “The committee finds a cybersecurity initiative worthwhile in principle, but the details of the CNCI remain vague and, thus, open to question.”[23] In fact, the House committee had such trepidation about the CNCI that it called for the establishment of a “Comprehensive National Cybersecurity Initiative Advisory Panel” that would be comprised of private sector, government, and Congressional representatives, with the goal of creating “policy and procedural recommendations” for fulfilling PD-54/HSPD-23.[24] 

Cybersecurity is a serious issue and must be treated as such by the government and the private sector.  However, any time such secrecy surrounds literally tens of billions of dollars, there exists the very real chance that at best, the money will be misused.  Understandably, government officials tend to be rather tight-lipped when it comes to intelligence programs. But in order for Congress to fulfill its constitutional role of oversight, the White House and the other branches of government must be willing to cooperate in order to ensure that the CNCI funding is used appropriately. 

 



[1] Matt Korade, “Intelligence Bills Zero In on Cybersecurity, but Interrogation Debate Threatens Enactment,” Congressional Quarterly Homeland Security, June 2, 2008.

[2] The White House, “The National Strategy to Secure Cyberspace,” February 2003, The White House – President George W. Bush, http://www.whitehouse.gov/pcipb/.

[3] Ibid, Executive Summary.

[4] Ibid.

[5] Ibid, Introduction.

[6] “Fact Sheet: Protecting Our Federal Networks Against Cyber Attacks,” Department of Homeland Security, April 8, 2008, (accessed July 15, 2008).

[7] Korade ibid.

[8] Bradley Olsen, “Cyber security plans assailed: Congress challenges secretive nature of computer safeguards,” Baltimore Sun, May 18, 2008; Andy Greenberg, “Behind ‘Project 12’: The government tries a new approach to fighting cyber-threats,” Forbes, March 7, 2008.

[9] Siobhan Gorman, “NSA to Defend Against Hackers; Privacy Fears Raised as Spy Agency Turns to Systems Protection,” Baltimore Sun, September 20, 2007.

[10] Letter by Senators Joe Lieberman, I-Conn., and Ranking Member Susan Collins, R-Maine, to Secretary of Homeland Security Michael Chertoff, May 1, 2008, http://hsgac.senate.gov/public/index.cfm?Fuseaction=PressReleases.Detail&PressRelease_id=a32aba11-4443-4577-b9a5-3b2ea2c2f826&Month=5&Year=2008&Affiliation=C/.

[11] U.S. Department of Homeland Security, “Statement by Homeland Security Secretary Michael Chertoff on the Appointment of the Director of the National Cyber Security Center,” Department of Homeland Security Press Release, March 20, 2008, http://www.dhs.gov/xnews/releases/pr_1206047924712.shtm/.

[12] Ibid.

[13] Ibid.

[14] Jaikumar Vijayan, “Feds downplay privacy fears on plan to expand monitoring of government networks: DHS,” ComputerWorld, February 28, 2008.

[15] Ibid.

[16] U.S. Department of Homeland Security, “Department of Homeland Security, National Protection and Programs Directorate, Homeland and Non-Homeland Allocation by Program/Project Activity,” Department of Homeland Security Budget Request for Fiscal Year 2009, February 2008, http://www.dhs.gov/xlibrary/assets/budget_fy2009.pdf/.

[17] Lieberman and Collins, ibid.

[18] Greenberg, ibid.

[19] Ibid.

[20] Vijayan, ibid.

[21] Ibid.

[22] Carlo Muñoz, “House Intel Committee Proposes Cybersecurity Advisory Panel,” Inside the Pentagon, May 29, 2008.

[23] Tim Starks, “House Intelligence Panel Says President's Tardy Consultation Violated Law,” Congressional Quarterly Today, May 22, 2008.

[24] Office of Congressman Silvestre Reyes, D-Texas, “REYES: House Intelligence Committee Approves Funding for Intelligence Operations and Critical Oversight (May 8, 2008),” Congressional Documents and Publications, May 8, 2008.

 
