Cybersecurity: Progress Made but Challenges Remain...

"Cybersecurity: Progress Made but Challenges Remain in Defining and Coordinating the Comprehensive National Initiative"

In response to the ongoing threats to federal systems and operations posed by cyber attacks, President Bush established the Comprehensive National Cybersecurity Initiative (CNCI) in 2008. This initiative consists of a set of projects aimed at reducing vulnerabilities, protecting against intrusions, and anticipating future threats. GAO was asked to determine (1) what actions have been taken to develop interagency mechanisms to plan and coordinate CNCI activities and (2) what challenges CNCI faces in achieving its objectives related to securing federal information systems.

To do this, GAO reviewed CNCI plans, policies, and other documentation and interviewed officials at the Office of Management and Budget (OMB), Department of Homeland Security, and the Office of the Director of National Intelligence (ODNI), among other agencies. GAO also reviewed studies examining aspects of federal cybersecurity and interviewed recognized cybersecurity experts.

The White House and federal agencies have taken steps to plan and coordinate CNCI activities by establishing several interagency working groups. These include the National Cyber Study Group, which carried out initial brainstorming and information-gathering for the establishment of the initiative; the Communications Security and Cyber Policy Coordinating Committee, which presented final plans to the President and coordinated initial implementation activities; and the Joint Interagency Cyber Task Force, which serves as the focal point for monitoring and coordinating projects and enabling the participation of both intelligence-community and nonintelligence- community agencies. These groups have used a combination of status meetings and other reporting mechanisms to track implementation of projects. CNCI faces several challenges in meeting its objectives: (1) Defining roles and responsibilities. Federal agencies have overlapping and uncoordinated responsibilities for cybersecurity, and it is unclear where overall responsibility for coordination lies. (2) Establishing measures of effectiveness. The initiative has not yet developed measures of the effectiveness in meeting its goals. While federal agencies have begun to develop effectiveness measures for information security, these have not been applied to the initiative. (3) Establishing an appropriate level of transparency. Few of the elements of CNCI have been made public, and the rationale for classifying related information remains unclear, hindering coordination with private sector entities and accountability to the public. (4) Reaching agreement on the scope of educational efforts. Stakeholders have yet to reach agreement on whether to address broad education and public awareness as part of the initiative, or remain focused on the federal cyber workforce. Until these challenges are adequately addressed, there is a risk that CNCI will not fully achieve its goal to reduce vulnerabilities, protect against intrusions, and anticipate future threats against federal executive branch information systems. The federal government also faces strategic challenges beyond the scope of CNCI in securing federal information systems: (1) Coordinating actions with international entities. The federal government does not have a formal strategy for coordinating outreach to international partners for the purposes of standards setting, law enforcement, and information sharing. (2) Strategically addressing identity management and authentication. Authenticating the identities of persons or systems seeking to access federal systems remains a significant governmentwide challenge. However, the federal government is still lacking a fully developed plan for implementation of identity management and authentication efforts."

http://www.whitehouse.gov/the_press_office/Transparency_and_Open_Government/

http://www.whitehouse.gov/cybersecurity
http://www.rsaconference.com/2010/usa/index.htm
http://www.whitehouse.gov/administration/eop/nsc/cybersecurity
http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf
http://www.whitehouse.gov/cyberreview/documents

Quote:

http://www.whitehouse.gov/the-press-office/remarks-president-securing-our-nations-cyber-infrastructure

Home • Briefing Room • Speeches & Remarks

THE WHITE HOUSE
Office of the Press Secretary
______________________________________________________
For Immediate Release May 29, 2009

REMARKS BY THE PRESIDENT
ON SECURING OUR NATION’S
CYBER INFRASTRUCTURE
East Room
11:08 A.M. EDT
THE PRESIDENT: Everybody, please be seated. We meet today at a transformational moment — a moment in history when our interconnected world presents us, at once, with great promise but also great peril.

