Understanding America's Comprehensive National Cybersecurity Initiative

Summary: Even within the scope of defense and containment, there is at least one initiative that opens the door to offensive and espionage-related activities.

TOPICS: Security

There is a world of difference between information that's unclassified (meaning available to everyone, usually through the press) and classified (meaning I could tell you, but then I'd have to have someone kill you).

Recently, The New York Times crossed into classified territory by publishing a detailed back story about the Stuxnet virus, claiming deep involvement by the U.S. government and Presidents Bush and Obama.

See also: NY Times claims US released Stuxnet with Israel and it accidentally escaped

We still don't have verifiable confirmation that The Times' report is true, but the fact that members of Congress are calling for hearings into the leaking of classified information does tend to support the credibility of the Times' story.

There's still a lot to discuss about the policy and strategy of the alleged Stuxnet attacks, but first I'd like to start with a discussion of where such an action might fit within the American government's stated cyberspace strategy.

To that end, it will be instructive to explore the Comprehensive National Cybersecurity Initiative (CNCI). This initiative was launched by the second President Bush in National Security Presidential Directive 54 and Homeland Security Presidential Directive 23 back in January 2008.

According to the White House, there are 12 mutually-reinforcing initiatives that are intended to establish a front line of defense against today’s immediate threats, to defend against the full spectrum of threats, and to strengthen the future cybersecurity environment.

Let's look at each of them, one-by-one.

INITIATIVE #1 -- Manage the Federal Enterprise Network as a single network enterprise with Trusted Internet Connections. This is about consolidating our external access points and creating common security solutions across agencies.

INITIATIVE #2 -- Deploy an intrusion detection system of sensors across the Federal enterprise. This is a passive system that watches traffic and helps notify us about unauthorized network intrusions. DHS is deploying signature-based sensors as part of the EINSTEIN-2 capability, with notification going to US-CERT.

INITIATIVE #3 -- Pursue deployment of intrusion prevention systems across the Federal enterprise. This takes it up a notch with EINSTEIN-3 and not only detects intrusions, but actively prevents intrusions into federal systems. This will have serious zero-day and real-time counter-threat capabilities.

INITIATIVE #4 -- Coordinate and redirect research and development (R&D) efforts. This initiative serves to help us get all of our R&D efforts working together, with a better communications and tasking infrastructure. It's an important part of utilizing our resources and our smartest people to the best of their abilities.

INITIATIVE #5 -- Connect current cyber ops centers to enhance situational awareness. This is our key threat-data sharing initiative.

The National Cybersecurity Center (NCSC) within Homeland Security is helping secure U.S. Government networks and systems under this initiative by coordinating and integrating information from the various centers to provide cross-domain situational awareness, analysis, and reporting on the status of our networks. As a side-effect, it's also designed to help our various agencies play better with each other.

INITIATIVE #6 -- Develop and implement a government-wide cyber counterintelligence (CI) plan. We're now coordinating activities across all Federal Agencies so we can detect, deter, and mitigate foreign-sponsored cyber intelligence threats to government and private-sector IT.

INITIATIVE #7 -- Increase the security of our classified networks. Our classified networks contain our most valuable and most secret defense and warfighting information. We're continuing to work hard in securing these networks against the changing threat model.

INITIATIVE #8 -- Expand cyber education. This is where the Comprehensive National Cybersecurity Initiative begins to break down, because it's where all modern cyberdefense breaks down -- the people.

We're training more and more cyberdefense experts, but we also need to expand that education up and down government, to corporations, and to individuals.

We can have the very best-trained cyberdefense expert in a corporation, say, and it'll all break down if the CEO won't allocate the time or funds to conduct that defense. It's all about making everyone know just how real these threats are.

INITIATIVE #9 -- Define and develop enduring "leap-ahead" technology, strategies, and programs. We'll talk more about future directions later, but the idea of leap-ahead is to get 5 to 10 years ahead of the bad guys and explore out-of-the-box thinking in building a better cyberdefense. This is good stuff, and it's the first CNCI initiative that, essentially, opens the door to concepts like Stuxnet (or what The Times claimed the White House called "Olympic Games").

INITIATIVE #10 -- Define and develop enduring deterrence strategies and programs. Put simply, because of the wildly asymmetric nature of the threat, we can't have a mutually-assured destruction option with cyberattack, the way we do with nuclear attack. We're working on developing deterrence strategies, but we're not there yet, a fact which is sadly all too evidenced by the constant level of cyberattack, breach, and threat we find ourselves experiencing.

INITIATIVE #11 -- Develop a multi-pronged approach for global supply chain risk management. This area should be one of our biggest concerns. Most Americans get their computers from suppliers who use processors, motherboards, and components made outside the United States -- and often in China.

China, as we've seen repeatedly, is one of our most challenging "frenemies". They're clearly important to us financially, but they're also one of the leading sources of cyberattack (and, quite frankly, could be behind the one we’re dealing with now).

