U.S. Cyber Strategy Still A Bit Mushy

Sunday, September 19th, 2010

More than a year after President Obama made a White House speech proclaiming the protection of computer networks a national priority, the federal government is still grappling with key questions about how to secure its computer systems as well as private networks deemed critical to U.S. security.

The administration unveiled a cyberspace policy review last year, and Obama appointed a White House cyber coordinator in December to synchronize the government’s efforts.

But the administration is still debating whether it needs new legal authorities – to strengthen the government’s ability to defend private-sector networks, for example – or whether current law allows such actions. Meanwhile, critics say officials have not adequately assuaged privacy concerns or determined the extent to which the government should regulate or collaborate with the private sector to ensure that telecommunications companies, electric utilities and other critical industries are protected against hackers.

Congress, meanwhile, has crafted dozens of bills with varying prescriptions to improve the country’s cyber security – including one that would place new security requirements, enforceable by the federal government, on certain elements of critical private-sector networks – but the White House has yet to weigh in with a position on any of them.

“There’s a degree of caution about what direction to move, how far to move,” said James A. Lewis, a national security expert at the Center for Strategic and International Studies. “You’ve got a lot of agreement on what the problem is but very little agreement on the solution, both within the government and outside.”

Officials have warned of the dangers of failing to address the threat, saying that a sophisticated cyber attack could cripple U.S. computer networks and threaten the nation’s economic security.

The Pentagon’s second-in-command, Deputy Secretary William J. Lynn III, recently stated that more than 100 foreign intelligence organizations are trying to hack into the military’s digital networks. Indeed, the Pentagon has been battling a series of significant and long-standing intrusions into military networks by foreign adversaries looking to steal secrets worth potentially billions of dollars in terms of information technology and development of military capability, sources said.

Lynn asserted that the threat to the intellectual property of businesses, universities and the government may be “the most significant cyber threat” facing the country.

The president’s cyber coordinator, Howard Schmidt, said in an interview that the administration was deliberating the appropriate regulatory role for the federal government but that the emphasis must be on collaboration.

“It’s very clear,” he said. “We’ve recognized it’s a partnership.”

He noted that officials have reduced the number of government “gateways” to the Internet, which makes network monitoring easier; begun connecting federal network security centers so that technicians can better see what’s happening on computers across the government; and crafted a national cyber-emergency response plan.

Schmidt has also touted a proposal to enable computer users, if they wish, to obtain a “smart identity card” that authenticates their identities for online banking and other online transactions.

“Are we more secure than last year? Absolutely,” he said. “Is the private sector more engaged? Absolutely. We’re better off now than we have been, and we’ll continue to strive to get better.”

One sign of the private sector’s engagement is the growing number of leading technology companies that, spurred by government contracting rules, have adopted a common lexicon to describe computer configurations and vulnerabilities. The increasing adoption of these protocols by firms such as Symantec, McAfee and Microsoft is making more feasible the automated monitoring of networks to detect and patch vulnerabilities more rapidly, officials say.

The Department of Homeland Security – which is responsible for protecting civilian government systems and helping to secure commercial networks – would like to see such “continuous monitoring” applied across the entire federal government and beyond, said Phil Reitinger, deputy undersecretary of the National Protection and Programs Directorate.

“We certainly want to build out a fundamentally more secure ecosystem that can be adopted by the private sector as well,” he said.

Despite such advances, experts say DHS remains beset by bureaucratic challenges, a lack of authority to demand results from civilian agencies and a plethora of other priorities, including combating domestic terrorism and securing the borders.

DHS has struggled to implement Einstein 3, a program that is supposed to detect and block malicious software before it enters government networks.

More than a year after the department said it was moving forward, the program remains in pilot mode, in part because DHS has been unsure whether to use technology from private industry or from the ultra-secret National Security Agency. The agency has powerful electronic surveillance capabilities, but its involvement might raise privacy concerns.

Civil liberties advocates, for instance, are wary of any potential effort to extend government monitoring to the private sector.

Defense officials believe that the NSA’s advantage over industry is its ability under law to infiltrate adversaries’ computers overseas to obtain never-used malicious code. The NSA can then attempt to ensure those codes are blocked from military networks.

But telecom companies say they have vast data sets of malicious code that they have amassed over years of monitoring their own networks for threats.

The NSA technology is being tested at the Agriculture Department on the networks of the telecommunications giant AT&T. But DHS has made no decision on deployment, said an industry official. “They don’t have a plan,” the official said. “They keep going around in circles.”

Reitinger acknowledged that DHS is still developing its Einstein 3 strategy but said, “We’re moving forward as rapidly as possible.”

At the Defense Department, the U.S. Cyber Command has been launched to protect military networks, leveraging the NSA’s abilities. But even Cyber Command, led by NSA’s director, Gen. Keith Alexander, must work through concerns over privacy, private-sector liability and legal authorities.

Perhaps nowhere is this more pronounced than in the debate over how to ensure that critical industries are protected.

In June, Deputy Secretary Lynn directed the development of a voluntary pilot program with defense contractors in which a consortium of Internet service providers would monitor companies’ traffic for threats, using malware signatures and other data provided by the Defense Department, according to industry officials.

Companies have raised concerns, including over cost, and they fear it could become an unfunded mandate. Some firms feel that they could do the job themselves if the government would provide them with timely data.

But technical measures alone will fail without bolder steps globally, argued Rob Knake, a cyber expert formerly at the Council on Foreign Relations who now works at DHS. The White House should establish a “declaratory policy” that puts adversaries on notice as to how it will view aggressive acts, he said. “We’re simply being outmaneuvered in the international forums that will determine the future of the Internet, by China, Russia and other countries.”

By Ellen Nakashima

Read more at http://www.washingtonpost.com/wp-dyn/content/article/2010/09/16/AR2010091606745.html