Now, over the past four months my administration has taken decisive steps to seize the promise and confront these perils. We’re working to recover from a global recession while laying a new foundation for lasting prosperity. We’re strengthening our armed forces as they fight two wars, at the same time we’re renewing American leadership to confront unconventional challenges, from nuclear proliferation to terrorism, from climate change to pandemic disease. And we’re bringing to government — and to this White House — unprecedented transparency and accountability and new ways for Americans to participate in their democracy.
But none of this progress would be possible, and none of these 21st century challenges can be fully met, without America’s digital infrastructure — the backbone that underpins a prosperous economy and a strong military and an open and efficient government. Without that foundation we can’t get the job done.

It’s long been said that the revolutions in communications and information technology have given birth to a virtual world. But make no mistake: This world — cyberspace — is a world that we depend on every single day. It’s our hardware and our software, our desktops and laptops and cell phones and Blackberries that have become woven into every aspect of our lives.

It’s the broadband networks beneath us and the wireless signals around us, the local networks in our schools and hospitals and businesses, and the massive grids that power our nation. It’s the classified military and intelligence networks that keep us safe, and the World Wide Web that has made us more interconnected than at any time in human history.

So cyberspace is real. And so are the risks that come with it.

It’s the great irony of our Information Age — the very technologies that empower us to create and to build also empower those who would disrupt and destroy. And this paradox — seen and unseen — is something that we experience every day.

It’s about the privacy and the economic security of American families. We rely on the Internet to pay our bills, to bank, to shop, to file our taxes. But we’ve had to learn a whole new vocabulary just to stay ahead of the cyber criminals who would do us harm — spyware and malware and spoofing and phishing and botnets. Millions of Americans have been victimized, their privacy violated, their identities stolen, their lives upended, and their wallets emptied. According to one survey, in the past two years alone cyber crime has cost Americans more than $8 billion.

I know how it feels to have privacy violated because it has happened to me and the people around me. It’s no secret that my presidential campaign harnessed the Internet and technology to transform our politics. What isn’t widely known is that during the general election hackers managed to penetrate our computer systems. To all of you who donated to our campaign, I want you to all rest assured, our fundraising website was untouched. (Laughter.) So your confidential personal and financial information was protected.

But between August and October, hackers gained access to emails and a range of campaign files, from policy position papers to travel plans. And we worked closely with the CIA — with the FBI and the Secret Service and hired security consultants to restore the security of our systems. It was a powerful reminder: In this Information Age, one of your greatest strengths — in our case, our ability to communicate to a wide range of supporters through the Internet — could also be one of your greatest vulnerabilities.

This is a matter, as well, of America’s economic competitiveness. The small businesswoman in St. Louis, the bond trader in the New York Stock Exchange, the workers at a global shipping company in Memphis, the young entrepreneur in Silicon Valley — they all need the networks to make the next payroll, the next trade, the next delivery, the next great breakthrough. E-commerce alone last year accounted for some $132 billion in retail sales.

But every day we see waves of cyber thieves trolling for sensitive information — the disgruntled employee on the inside, the lone hacker a thousand miles away, organized crime, the industrial spy and, increasingly, foreign intelligence services. In one brazen act last year, thieves used stolen credit card information to steal millions of dollars from 130 ATM machines in 49 cities around the world — and they did it in just 30 minutes. A single employee of an American company was convicted of stealing intellectual property reportedly worth $400 million. It’s been estimated that last year alone cyber criminals stole intellectual property from businesses worldwide worth up to $1 trillion.

In short, America’s economic prosperity in the 21st century will depend on cybersecurity.

And this is also a matter of public safety and national security. We count on computer networks to deliver our oil and gas, our power and our water. We rely on them for public transportation and air traffic control. Yet we know that cyber intruders have probed our electrical grid and that in other countries cyber attacks have plunged entire cities into darkness.