This initiative, though, isn't just about China. Our components and our supplies must be insulated from foreign influence and unapproved modification.

INITIATIVE #12 -- Define the Federal role for extending cybersecurity into critical infrastructure domains. The federal government is relying more and more on private sector services. For example, the Department of Interior is about to start using Google for its email infrastructure.

This initiative encourages public/private-sector cooperation to extend Federal-systems cybersecurity into the wider cyber-infrastructure.

As you can see, in just this one comprehensive initiative (really a collection of initiatives), the U.S. government is mostly discussing a defense and containment strategy. That said, even within the scope of defense and containment, there is at least one initiative that opens the door to offensive and espionage-related activities.


David Gewirtz, Distinguished Lecturer at CBS Interactive, is an author, U.S. policy advisor, and computer scientist. He is featured in the History Channel special The President's Book of Secrets and is a member of the National Press Club.

  • Nice Summary

    Not surprising we should have some sort of "comprehensive" initiative. I imagined we did but it was mostly confidential/secret. I wonder how we'd support a MAD strategy for computer attacks?

    Really, the US government needs totally isolated environments with complete TEMPEST systems running in Faraday cages for secret and above work, IMHO. Even better, the US government would have its own flavor of Windows/Linux/Etc specifically tailored to extra-secure computing.

    If I had a big concern, it would be the supply chain business. Seems to me that more and more of our strategic industrial capacity is moving overseas (specifically to China), and these countries (specifically China) may one day go to war with us. How would that work? Would they build our items for us still? I don't think so.
    • Supply chain

      It's the supply chain that worries me about much of America's interests. We get our motherboards from China, and our oil from the Middle East. We could produce both here...but we don't. Strategically, that might be a major failing.
      David Gewirtz
      • High Tech supply chain depends on Asia

        There's one confidential study that says 75 percent of our high-tech supply chain is dependent on China or China-influenced countries (Taiwan, etc.). The number goes to 95+ percent if you include Japan and South Korea which are vulnerable to Chinese aggression. In short, if China really got angry, they would have the US in a choke hold.

        And that doesn't include all of the automotive, industrial and consumer industries that would grind to a halt if the US were cut off from the Chinese manufacturing base. The US threat assessments all assume that if it happened, China would suffer as much as the US, but this is false. The political machine in China still dictates to the business leaders, not the other way around like it is in the US.
        terry flores
      • China is more of a financial threat than physical.

        @terry flores
        "In short, if China really got angry, they would have the US in a choke hold."

        China wouldn't want to destroy the U.S. because we owe them too much money. It would be like a loan shark having somebody killed rather than breaking their legs. You definitely don't get your money back if the person is dead.

        In addition, we are their biggest customer. We buy so much from China that their economy would crumble if we fell apart. That's the reason they gave us the loans. They need us even more than we need them.
      • Backdoors?

        With most of our consumer electronics, computer components and other devices being produced overseas, I wonder what the chance is that there's some current- or future-exploitable backdoor built in, say, to a computer's network adapter or BIOS, or a smart-TV's webcam?
  • Failure in Initiative #8?

    I am assuming that your comments about the NY Times publishing in-depth material about the Stuxnet virus is a failure in Initiative #8? The human factor is always the weakest link.
    Mike Hermes
  • The Human Factor will Screw the Pooch.

    No matter how well the Security Software is written and what directives are in place there is always going to be the person who thinks the directives don't apply to them or that it won't hurt if they do "it" just this once.

    I heard Stuxnet got in and out of the nuclear facility by transport of a USB between insecure and secured networks. I don't believe it was intentional.(?)

    The only reason we know about Stuxnet is because the programmer/authors left out the code telling Stuxnet not to propagate if not in the nuclear facility.

    Then we have the kid/troop burning CD/DVDs and turning the material over to Assange (effectively).

    Then there are the chips being made overseas. I guess it would be easier for a Frenemy to hard code overseas, but thinking something made within our own shores immune is foolishness. To allow free running paranoia it wouldn't be too hard for Intel to hide a couple of thousand circuits on even a small chip, at the Government's request of course.

    Trusted manufacturers? Sony and their Root Kit anyone? It's gotten easier, download an installer for a mainstream "app" or "plugin" and the installation file disappears after the install. The installer can be hammered with scanners before running but if it's a Zero Day, good luck.

    Stay ten years ahead of the Cyber threat? Five years? Good luck with that, we don't even know what's going to happen next year or even tomorrow.

    Vectors of threat? A new wireless network shows up on my list. Suddenly my laptop starts suffering random disconnects from my AP. So I Reavered the AP. Don't know what I'm going to do with the information, tempting to use it to see what's on connected machines, if they have attack software. So who is the Cyber threat here? Them who showed up and magically coincidentally I start having problems, or me taking only the first step in investigating "Occam's Razor" to those problems?

    Aren't we in murky waters?
    Rob Berman
    • Exactly...

      you have stated what we are facing in so many ways.