Comprehensive National Cybersecurity Initiative

On Tuesday, the White House published an unclassified summary of its Comprehensive National Cybersecurity Initiative (CNCI). Howard Schmidt made the announcement at the RSA Conference. These are the 12 initiatives in the plan:

  • Initiative #1. Manage the Federal Enterprise Network as a single network enterprise with Trusted Internet.
  • Initiative #2. Deploy an intrusion detection system of sensors across the Federal enterprise.
  • Initiative #3. Pursue deployment of intrusion prevention systems across the Federal enterprise.
  • Initiative #4: Coordinate and redirect research and development (R&D) efforts.
  • Initiative #5. Connect current cyber ops centers to enhance situational awareness.
  • Initiative #6. Develop and implement a government-wide cyber counterintelligence (CI) plan.
  • Initiative #7. Increase the security of our classified networks.
  • Initiative #8. Expand cyber education.
  • Initiative #9. Define and develop enduring "leap-ahead" technology, strategies, and programs.
  • Initiative #10. Define and develop enduring deterrence strategies and programs.
  • Initiative #11. Develop a multi-pronged approach for global supply chain risk management.
  • Initiative #12. Define the Federal role for extending cybersecurity into critical infrastructure domains.

While this transparency is a good, in this sort of thing the devil is in the details -- and we don't have any details. We also don't have any information about the legal authority for cybersecurity, and how much the NSA is, and should be, involved. Good commentary on that here. EPIC is suing the NSA to learn more about its involvement.

Posted on March 4, 2010 at 12:55 PM • 17 Comments

Comments

Volker HetzerMarch 4, 2010 1:33 PM

Sounds like some huge moloch.
IMHO Iniative #1 is almost guarenteed to fail, due to sheer size. Either it won't get completed or it won't be secure.

Initiative #9 is wishful thinking. Hackers leap ahead all the time and the gov hopes by doing its own leaps it lands anywhere near the hackers.

Sorry, someone appears to treat his as some conventional engneering or military problem. Looks like they'll have to learn the hard way.

jgrecoMarch 4, 2010 2:19 PM

Lesson #1 of 'cyber education' should be "Stop prefixing everything with 'cyber'".

Eric in PDXMarch 4, 2010 3:03 PM

I work with DOE as slave lab^H^H^H I mean contractor.

We've been hearing about #1 for quite some time.

The plans I've heard were to have three gateways to the Internet at key locations in the US.

Two issues I see (here anyway) are that DSL lines are in abundance and everyone has tether-able blackberrys

Nobody SpecialMarch 4, 2010 3:10 PM

So bring everything from nuclear launch codes to the traffic light bulb replacement guy's pager under one system.

With one giant TSA type organization in charge.

Nope, can't see any potential for massive screw up there.

PhillipMarch 4, 2010 3:31 PM

Initiative #7. Increase the security of our classified networks.

Great, how? With bubble gum?

ShaneMarch 4, 2010 3:42 PM

@Nobody

Seriously. Sounds like they're just giving future attackers one monolithic target to work on, as opposed to thousands of smaller ones.

Some 'summary' I might add. Buzzword bullet-points with absolutely zero actual meaning.

"Increase security,"... boy, ya think?

tauroidMarch 4, 2010 4:40 PM

sounds like an interesting idea too bad if it works it opens the door to an absolutely massive firesale (to quote hollywood) . while i applaude the gov for trying to fix its brokenness this is it incarnate folks

G-manMarch 4, 2010 6:25 PM

Initiative #7: Classified Networks are about as secure as they can be. These are well protected using NSA-approved encryption devices.

Problems arising out of classified networks almost always involve human error or a user willfully disregarding the security rules. The only way to improve the security of these is to put the money toward education and rule enforcement.

Clive RobinsonMarch 4, 2010 8:12 PM

OMG the Politico's have woken up and they think the stable door is open, not Pandora's casket.

#4 + #11 means "lets re-invent the Internet" and give it a "rainbow coloured hue" and thus bring it to heel...

Look on it as the Defense Industry reinvents it's self on the "second life" model, Let's call it "Tar warts 3".

If you thought 1200USD invoice for a 4USD lump hammer was bad value for money...

Essentialy this means open a bottomless pit in the ground and keep pouring tax payers money in.

There are two types of R&D we generaly see in industry,

1, Blue sky.
2, Product improvment.

And they aproximate to Primary and secondary patents respectivly.

Both generaly get crushed under foot by "red tape" when you try to put them in a "risk managment" staight jacket of a "managed" supply chain.

It also has all sorts of knock on effects in global trade restrictions.

The trick is to use the European Model not the US model, that is frameworks -v- specifics.

Frameworks generaly define specific interfaces at functional boundries which encorages a "modular" aproach which allows rapid inovation, test and update. The end to end method generaly encorages a "monolithic" aproach which discorages inovation because it's complex and slow to test and the whole gets replaced not a part.