Our technological advantage is a key to America’s military dominance. But our defense and military networks are under constant attack. Al Qaeda and other terrorist groups have spoken of their desire to unleash a cyber attack on our country — attacks that are harder to detect and harder to defend against. Indeed, in today’s world, acts of terror could come not only from a few extremists in suicide vests but from a few key strokes on the computer — a weapon of mass disruption.
In one of the most serious cyber incidents to date against our military networks, several thousand computers were infected last year by malicious software — malware. And while no sensitive information was compromised, our troops and defense personnel had to give up those external memory devices — thumb drives — changing the way they used their computers every day.

And last year we had a glimpse of the future face of war. As Russian tanks rolled into Georgia, cyber attacks crippled Georgian government websites. The terrorists that sowed so much death and destruction in Mumbai relied not only on guns and grenades but also on GPS and phones using voice-over-the-Internet.
For all these reasons, it’s now clear this cyber threat is one of the most serious economic and national security challenges we face as a nation.

It’s also clear that we’re not as prepared as we should be, as a government or as a country. In recent years, some progress has been made at the federal level. But just as we failed in the past to invest in our physical infrastructure — our roads, our bridges and rails — we’ve failed to invest in the security of our digital infrastructure.
No single official oversees cybersecurity policy across the federal government, and no single agency has the responsibility or authority to match the scope and scale of the challenge. Indeed, when it comes to cybersecurity, federal agencies have overlapping missions and don’t coordinate and communicate nearly as well as they should — with each other or with the private sector. We saw this in the disorganized response to Conficker, the Internet “worm” that in recent months has infected millions of computers around the world.

This status quo is no longer acceptable — not when there’s so much at stake. We can and we must do better.

And that’s why shortly after taking office I directed my National Security Council and Homeland Security Council to conduct a top-to-bottom review of the federal government’s efforts to defend our information and communications infrastructure and to recommend the best way to ensure that these networks are able to secure our networks as well as our prosperity.

Our review was open and transparent. I want to acknowledge, Melissa Hathaway, who is here, who is the Acting Senior Director for Cyberspace on our National Security Council, who led the review team, as well as the Center for Strategic and International Studies bipartisan Commission on Cybersecurity, and all who were part of our 60-day review team. They listened to a wide variety of groups, many of which are represented here today and I want to thank for their input: industry and academia, civil liberties and private — privacy advocates. We listened to every level and branch of government — from local to state to federal, civilian, military, homeland as well as intelligence, Congress and international partners, as well. I consulted with my national security teams, my homeland security teams, and my economic advisors.

Today I’m releasing a report on our review, and can announce that my administration will pursue a new comprehensive approach to securing America’s digital infrastructure.

This new approach starts at the top, with this commitment from me: From now on, our digital infrastructure — the networks and computers we depend on every day — will be treated as they should be: as a strategic national asset. Protecting this infrastructure will be a national security priority. We will ensure that these networks are secure, trustworthy and resilient. We will deter, prevent, detect, and defend against attacks and recover quickly from any disruptions or damage.
To give these efforts the high-level focus and attention they deserve — and as part of the new, single National Security Staff announced this week — I’m creating a new office here at the White House that will be led by the Cybersecurity Coordinator. Because of the critical importance of this work, I will personally select this official. I’ll depend on this official in all matters relating to cybersecurity, and this official will have my full support and regular access to me as we confront these challenges.

Today, I want to focus on the important responsibilities this office will fulfill: orchestrating and integrating all cybersecurity policies for the government; working closely with the Office of Management and Budget to ensure agency budgets reflect those priorities; and, in the event of major cyber incident or attack, coordinating our response.

To ensure that federal cyber policies enhance our security and our prosperity, my Cybersecurity Coordinator will be a member of the National Security Staff as well as the staff of my National Economic Council. To ensure that policies keep faith with our fundamental values, this office will also include an official with a portfolio specifically dedicated to safeguarding the privacy and civil liberties of the American people.

