U.S. Declassifies Part of Secret Cybersecurity Plan

The Obama administration declassified part of the government's cybersecurity plan Tuesday, publishing parts of it that discuss intrusion detection systems for federal computer networks and the government's role in securing critical infrastructure.

The declassification announcement was made by Howard A. Schmidt, a former Microsoft security executive who in December was appointed cybersecurity coordinator by President Barack Obama. Schmidt was speaking at the RSA Security Conference in San Francisco, an annual industry conference for computer security professionals.

The government's Comprehensive National Cybersecurity Initiative was launched in 2008 by President George W. Bush under a shroud of secrecy. The plan has 12 directives that cover the government's strategy to protect U.S. networks -- including military, civilian, government networks and critical infrastructure systems -- as well as the government's offensive strategy to combat cyberwarfare.

Civil libertarians criticized the Bush administration for failing to disclose the contents of the plan or allowing independent oversight of its implementation. Schmidt said that Obama recognized the need for some transparency.

"There are a lot of legal issues about what we're doing," he told the 2,000-member audience, adding that the government was currently working on a list of about 40 legal questions related to the cybersecurity initiative.

Obama said last May that he planned to appoint a separate official to ensure that the implementation of the cybersecurity plan doesn't violate privacy and civil liberties and insisted that the government's plan would not include spying on the public.

"Our pursuit of cybersecurity will not include -- I repeat, will not include -- monitoring private sector networks or internet traffic,"he said. "We will preserve and protect the personal privacy and civil liberties that we cherish as Americans."

A White House spokesman said Tuesday that the administration had appointed Tim Edgar to oversee the privacy aspects of the cybersecurity initiative. Edgar, a former attorney for the American Civil Liberties Union, has been working as the deputy for civil liberties for the Civil Liberties and Privacy Office of the Office of the Director of National Intelligence.

The declassified portion of the plan published Tuesday includes information on only part of the initiative and does not discuss cyberwarfare. The plan instead discusses the deployment of Einstein 2 and Einstein 3, intrusion detection systems on federal networks designed to inspect internet traffic entering government networks to detect potential threats.

DHS (Department of Homeland Security) is deploying, as part of its EINSTEIN 2 activities, signature-based sensors capable of inspecting Internet traffic entering Federal systems for unauthorized accesses and malicious content. The EINSTEIN 2 capability enables analysis of network flow information to identify potential malicious activity while conducting automatic full packet inspection of traffic entering or exiting U.S. Government networks for malicious activity using signature-based intrusion detection technology.... EINSTEIN 2 is capable of alerting US-CERT in real time to the presence of malicious or potentially harmful activity in federal network traffic and provides correlation and visualization of the derived data....

The EINSTEIN 3 system will also support enhanced information sharing by US-CERT with Federal Departments and Agencies by giving DHS the ability to automate alerting of detected network intrusion attempts and, when deemed necessary by DHS, to send alerts that do not contain the content of communications to the National Security Agency (NSA) so that DHS efforts may be supported by NSA exercising its lawfully authorized missions.

The Einstein programs have raised concerns among privacy and civil liberties groups, such as the Center for Democracy and Technology, because they involve scanning the content of communications to intercept malicious code before it reaches government networks.

In 2008, the Department of Homeland Security’s Privacy Office published a Privacy Impact Assessment on early versions of Einstein 2 (.pdf) but has not published one on Einstein 3. The assessment left many questions unanswered, such as how much of a role the National Security Agency will play in the programs and whether information obtained in scans be shared with law enforcement or intelligence agencies.

What may be the most controversial part of the declassified plan is a discussion of a need for the government to define its role in protecting private critical infrastructure networks. Critical infrastructure includes the electrical grid, telecommunication networks, internet service providers, the banking and financial industry, and others.

The document indicates that DHS and private-sector businesses have already "developed a plan of shared action with an aggressive series of milestones and activities" but doesn't discuss the nature of those shared actions other than to say that the two sectors are focused on developing a "public-private sharing of information regarding cyberthreats and incidents."

The U.S. Government depends on a variety of privately owned and operated critical infrastructures to carry out the public’s business. In turn, these critical infrastructures rely on the efficient operation of information systems and networks that are vulnerable to malicious cyberthreats. This Initiative builds on the existing and ongoing partnership between the Federal Government and the public and private sector owners and operators of Critical Infrastructure and Key Resources (CIKR).... It addresses security and information assurance efforts across the cyberinfrastructure to increase resiliency and operational capabilities throughout the CIKR sectors.

Additionally, the plan calls for a strategy to increase the security of classified networks and to develop and implement a government-wide cybercounterintelligence (CI) plan, but provides little detail about what that would involve.

"A government-wide cybercounterintelligence plan is necessary to coordinate activities across all Federal Agencies to detect, deter, and mitigate the foreign-sponsored cyberintelligence threat to U.S. and private sector information systems," the plan says. "To accomplish these goals, the plan establishes and expands cyber CI education and awareness programs and workforce development to integrate CI into all cyber operations and analysis, increase employee awareness of the cyber CI threat, and increase counterintelligence collaboration across the government."

Photo: huertk/Flickr

See also:

• Cyberwar Hype Intended to Destroy the Open Internet
• Obama Says New Cyberczar Won't Spy on the Net
• Obama Appoints Former Microsoft Security Chief New Cybersecurity Czar
• Obama Promises New Era of Openness
• Obama Cybersecurity Report Addresses Critical Infrastructure and Privacy Issues