This is especialy true when things are subject to unexpected change, It is a case of Mammals -v- Dinosaurs.

The hard part is designing frameworks that don't include "hard coded protocols" or "implicit assumptions" and thus treats exceptions and inovation as "expected" not "unexpected".

tylerMarch 5, 2010 1:40 AM

From my experience, #1 is a horrible idea. This will create more bureaucracy. In such organizations it only takes one "expert" in the right place in an organization to cause a lot of headache and in some cases security incidents and downtime. I have seen it in my own organization. A little knowledge is a dangerous thing, especially when it is used to make decisions.

WinterMarch 5, 2010 2:12 AM

Eh...

There are only three doors. And if you are inside, you must be authorized to be inside.

And about 50 million users can be legally inside?

Sounds like the security from a Disney movie. Enter castle, pretend to be a delivery boy, enter unlocked treasure room, take secret treasure, walk out of castle.

Must be secure.

ZMarch 5, 2010 5:11 AM

OT, Bruce:

www [dot] theregister.co.uk/2010/03/04/severe_openssl_vulnerability/

"Computer scientists say they’ve discovered a “severe vulnerability” in the world’s most widely used software encryption package that allows them to retrieve a machine’s secret cryptographic key."

RagaarMarch 5, 2010 7:38 AM

Documentation pertaining to the development of Einstein (project Tutelage).

Privacy Impact Assessment - Collecting, Analyzing, and Sharing Computer Security Information
Computer Emergency Readiness Team (US-CERT) September 2004

www [dot] dhs.gov/xlibrary/assets/privacy/privacy_pia_eisntein.pdf

Clive RobinsonMarch 5, 2010 9:26 AM

@ Z,

"Computer scientists say they’ve discovered a “severe vulnerability” in the world’s most widely used software encryption package that allows them to retrieve a machine’s secret cryptographic key."

It looks genuine enough but a few more details always helps ;)

It looks like a variation of the late 1990's Differential Power Analysis attack on smart cards.

Basically it's a form of time realted side channel attack.

When software branches etc it takes fractionaly different time periods or can trigger a cache reload etc all of which shows up on the power supply lines in one form or another.

You just have to dig your wanted signal out of all the other system noise. The simplest way to do this is to run the same thing over and over again and use a known trigger point to average out the unwanted noise and average up the wanted signal (in theory unsynchronised noise goes down in proportion to the square root of the number of samples you average so 6dB improvment for every doubling of the number of samples).

It is not just on the power supply lines you can see this.

I think it was Peter Guttman who showed a network packet time stamp attack on an AES key across the network due to cache hits.

If you remove "brain dead" software implementations. The two biggies that let security down are,

1, Side Channels.
2, Protocol Errors.

SSL has been hit by both of late and as has been pointed out by many SSL/TSL and related protocols are the foundation of Internet security and have been for neigh on 20years...

One can probably make the assumption that the likes of the NSA / GCHG et al have been aware of this for the last ten years or so at the very least.

And of course their life is made so much easier by "standard plaintext" in file headers such as MS Office documents etc.

Oh and then there is a new kid on the block for researchers to get their heads around which is "RF Fault Injection Attacks".

If you add the three types of attack together then this fault could be easily excersisable from outside the server room and seen on the network...

db CooperMarch 5, 2010 5:03 PM

I would have liked to seen end-user education listed as one of the initiatives.

For both gov't employees and the general public.

nanomMarch 8, 2010 7:55 AM

@Mark: thanks for your policy statement support. the govt will be reiterating it's platform at every opportunity, with the help of drones like you.

BF SkinnerMarch 8, 2010 8:24 AM

@nanom -
The gummint has a duty and obligation to protect it's networks and systems from exploitation. After all they have our data in there too.

The first model "It's unclassified who cares" failed.

The second model "We hired system administrators and they know everything necessary to secure systems" failed.

The third model "'Make the executive do security.' and all the agencies implemented security as they interpreted it." failed.

Reducing and controlling all the access points (and I have seen senior GS's setup internet gateways on their desktop--well it was a box under the desk.) to a select handful and watching that handful is logical. The agencies that did security right did this.

Concentrating intrusion detection and incident handling within a group that has time and resources to get really good at analysis and response is logical. I've seen "Incident handlers" who were collateral duty people. Which means their real job was server or database administration.

Einstein now (well E2 actually) different matter. I was an end user for a year and it was either really good or really weak mostly I saw hits for keyloggers on end users PC's (these would be citizens). My question was, and is, how did it get inside my TLS tunnel? Based on the nature of the intercept there was data that was only passed within the tunnel.

If it's a proxy it's one mighty big proxy. If it's mirroring traffic how did it get my key? Nobody i interviewed admitted/remembered giving it up and we didn't have an MOU.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..