There’s much work to be done, and the report we’re releasing today outlines a range of actions that we will pursue in five key areas.

First, working in partnership with the communities represented here today, we will develop a new comprehensive strategy to secure America’s information and communications networks. To ensure a coordinated approach across government, my Cybersecurity Coordinator will work closely with my Chief Technology Officer, Aneesh Chopra, and my Chief Information Officer, Vivek Kundra. To ensure accountability in federal agencies, cybersecurity will be designated as one of my key management priorities. Clear milestones and performances metrics will measure progress. And as we develop our strategy, we will be open and transparent, which is why you’ll find today’s report and a wealth of related information on our Web site, www.whitehouse.gov.

Second, we will work with all the key players — including state and local governments and the private sector — to ensure an organized and unified response to future cyber incidents. Given the enormous damage that can be caused by even a single cyber attack, ad hoc responses will not do. Nor is it sufficient to simply strengthen our defenses after incidents or attacks occur. Just as we do for natural disasters, we have to have plans and resources in place beforehand — sharing information, issuing warnings and ensuring a coordinated response.

Third, we will strengthen the public/private partnerships that are critical to this endeavor. The vast majority of our critical information infrastructure in the United States is owned and operated by the private sector. So let me be very clear: My administration will not dictate security standards for private companies. On the contrary, we will collaborate with industry to find technology solutions that ensure our security and promote prosperity.

Fourth, we will continue to invest in the cutting-edge research and development necessary for the innovation and discovery we need to meet the digital challenges of our time. And that’s why my administration is making major investments in our information infrastructure: laying broadband lines to every corner of America; building a smart electric grid to deliver energy more efficiently; pursuing a next generation of air traffic control systems; and moving to electronic health records, with privacy protections, to reduce costs and save lives.

And finally, we will begin a national campaign to promote cybersecurity awareness and digital literacy from our boardrooms to our classrooms, and to build a digital workforce for the 21st century. And that’s why we’re making a new commitment to education in math and science, and historic investments in science and research and development. Because it’s not enough for our children and students to master today’s technologies — social networking and e-mailing and texting and blogging — we need them to pioneer the technologies that will allow us to work effectively through these new media and allow us to prosper in the future. So these are the things we will do.

Let me also be clear about what we will not do. Our pursuit of cybersecurity will not — I repeat, will not include — monitoring private sector networks or Internet traffic. We will preserve and protect the personal privacy and civil liberties that we cherish as Americans. Indeed, I remain firmly committed to net neutrality so we can keep the Internet as it should be — open and free.

The task I have described will not be easy. Some 1.5 billion people around the world are already online, and more are logging on every day. Groups and governments are sharpening their cyber capabilities. Protecting our prosperity and security in this globalized world is going to be a long, difficult struggle demanding patience and persistence over many years.

But we need to remember: We’re only at the beginning. The epochs of history are long — the Agricultural Revolution; the Industrial Revolution. By comparison, our Information Age is still in its infancy. We’re only at Web 2.0. Now our virtual world is going viral. And we’ve only just begun to explore the next generation of technologies that will transform our lives in ways we can’t even begin to imagine.

So a new world awaits — a world of greater security and greater potential prosperity — if we reach for it, if we lead. So long as I’m President of the United States, we will do just that. And the United States — the nation that invented the Internet, that launched an information revolution, that transformed the world — will do what we did in the 20th century and lead once more in the 21st.

Thank you very much, everybody. Thank you. (Applause.)

END
11:25 A.M. EDT

###
###

Quote:

http://www.whitehouse.gov/blog/2010/03/02/transparent-cybersecurity

Transparent Cybersecurity

Posted by Howard A. Schmidt on March 02, 2010 at 02:52 PM EST
Ed. Note: Learn more about the Administration’s Cybersecurity efforts on our Cybersecurity page.

