November 24, 2008

Government Plans Top Secret HSPD-23 Program for Enhancing Information Assurance


Blogger: Doug Simmons

This week I attended the “Information Assurance and Enabling Identity Management – Security 2008” conference. In light of Burton Group’s research plans to emphasize “Critical infrastructure protection and process networks” as a theme in 2009, I was very interested in the keynote address. The keynote speaker was Steve Chabinsky, Deputy Director, Office of the Director of National Intelligence. There were about 200-250 people in attendance.


Some of Mr. Chabinsky’s more compelling comments were that he believes we “as a nation” have been seduced by technology. This has led us to become lazy, weak and vulnerable. It appears that our “economic supremacy” relies on untrustworthy technology, and that technologies have not kept pace with the threat. As a result, the U.S. is facing a grave economic and security challenge from a growing array of actors, including well-resourced and persistent adversaries. We have “weak situational awareness.” We either change the path that we’re on “or we lose.”
Mr. Chabinsky then briefed the audience on the Comprehensive National Cyber Security Initiative (CNCSI) – HSPD-23. This directive is classified at the top secret level, but calls for a national priority and plan for action. The directive considers the full spectrum of threat vectors - network, supply chain, vendor, mission bridge networks - to address threats, both insider and external.
In brief, HSPD-23 has 12 initiatives:


1. Reduce government portals connected to the Internet to fewer than 100. Currently there are 4,500 portal connections to the Internet. A consolidation effort is planned, and the end result will be a single, integrated line of defense to government networks.
2. Deploy an intrusion detection system called Einstein II across the civilian-supported networks. This does not include intrusion prevention and is dependent on initiative 1 above.
3. Deploy an intrusion prevention system called Einstein III, which will block or mitigate intrusions.
4. Coordinate and redirect government-funded R&D for cyber activities, possibly through a CTO-level Federal position.
5. Connect current cyber operational centers to share malicious activity information, in order to have an understanding of the entire threat. Mission bridging – leveraging and sharing of cyber defense information across agencies. Shared standards and procedures.
6. Define a government cyber counter intelligence plan.
7. Increase security of classified networks.
8. Expand cyber education. Academic programs teaching techniques and tools to all agencies, encouraging best practices. Even goes to civilian education, K-12, etc.
9. Define leap-ahead security strategies and programs. Get ahead of the bad guys, don’t just play catch up. Look at newer technologies.
10. Define and develop enduring deterrent strategies and programs. Group to be populated by a broad group of experts.
11. Develop a multi-pronged approach for global supply chain risk management. This is perhaps the most challenging of the initiatives. Threats include counterfeit hardware and software provided by small and large suppliers from around the world. Supply chain and risk management standards are necessary.
12. Extend cyber security into critical private domains. Emphasis on getting the government’s “act in order”, then working with the private sector to coordinate dialogue and approaches on cyber security.


Funding is being considered, and the “powers” behind the initiative are meeting almost daily with the executive and legislative branches to gain the appropriate funding for these initiatives. Mr. Chabinsky is pretty optimistic that the appropriate funding will be found despite the current wars and state of the economy.


This initiative, of course, opens up a whole host of issues and concerns about the Federal government’s ability to “get its act together” any time soon – before a significant, “world-changing” breach occurs. Coupled with this concern is that of the protection of U.S. citizens’ civil liberties. What will the over-arching security measures dictate with respect to “national security” at the expense of personal privacy? These are not new questions, but the fact that the directive is gaining so much attention, while remaining top secret, leaves a lot of room for further investigation and analysis by companies such as Burton Group.


Comments

The conference that you attended sounds interesting. Below is my brief take on his key points.
One can appreciate Mr. Chabinsky’s desire to propel security procedures and IT uses to the next level. Unfortunately, if there is a complete reduction in portals used, does this not also pose a risk? There is a certain vulnerability to having too few ports as well.
Vertical transparency is a well applauded concept as well, if everyone plays well in the proverbial sandbox.
Supply chain standards will be best suited to have risk mitigation built in and stringent enforcement policies as backup.
My belief is that we have not become lazy or weak through reliance on technology. Rather, those who do not advance internally by becoming integrators of old and new technologies have hindered the system. Because of this, we are going through teething pains with the emergence of each new piece of technology.

The points you bring up are valid. However, because the federal government as a whole didn’t do “the right thing” by integrating and standardizing the online services offered by all agencies from Day One, they have to scramble to plug the myriad security holes. I guess we can be sure that many, many people will have input to the strategy and that most, if not all, of the issues associated with the dichotomy of horizontal scalability coupled with vertical security will be addressed at some point. It will be interesting to see how this plays out, and it will likely take a couple of years before the issues and concerns are addressed sufficiently.
