[Infowarrior] - Bush's Cyber Secrets Dilemma

Richard Forno rforno at infowarrior.org
Tue Apr 15 03:41:46 UTC 2008


Security
Bush's Cyber Secrets Dilemma
Andy Greenberg, 04.10.08, 7:40 PM ET

SAN FRANCISCO, CALIF. -

http://www.forbes.com/2008/04/10/cyber-security-initiative-cx_tech_security_cx_ag_0410cyber_print.html

There's a problem facing the Bush administration: It has $30 billion to
spend over the next five to seven years to keep the U.S. safe from hackers
and cyberspies. But to extend that protection to the nation's critical
infrastructure--including banks, telecommunications and transportation--it
needs the cooperation of the private sector.

And among corporate executives, even those who want to help are wary: How
can the business world participate in the government's cyber initiative,
they ask, if the government remains intensely secretive?

"There's very little transparency as to the government's plans," says Bruce
McConnell, a former information technology policy director for the White
House's Office of Management and Budget who now works as a private
consultant. "To protect critical infrastructure, we need to create
trustworthy mechanisms for sharing information. That can't happen when one
side's position is secret."

That call for transparency was a common refrain this past week at the
security industry's biggest gathering, the annual RSA conference held in San
Francisco. The government has plenty of money tagged to the Bush
administration's classified Presidential Directive 54, the plan for shoring
up the cyber defenses of the U.S. government. But any extension to key parts
of the private sector, according to former officials and security
professionals, could be hamstrung by the government's own secrecy.

The need for private sector partnership was a new wrinkle in Department of
Homeland Security (DHS) Secretary Michael Chertoff's speech on the cyber
initiative at the conference--one of the first public discussions of the
classified program. Chertoff asked the audience to imagine a situation in
which hackers took control of the nation's air traffic control system,
comparing the threat to the Sept. 11th attacks. "So many of our national
assets are in the hands of the private business," he said. "We can't be
serious about national security or national cyber security without engaging
with the private sector, and not just those in IT, but power plants,
financial systems and transportation."

But given that much of the cyber initiative remains classified--including
key details like the anatomy of the government's new network monitoring
technology and the degree to which it will be deployed on private sector
networks--building trust with the private sector will be difficult,
McConnell argues. The problem, he says, is the little-discussed role of the
National Security Agency in the project, in partnership with the DHS and the
Office of the Director of National Intelligence.

"The intelligence community, which is leading this effort, has a tradition
of overclassifying information," McConnell says. "So it's not surprising
that there's an inappropriate level of classification in an area, which
deserves broad public debate."

The Bush administration's cyber initiative, signed by the president in early
January, aims to increase surveillance of government networks, which have
suffered multiple major intrusions in recent years. But the vulnerability of
critical infrastructure systems, mostly owned by the private sector, has
slowly emerged as a real threat to national security. Over the past two
years, cybercriminals extorted hundreds of millions of dollars from critical
infrastructure companies, according to Alan Paller, director of the SANS
Institute, an organization that hosts a crisis center for hacked companies.
(See: America's Hackable Backbone). In January, a CIA official told a
conference of cybersecurity professionals that power outages affecting
multiple non-U.S. cities had been the work of hackers. (See: Hackers Cut
Cities' Power).

Marcus Sachs, the executive director of national security policy at Verizon,
was hopeful that Chertoff's appeal to the private sector at RSA might mean
more information sharing with those critical infrastructure systems. But so
far, he says, details on the cyber initiative have been held closely within
the government. "They're acting like they have a family problem that they
can't tell the neighbors about," he says. "We feel like we're absolutely
ready to help out, but the family in distress doesn't want our help."

Last May, the DHS released a National Infrastructure Protection Plan (NIPP)
designed to create channels for security collaboration between the
government and business. Those channels, says Sachs, aren't being used. In
March, Forbes.com obtained a document revealing a piece of the cyber
initiative known as Project 12, which former officials say is designed to
create channels for sharing classified information between government and
critical infrastructure. But Project 12 is only a small piece, says Sachs.
(See: Show Me Your Cyberspies, I'll Show You Mine).

"At the very least, there are eleven other projects, and we don't know
anything about those," Sachs says. "I think we'd all like to learn a little
more."

Laura Sweeney, a DHS spokesperson, countered that it's still too early to
judge how the cyber initiative deals with the private sector--the project is
still focused on securing government networks, she argued. But she pointed
to NIPP as evidence that the government can successfully work with private
industry, even when trading in classified data. "For now we're focused on
getting our own house in order," she said. "But we've realized that the
private sector will be an incredibly important partner moving forward."

But the disconnect between the private sector and government is a familiar
problem, says Howard Schmidt, a former Air Force and DHS official who has
also held jobs at eBay and Microsoft. "When I was working with a
corporation, I would hear from the government about a new attack pattern,
and because it was classified, I wouldn't be able to share it with my IT
people," he says. "It's a very real problem."

Despite Chertoff's comments about private sector partnership and Project
12's initial attempt to open communication, that old problem of
overclassification still afflicts the cyber initiative, says Schmidt. "When
I think about what I would do to secure government networks--things like
intrusion protection, strong authentication, event correlation and data
analysis--none of it would be classified," he says. "This decision about
what to classify is a very big deal, and it's something that the government
has got to fix."




More information about the Infowarrior mailing list