Today in my keynote speech at the RSA Conference in San Francisco I discussed two themes that are vital to our nation’s cybersecurity efforts: partnerships and transparency. These two themes go hand-in-hand. You cannot have one without the other, and they form the foundation of nearly all of the action items outlined in the President’s Cyberspace Policy Review.

Earlier this year in a memorandum on open government to all Federal departments and agencies, President Obama said, “My Administration is committed to creating an unprecedented level of openness in government.” Building on this statement, I am personally dedicated to ensuring that the Federal Government’s cybersecurity efforts are as transparent as possible.

For this reason, I was pleased to announce today that the Obama Administration has revised the classification guidance for the Comprehensive National Cybersecurity Initiative (or CNCI), which began in 2008 and forms an important component of cybersecurity efforts within the federal government. Anyone can now view or download an unclassified description of the CNCI and each of the 12 initiatives under the CNCI.

Transparency is particularly vital in areas, such as the CNCI, where there have been legitimate questions about sensitive topics like the role of the intelligence community in cybersecurity. Transparency provides the American people with the ability to partner with government and participate meaningfully in the discussion about how we can use the extraordinary resources and expertise of the intelligence community with proper oversight for the protection of privacy and civil liberties.

In order to be successful against today’s cybersecurity threats, we must continue to seek out innovative new partnerships—not only within government, but also among industry, government, and the American public. Transparency improves our collective knowledge and helps bind our partnerships together to form the most powerful cyber tools that we have. We will not defeat our cyber adversaries because they are weakening, we will defeat them by becoming collectively stronger, through stronger technology, a stronger cadre of security professionals, and stronger partnerships.

Howard A. Schmidt is Special Assistant to the President and the Cybersecurity Coordinator

###
###

Quote:

http://www.whitehouse.gov/cybersecurity/comprehensive-national-cybersecurity-initiative

The Comprehensive National Cybersecurity Initiative

download as pdf

President Obama has identified cybersecurity as one of the most serious economic and national security challenges we face as a nation, but one that we as a government or as a country are not adequately prepared to counter. Shortly after taking office, the President therefore ordered a thorough review of federal efforts to defend the U.S. information and communications infrastructure and the development of a comprehensive approach to securing America’s digital infrastructure.

In May 2009, the President accepted the recommendations of the resulting Cyberspace Policy Review, including the selection of an Executive Branch Cybersecurity Coordinator who will have regular access to the President. The Executive Branch was also directed to work closely with all key players in U.S. cybersecurity, including state and local governments and the private sector, to ensure an organized and unified response to future cyber incidents; strengthen public/private partnerships to find technology solutions that ensure U.S. security and prosperity; invest in the cutting-edge research and development necessary for the innovation and discovery to meet the digital challenges of our time; and begin a campaign to promote cybersecurity awareness and digital literacy from our boardrooms to our classrooms and begin to build the digital workforce of the 21st century. Finally, the President directed that these activities be conducted in a way that is consistent with ensuring the privacy rights and civil liberties guaranteed in the Constitution and cherished by all Americans.

The activities under way to implement the recommendations of the Cyberspace Policy Review build on the Comprehensive National Cybersecurity Initiative (CNCI) launched by President George W. Bush in National Security Presidential Directive 54/Homeland Security Presidential Directive 23 (NSPD-54/ HSPD-23) in January 2008. President Obama determined that the CNCI and its associated activities should evolve to become key elements of a broader, updated national U.S. cybersecurity strategy. These CNCI initiatives will play a key role in supporting the achievement of many of the key recommendations of President Obama’s Cyberspace Policy Review.

