When James Lewis heard the vice chair of the Joint Chiefs of Staff drop a bombshell on the Pentagon, he was less surprised than most. Lewis, project director of a cybersecurity commission within DC think tank the Center for Strategic and International Studies (CSIS), was listening to a speech by General James E. Cartwright. “He said that when he got to the Pentagon, there were 19 different people who said they were in charge of cyber security,” recalls Lewis. “You’ll find that across the federal government. You could ask who’s in charge, and a dozen people would hold up their hands.”
In December, Lewis’s commission released a report called Securing Cyberspace for the 44th Presidency. It found the US unprepared when it came to cybersecurity, and outlined a broad set of changes designed to get it back on track. With the administration changing, it was the perfect time to bring it to the public’s attention.
Cartwright’s role as a former STRATCOM commander makes his statement particularly poignant. STRATCOM grew out of the original US Strategic Air Command, which controlled the US nuclear deterrent. It was good at using big arsenals to face down big enemies in the name of national security. But cold war enemies were monolithic, easy to monitor, and the trigger on the nuclear deterrent was never supposed to be pulled. Conversely, cyber-enemies are already waging a covert, low-level war with the US, flowing like water along many different channels. Spotting them is the bigger challenge.
Cyberthreats are increasingly a national security issue, because so much of what we do relies on the network. That dependence will only increase as we continue to modernize our infrastructure, points out Robert Holleyman, CEO of the Business Software Alliance. “Look at the dependence of the financial sector by businesses and consumers. Look at the great opportunity we have to improve healthcare in North America through the use of IT,” he says. “Inherent in that is a level of confidence in sensitive personal, medical information. Inherent in that is a confidence in the right results.”
Healthcare and finance are just two examples of targets that could be disrupted by cyberattack. Phyllis Schneck, vice president of cyber intelligence and critical infrastructure protection at McAfee, sat on the CSIS commission. She says that other systems are waiting to be exploited - and that they could have immediate physical consequences.
The Supervisory Control and Data Acquisition (SCADA) systems that control many industrial plants are often antiquated and hard to patch. “There are a finite number of people on the planet that understand how they work. They’re very hard to fix,” she says. Many of them were installed over a decade ago, and have been brought into the internet age with little or no oversight. “When the internet became popular it was a great solution to connect these control systems so that they could be monitored from other places. But this introduces all the vulnerabilities that we have in traditional IT into these pointed, specialized systems,” she warns.
Digital Pearl Harbour
Thus far, attacks on SCADA systems have been limited, but a series of high-profile attacks on government information systems still leaves Lewis calling the last year a “digital Pearl Harbour”.
“You had a series of high-level penetrations of critical US agencies: Defense. State. NASA. Commerce. The Central Command. The White House. The two [presidential] campaigns last summer,” he says. “And you had the Estonia incident. It seems like we crossed a threshold last year.”
Evidence suggests that the US is even less prepared for attacks across the network now than it was for attack from the skies in 1941. A cyberwar simulation reportedly run by Booz Allen Hamilton in December brought together 230 representatives of government agencies and private sector organizations. The US failed the test. Reuters summed it up nicely in a quote from BAH vice president Mark Gerencser: “There isn’t a response or a game plan; there isn’t really anybody in charge.”
In areas where authority has been concentrated, experts argue that bureaucracy and political infighting have directed energy away from the real goals. In September, Amit Yoran, former head of cybersecurity at the Department of Homeland Security, testified at a House Intelligence Committee hearing. He quoted Robert Stephan, DHS assistant secretary for infrastructure protection, on his frustrations with the day-to-day bureaucracy in the DHS: “I spend most of the bullets in my single 30-round magazine that I bring to work every day shooting into the backs of our own bureaucracy trying to clear a field of fire.”
Cyber-Czar
The recommendations in Lewis’s report aim to resolve some of these issues. First on the agenda is the creation of a National Office for Cyberspace (NOC), headed by an assistant to the president in charge of cyberspace. This ‘cyber-czar’ position would put the issue of cybersecurity properly back on the presidential agenda for the first time since Richard Clarke left office.
Clarke served as special advisor to the president on cybersecurity, but resigned in 2003. “His role was no longer there, so a lot of the cybersecurity efforts came directly out of the Department of Homeland Security, with no-one in the White House reporting,” explains Kevin Richards, federal government relations manager at Symantec. “The Joint Chiefs of Staff were really behind the cybersecurity effort when they raised some alarms about some of the attacks that we’re seeing. That was raised mostly at the agency level.”
