Understanding America's Comprehensive National Cybersecurity Initiative
There is a world of difference between information that's unclassified (meaning available to everyone, usually through the press) and classified (meaning I could tell you, but then I'd have to have someone kill you).
Recently, The New York Times crossed into classified territory by publishing a detailed back story about the Stuxnet virus, claiming deep involvement by the U.S. government and Presidents Bush and Obama.
See also: NY Times claims US released Stuxnet with Israel and it accidentally escaped
We still don't have verifiable confirmation that The Times' report is true, but the fact that members of Congress are calling for hearings into the leaking of classified information does tend to support the credibility of the Times' story.
There's still a lot to discuss about the policy and strategy of the alleged Stuxnet attacks, but first I'd like to start with a discussion of where such an action might fit within the American government's stated cyberspace strategy.
To that end, it will be instructive to explore the Comprehensive National Cybersecurity Initiative (CNCI). This initiative was launched by the second President Bush in National Security Presidential Directive 54 and Homeland Security Presidential Directive 23 back in January 2008.
According to the White House, there are 12 mutually-reinforcing initiatives that are intended to establish a front line of defense against today’s immediate threats, to defend against the full spectrum of threats, and to strengthen the future cybersecurity environment.
Let's look at each of them, one-by-one.
INITIATIVE #1 -- Manage the Federal Enterprise Network as a single network enterprise with Trusted Internet Connections. This is about consolidating our external access points and creating common security solutions across agencies.
INITIATIVE #2 -- Deploy an intrusion detection system of sensors across the Federal enterprise. This is a passive system that watches traffic and helps notify us about unauthorized network intrusions. DHS is deploying signature-based sensors as part of the EINSTEIN-2 (PDF) capability, with notification going to US-CERT.
INITIATIVE #3 -- Pursue deployment of intrusion prevention systems across the Federal enterprise. This takes it up a notch with EINSTEIN-3 (PDF) and not only detects intrusions, but actively prevents intrusions into federal systems. This will have serious zero-day and real-time counter-threat capabilities.
INITIATIVE #4 -- Coordinate and redirect research and development (R&D) efforts. This initiative serves to help us get all of our R&D efforts working together, with a better communications and tasking infrastructure. It's an important part of utilizing our resources and our smartest people to the best of their abilities.
INITIATIVE #5 -- Connect current cyber ops centers to enhance situational awareness. This is our key threat-data sharing initiative.
The National Cybersecurity Center (NCSC) within Homeland Security is helping secure U.S. Government networks and systems under this initiative by coordinating and integrating information from the various centers to provide cross-domain situational awareness, analysis, and reporting on the status of our networks. As a side-effect, it's also designed to help our various agencies play better with each other.
INITIATIVE #6 -- Develop and implement a government-wide cyber counterintelligence (CI) plan. We're now coordinating activities across all Federal Agencies so we can detect, deter, and mitigate foreign-sponsored cyber intelligence threats to government and private-sector IT.
INITIATIVE #7 -- Increase the security of our classified networks. Our classified networks contain our most valuable and most secret defense and warfighting information. We're continuing to work hard in securing these networks against the changing threat model.
INITIATIVE #8 -- Expand cyber education. This is where the Comprehensive National Cybersecurity Initiative begins to break down, because it's where all modern cyberdefense breaks down -- the people.
We're training more and more cyberdefense experts, but we also need to expand that education up and down government, to corporations, and to individuals.
We can have the very best-trained cyberdefense expert in a corporation, say, and it'll all break down if the CEO won't allocate the time or funds to conduct that defense. It's all about making everyone know just how real these threats are.
INITIATIVE #9 -- Define and develop enduring "leap-ahead" technology, strategies, and programs. We'll talk more about future directions later, but the idea of leap-ahead is to get 5 to 10 years ahead of the bad guys and explore out-of-the-box thinking in building a better cyberdefense. This is good stuff, and it's the first CNCI initiative that, essentially, opens the door to concepts like Stuxnet (or what The Times claimed the White House called "Olympic Games").
INITIATIVE #10 -- Define and develop enduring deterrence strategies and programs. Put simply, because of the wildly asymmetric nature of the threat, we can't have a mutually-assured destruction option with cyberattack, the way we do with nuclear attack. We're working on developing deterrence strategies, but we're not there yet, a fact which is sadly all too evidenced by constant level of cyberattack, breach, and threat we find ourselves experiencing.
INITIATIVE #11 -- Develop a multi-pronged approach for global supply chain risk management. This area should be one of our biggest concerns. Most Americans get their computers from suppliers who use processors, motherboards, and components made outside the United States -- and often in China.
China, as we've seen repeatedly, is one of our most challenging "frenemies". They're clearly important to us financially, but they're also one of the leading sources of cyberattack (and, quite frankly, could be behind the one we’re dealing with now).
This initiative, though, isn't just about China. Our components and our supplies must be insulated from foreign influence and unapproved modification.
INITIATIVE #12 -- Define the Federal role for extending cybersecurity into critical infrastructure domains. The federal government is relying more and more on private sector services. For example, the Department of Interior is about to start using Google for its email infrastructure.
This initiative encourages public/private-sector cooperation to extend Federal-systems cybersecurity into the wider cyber-infrastructure.
As you can see, in just this one comprehensive initiative (really a collection of initiatives), the U.S. government is mostly discussing a defense and containment strategy. That said, even within the scope of defense and containment, there is at least one initiative that opens the door to offensive and espionage-related activities.