The CNCI consists of a number of mutually reinforcing initiatives with the following major goals designed to help secure the United States in cyberspace:

To establish a front line of defense against today’s immediate threats by creating or enhancing shared situational awareness of network vulnerabilities, threats, and events within the Federal Government—and ultimately with state, local, and tribal governments and private sector partners—and the ability to act quickly to reduce our current vulnerabilities and prevent intrusions.
To defend against the full spectrum of threats by enhancing U.S. counterintelligence capabilities and increasing the security of the supply chain for key information technologies.
To strengthen the future cybersecurity environment by expanding cyber education; coordinating and redirecting research and development efforts across the Federal Government; and working to define and develop strategies to deter hostile or malicious activity in cyberspace.
In building the plans for the CNCI, it was quickly realized that these goals could not be achieved without also strengthening certain key strategic foundational capabilities within the Government. Therefore, the CNCI includes funding within the federal law enforcement, intelligence, and defense communities to enhance such key functions as criminal investigation; intelligence collection, processing, and analysis; and information assurance critical to enabling national cybersecurity efforts.

The CNCI was developed with great care and attention to privacy and civil liberties concerns in close consultation with privacy experts across the government. Protecting civil liberties and privacy rights remain fundamental objectives in the implementation of the CNCI.

In accord with President Obama’s declared intent to make transparency a touchstone of his presidency, the Cyberspace Policy Review identified enhanced information sharing as a key component of effective cybersecurity. To improve public understanding of Federal efforts, the Cybersecurity Coordinator has directed the release of the following summary description of the CNCI.

CNCI Initiative Details

Initiative #1. Manage the Federal Enterprise Network as a single network enterprise with Trusted Internet Connections. The Trusted Internet Connections (TIC) initiative, headed by the Office of Management and Budget and the Department of Homeland Security, covers the consolidation of the Federal Government’s external access points (including those to the Internet). This consolidation will result in a common security solution which includes: facilitating the reduction of external access points, establishing baseline security capabilities; and, validating agency adherence to those security capabilities. Agencies participate in the TIC initiative either as TIC Access Providers (a limited number of agencies that operate their own capabilities) or by contracting with commercial Managed Trusted IP Service (MTIPS) providers through the GSA-managed NETWORX contract vehicle.

Initiative #2. Deploy an intrusion detection system of sensors across the Federal enterprise. Intrusion Detection Systems using passive sensors form a vital part of U.S. Government network defenses by identifying when unauthorized users attempt to gain access to those networks. DHS is deploying, as part of its EINSTEIN 2 activities, signature-based sensors capable of inspecting Internet traffic entering Federal systems for unauthorized accesses and malicious content. The EINSTEIN 2 capability enables analysis of network flow information to identify potential malicious activity while conducting automatic full packet inspection of traffic entering or exiting U.S. Government networks for malicious activity using signature-based intrusion detection technology. Associated with this investment in technology is a parallel investment in manpower with the expertise required to accomplish DHS’s expanded network security mission. EINSTEIN 2 is capable of alerting US-CERT in real time to the presence of malicious or potentially harmful activity in federal network traffic and provides correlation and visualization of the derived data. Due to the capabilities within EINSTEIN 2, US-CERT analysts have a greatly improved understanding of the network environment and an increased ability to address the weaknesses and vulnerabilities in Federal network security. As a result, US-CERT has greater situational awareness and can more effectively develop and more readily share security relevant information with network defenders across the U.S. Government, as well as with security professionals in the private sector and the American public. The Department of Homeland Security’s Privacy Office has conducted and published a Privacy Impact Assessment for the EINSTEIN 2 program.