Just before Clarke resigned, the President’s Critical Infrastructure Protection Board that he chaired delivered the National Strategy to Secure Cyberspace. That report, summarising necessary actions for an ongoing cybersecurity campaign, counselled the creation of a national cybersecurity response mechanism, a program to reduce cybersecurity vulnerabilities, and an education initiative. It also advised a focus on securing government networks, and an emphasis on international co-operation. The DHS’s National Cyber Security Division (NCSD) was formed to oversee co-operation on cybersecurity between different agencies.
The next significant governmental move didn’t happen until half a decade later, however, with the release of National Security Presidential Directive 54, a classified document that created the Comprehensive National Cybersecurity Initiative (CNCI). Launched last February, that initiative is itself highly secretive. Two projects that are public are the revision of the Einstein system, and the creation of Trusted Internet Connections (TICs).
Created in 2003, Einstein is a monitoring system that takes network access information voluntarily from participating Federal agencies. The system looks at information such as originating and destination IP addresses to understand what system resources are being used, and from where. The CNCI will strengthen Einstein with a second version that includes intrusion detection capabilities with specific attack signatures. Deployment of the intrusion detection functions was due to begin this summer.
The Trusted Internet Connections initiative is an attempt to cut the number of connections between Federal US government networks and the public internet, providing the government with a reduced number of interfaces to monitor and protect. Introduced in November 2007 by the Office of Management and Budget (part of the Executive Office of the President), the TIC initiative seems to have had some success. The OMB said that the number of connections to the external internet from Federal systems fell by 39% in the first four months of 2008.
Statistics suggest that the first version of Einstein is also having some marked effect, although at first sight the reverse seems true. The OMB reported that the number of security incidents more than doubled in 2007, to 12,896. However, the DHS says that this is due to a mixture of Einstein deployment and increased reporting from individual agencies to US-CERT (which holds the Einstein information).
Reform
Even with such successes, the CNCI and the DHS are in need of reform. “One thing we hope that this administration will do is move towards a more transparent approach,” says Lewis, who adds that only a couple of small pieces of the CNCI needed to be classified. “We’ve heard that the people who are the gravest threat to the US are the Chinese and the Russian military intelligence services. The DHS isn’t the group to go up against the FSB and the PLA.”
Under the report’s recommendations, the DHS would effectively lose control of the National Cyber Security Center’s inter-agency co-ordination function. The Center would merge into the NOC, and so would the military function currently controlled by the Joint Inter-Agency Cyber Task Force.
The other thing that would change is the public/private partnership effort. With 85% of the critical national infrastructure currently controlled by the private sector, its involvement in the security process is crucial. Currently, the Critical Infrastructure Partnership Advisory Council (CIPAC) sits within the National Infrastructure Protection Plan, co-ordinating interactions between private sector players and government partnerships. However, there are other organizations, such as the National Security and Telecommunications Advisory Committee (the NSTAC, introduced during the Reagan era), that now sit within the DHS and also provide a bridge between public and private sector organizations.
The National Infrastructure Advisory Council (NIAC) is another committee within the DHS with private sector members advising the President.
It’s all too complex, says the report. And so is the current definition of 18 core industrial sectors making up the critical national infrastructure. Lewis says that this is a symptom of a government unwilling to tell some sectors (and their advocates in Congress) that they simply aren’t critical to the nation’s survival. “You don’t think agriculture is a critical infrastructure? Come on! How about national monuments?” quips a sardonic Lewis (monuments really are one of the sectors deemed critical to the national infrastructure on the DHS’s list). “I’m still trying to work out how you hack the Washington Monument. I got up and held my computer against it and nothing happened.”
Consolidation
The report recommends cutting down the list of 18 sectors to just four: energy, finance, ICT, and government services (down to a municipal level). It also wants to establish a single point of contact between government and the private sector, called the President’s Committee for Secure Cyberspace, which would absorb the NIAC and the NSTAC. Membership would be restricted to C-level officials from companies (no stand-ins). The wider community, including the other 14 sectors, would be served by a new ‘town hall group’, designed to let a wider audience share its views.
That takes care of strategy. A Center for Cybersecurity Operations would co-ordinate cybersecurity operations on the ground. The non-profit, independent body would include a 24x7 operational center designed to watch the threat landscape and respond to attacks.
There are other recommendations, too: rewriting the 2002 Federal Information Security Management Act (FISMA) to be more performance-led, enforcing strong federal identity management schemes based on the HSPD-12 standard, and co-ordinating cybersecurity research and development through the NOC. And yes, proper regulation of those SCADA systems.
Thankfully, many of these recommendations fall in line with the incoming president’s existing agenda. Holleyman points to Obama’s promise to appoint a Federal CTO as another promising sign. It all suggests that someone will finally put their hand on the tiller. Hopefully, that person will be able to steer us in the right direction before our cyber-enemies deliver a damning broadside - assuming that their code isn’t already sitting on our systems, waiting to do just that.