Blogger: Doug Simmons
This week I attended the “Information Assurance and Enabling Identity Management – Security 2008” conference. In light of Burton Group’s research plans to emphasize “Critical infrastructure protection and process networks” as a theme in 2009, I was very interested in the keynote address. The keynote speaker was Steve Chabinsky, Deputy Director, Office of the Director of National Intelligence. There were about 200-250 people in attendance.
Some of Mr. Chabinsky’s more compelling comments were that he believes we “as a nation” have been seduced by technology. This has led us to become lazy, weak and vulnerable. It appears that our “economic supremacy” relies on untrustworthy technology, and that technologies have not kept pace with the threat. As a result, the U.S. is facing a grave economic and security challenge from a growing array of actors, including well-resourced and persistent adversaries. We have “weak situational awareness.” We either change the path that we’re on “or we lose.”
Mr. Chabinsky then briefed the audience on the Comprehensive National Cyber Security Initiative (CNCSI) – HSPD-23. This directive is classified at the top secret level, but it calls for a national priority and plan for action. The directive considers the full spectrum of threat vectors (network, supply chain, vendor, mission bridge networks) to address both insider and external threats.
In brief, HSPD-23 has 12 initiatives:
1. Reduce government portals connected to the Internet to fewer than 100. Currently there are 4,500 portal connections to the Internet. A consolidation effort is planned, and the end result will be a single, integrated line of defense to government networks.
2. Deploy an intrusion detection system called Einstein II across the civilian-supported networks. This does not include intrusion prevention and is dependent on initiative 1 above.
3. Deploy an intrusion prevention system called Einstein III, which will block or mitigate intrusions.
4. Coordinate and redirect government-funded R&D for cyber activities, possibly through a CTO-level Federal position.
5. Connect current cyber operational centers to share malicious activity information, in order to have an understanding of the entire threat. Mission bridging – leveraging and sharing of cyber defense information across agencies. Shared standards and procedures.
6. Define a government cyber counterintelligence plan.
7. Increase security of classified networks.
8. Expand cyber education. Academic programs teaching techniques and tools to all agencies, encouraging best practices. Even goes to civilian education, K-12, etc.
9. Define leap-ahead security strategies and programs. Get ahead of the bad guys, don’t just play catch up. Look at newer technologies.
10. Define and develop enduring deterrent strategies and programs. Group to be populated by a broad group of experts.
11. Develop a multi-pronged approach for global supply chain risk management. This is perhaps the most challenging of the initiatives. Threats include counterfeit hardware and software provided by small and large suppliers from around the world. Supply chain and risk management standards are necessary.
12. Extend cyber security into critical private domains. Emphasis on getting the government’s “act in order”, then working with the private sector to coordinate dialogue and approaches on cyber security.
Funding is being considered, and the “powers” behind the initiative are meeting almost daily with the executive and legislative branches to gain the appropriate funding for these initiatives. Mr. Chabinsky is pretty optimistic that the appropriate funding will be found despite the current wars and state of the economy.
This initiative, of course, opens up a whole host of issues and concerns about the Federal government’s ability to “get its act together” any time soon – before a significant, “world-changing” breach occurs. Coupled with this concern is that of the protection of U.S. citizens’ civil liberties. What will the over-arching security measures dictate with respect to “national security” at the expense of personal privacy? These are not new questions, but the fact that the directive is gaining so much attention, while remaining top secret, leaves a lot of room for further investigation and analysis by companies such as Burton Group.