Initiative #3. Pursue deployment of intrusion prevention systems across the Federal enterprise. This Initiative represents the next evolution of protection for civilian Departments and Agencies of the Federal Executive Branch. This approach, called EINSTEIN 3, will draw on commercial technology and specialized government technology to conduct real-time full packet inspection and threat-based decision-making on network traffic entering or leaving these Executive Branch networks. The goal of EINSTEIN 3 is to identify and characterize malicious network traffic to enhance cybersecurity analysis, situational awareness and security response. It will have the ability to automatically detect and respond appropriately to cyber threats before harm is done, providing an intrusion prevention system supporting dynamic defense. EINSTEIN 3 will assist DHS US-CERT in defending, protecting and reducing vulnerabilities on Federal Executive Branch networks and systems. The EINSTEIN 3 system will also support enhanced information sharing by US-CERT with Federal Departments and Agencies by giving DHS the ability to automate alerting of detected network intrusion attempts and, when deemed necessary by DHS, to send alerts that do not contain the content of communications to the National Security Agency (NSA) so that DHS efforts may be supported by NSA exercising its lawfully authorized missions. This initiative makes substantial and long-term investments to increase national intelligence capabilities to discover critical information about foreign cyber threats and use this insight to inform EINSTEIN 3 systems in real time. DHS will be able to adapt threat signatures determined by NSA in the course of its foreign intelligence and DoD information assurance missions for use in the EINSTEIN 3 system in support of DHS’s federal system security mission. Information sharing on cyber intrusions will be conducted in accordance with the laws and oversight for activities related to homeland security, intelligence, and defense in order to protect the privacy and rights of U.S. citizens.

DHS is currently conducting a exercise to pilot the EINSTEIN 3 capabilities described in this initiative based on technology developed by NSA and to solidify processes for managing and protecting information gleaned from observed cyber intrusions against civilian Executive Branch systems. Government civil liberties and privacy officials are working closely with DHS and US-CERT to build appropriate and necessary privacy protections into the design and operational deployment of EINSTEIN 3.

Initiative #4: Coordinate and redirect research and development (R&D) efforts. No single individual or organization is aware of all of the cyber-related R&D activities being funded by the Government. This initiative is developing strategies and structures for coordinating all cyber R&D sponsored or conducted by the U.S. government, both classified and unclassified, and to redirect that R&D where needed. This Initiative is critical to eliminate redundancies in federally funded cybersecurity research, and to identify research gaps, prioritize R&D efforts, and ensure the taxpayers are getting full value for their money as we shape our strategic investments.

Initiative #5. Connect current cyber ops centers to enhance situational awareness. There is a pressing need to ensure that government information security offices and strategic operations centers share data regarding malicious activities against federal systems, consistent with privacy protections for personally identifiable and other protected information and as legally appropriate, in order to have a better understanding of the entire threat to government systems and to take maximum advantage of each organization’s unique capabilities to produce the best overall national cyber defense possible. This initiative provides the key means necessary to enable and support shared situational awareness and collaboration across six centers that are responsible for carrying out U.S. cyber activities. This effort focuses on key aspects necessary to enable practical mission bridging across the elements of U.S. cyber activities: foundational capabilities and investments such as upgraded infrastructure, increased bandwidth, and integrated operational capabilities; enhanced collaboration, including common technology, tools, and procedures; and enhanced shared situational awareness through shared analytic and collaborative technologies.

The National Cybersecurity Center (NCSC) within the Department of Homeland Security will play a key role in securing U.S. Government networks and systems under this initiative by coordinating and integrating information from the six centers to provide cross-domain situational awareness, analyzing and reporting on the state of U.S. networks and systems, and fostering interagency collaboration and coordination.

Initiative #6. Develop and implement a government-wide cyber counterintelligence (CI) plan. A government-wide cyber counterintelligence plan is necessary to coordinate activities across all Federal Agencies to detect, deter, and mitigate the foreign-sponsored cyber intelligence threat to U.S. and private sector information systems. To accomplish these goals, the plan establishes and expands cyber CI education and awareness programs and workforce development to integrate CI into all cyber operations and analysis, increase employee awareness of the cyber CI threat, and increase counterintelligence collaboration across the government. The Cyber CI Plan is aligned with the National Counterintelligence Strategy of the United States of America (2007) and supports the other programmatic elements of the CNCI.

Initiative #7. Increase the security of our classified networks. Classified networks house the Federal Government’s most sensitive information and enable crucial war-fighting, diplomatic, counterterrorism, law enforcement, intelligence, and homeland security operations. Successful penetration or disruption of these networks could cause exceptionally grave damage to our national security. We need to exercise due diligence in ensuring the integrity of these networks and the data they contain.

Initiative #8. Expand cyber education. While billions of dollars are being spent on new technologies to secure the U.S. Government in cyberspace, it is the people with the right knowledge, skills, and abilities to implement those technologies who will determine success. However there are not enough cybersecurity experts within the Federal Government or private sector to implement the CNCI, nor is there an adequately established Federal cybersecurity career field. Existing cybersecurity training and personnel development programs, while good, are limited in focus and lack unity of effort. In order to effectively ensure our continued technical advantage and future cybersecurity, we must develop a technologically-skilled and cyber-savvy workforce and an effective pipeline of future employees. It will take a national strategy, similar to the effort to upgrade science and mathematics education in the 1950’s, to meet this challenge.

Initiative #9. Define and develop enduring “leap-ahead” technology, strategies, and programs. One goal of the CNCI is to develop technologies that provide increases in cybersecurity by orders of magnitude above current systems and which can be deployed within 5 to 10 years. This initiative seeks to develop strategies and programs to enhance the component of the government R&D portfolio that pursues high-risk/high-payoff solutions to critical cybersecurity problems. The Federal Government has begun to outline Grand Challenges for the research community to help solve these difficult problems that require ‘out of the box’ thinking. In dealing with the private sector, the government is identifying and communicating common needs that should drive mutual investment in key research areas.

Initiative #10. Define and develop enduring deterrence strategies and programs. Our Nation’s senior policymakers must think through the long-range strategic options available to the United States in a world that depends on assuring the use of cyberspace. To date, the U.S. Government has been implementing traditional approaches to the cybersecurity problem—and these measures have not achieved the level of security needed. This Initiative is aimed at building an approach to cyber defense strategy that deters interference and attack in cyberspace by improving warning capabilities, articulating roles for private sector and international partners, and developing appropriate responses for both state and non-state actors.

Initiative #11. Develop a multi-pronged approach for global supply chain risk management. Globalization of the commercial information and communications technology marketplace provides increased opportunities for those intent on harming the United States by penetrating the supply chain to gain unauthorized access to data, alter data, or interrupt communications. Risks stemming from both the domestic and globalized supply chain must be managed in a strategic and comprehensive way over the entire lifecycle of products, systems and services. Managing this risk will require a greater awareness of the threats, vulnerabilities, and consequences associated with acquisition decisions; the development and employment of tools and resources to technically and operationally mitigate risk across the lifecycle of products (from design through retirement); the development of new acquisition policies and practices that reflect the complex global marketplace; and partnership with industry to develop and adopt supply chain and risk management standards and best practices. This initiative will enhance Federal Government skills, policies, and processes to provide departments and agencies with a robust toolset to better manage and mitigate supply chain risk at levels commensurate with the criticality of, and risks to, their systems and networks.

Initiative #12. Define the Federal role for extending cybersecurity into critical infrastructure domains. The U.S. Government depends on a variety of privately owned and operated critical infrastructures to carry out the public’s business. In turn, these critical infrastructures rely on the efficient operation of information systems and networks that are vulnerable to malicious cyber threats. This Initiative builds on the existing and ongoing partnership between the Federal Government and the public and private sector owners and operators of Critical Infrastructure and Key Resources (CIKR). The Department of Homeland Security and its private-sector partners have developed a plan of shared action with an aggressive series of milestones and activities. It includes both short-term and long-term recommendations, specifically incorporating and leveraging previous accomplishments and activities that are already underway. It addresses security and information assurance efforts across the cyber infrastructure to increase resiliency and operational capabilities throughout the CIKR sectors. It includes a focus on public-private sharing of information regarding cyber threats and incidents in both government and CIKR.

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.