White House Declassifies Outline of Cybersecurity Plans

An anonymous reader writes "The Obama administration on Tuesday declassified part of the Comprehensive National Cybersecurity Initiative created during the Bush administration, outlining offensive and defensive strategies for protecting information networks. The initiative was originally intended to unify efforts of a number of government agencies into a comprehensive strategy to protect the nation's computer networks. 'One area in which the government did officially disclose new details was Einstein 3, a program to protect civilian government systems from intrusion by deploying sensors on the networks of private telecommunications companies. For the first time, the government disclosed officially that the program would use technology developed by the NSA, the nation's largest intelligence agency. It also said that the Department of Homeland Security, which would run the program, would share malicious code data with the NSA but not the content of communications, such as e-mails.'"

High Risk - High Payoff?

[ka9dgx]

Initiative #9. Define and develop enduring "leap-ahead" technology, strategies, and programs. One goal of the CNCI is to develop technologies that provide increases in cybersecurity by orders of magnitude above current systems and which can be deployed within 5 to 10 years. This initiative seeks to develop strategies and programs to enhance the component of the government R&D portfolio that pursues high-risk/high-payoff solutions to critical cybersecurity problems. The Federal Government has begun to outline Grand Challenges for the research community to help solve these difficult problems that require 'out of the box' thinking. In dealing with the private sector, the government is identifying and communicating common needs that should drive mutual investment in key research areas.

(Emphasis mine)

I propose instead that we consult the results of the previous R&D work that has been active in this area since the 1960s, and learn the lessons of problems already solved. This is low risk (as we've already paid for it), high payoff.

Let's get capability based security into the hands of the masses. This will remove their machines from the threat pool. It would also allow those inside the government to manage security in a much more granular (and thus more effective) manner.

This can be fixed, and it doesn't require a high risk, just due diligence, and hard work.

Re:The First Condemnment!

[Opportunist]

Tell me, Mr. Anderson... what good is a phone call... if you're unable to speak?

I know, I know, it's old and overused, but admit it, when did it fit better?

This is not self-monitoring.

[bjamesv]

On the face of it proposal #3 seems perfectly fine.

The desire for government agencies to have "situational awareness" in the form of deep-packet inspection of every transaction coming in or out of their network is nothing more then a proactive capability that any responsible Admin might want for their network. (assuming they disclose this capability and have policy dictating its use)

What does worry me are the washington posts comments about Telcom involvement.
This other article make it very clear EINSTEIN 3 is truly NSA equipment installed on the commercial telcom network where the potential exists for it to easily be repurposed to monitor _OTHER_ traffic streams.
http://www.washingtonpost.com/wp-dyn/content/article/2009/07/02/AR2009070202771.html?nav=emailpage

this is a whole different animal from whitehouse.gov's portrayal of responsible network admin.

Re:Get A Clue Please

[ka9dgx]

Yes, the threats are real, but the solution that the "Cyber Warriors" came up with is crap. A much better solution than working around all the holes and patching them quicker is to simply rip out a bad design and replace it with a better one. Its not easy changing everyones OS, but it's cheaper in the long run.

Defense: a legitimate government power, right?

If your neighbor is worried about the Red Menace, he might be inclined to put a ABM launch site in his backyard, or even ICBMs as deterrent force.

You probably don't want that.

There are some very good reasons for centralizing physical warfare under a single political authority. It's not just that the constitution says this is a federal executive job (i.e. not something you leave to the states or the people); it's a good idea. If it weren't in the constitution already, I think almost all people would support an amendment making it so.

But even so, there are limits to that. There's no legitimate reason the federal government should be able to have any sort of authority at all, over whether or not people are allowed to build bomb shelters. A bomb shelter isn't a particularly good way to deal with the threat of nuclear holocaust (the best thing to do, is persuade the Russkies to not attack in the first place), but it doesn't really endanger your neighbors or usurp the president's negotiating power.

The same applies even to 18th century threats. If your neighbor is worried that the Brits might try to retake the colonies, it's ok for him to stock up on musket ammunition, but that's not really a good solution either. You want a single political entity to deal with the Brits, hopefully at a point long before anyone has to worry about redcoats marching through their farms.

With cybersecurity, the situation is pretty different. The analogy to relatively ineffective private bomb shelters and relatively ineffective musket ammunition stockpiles, happens to be the best solution to computer security problems. If you decide to have a policy of not executing malware, you are pretty much invincible except for Denial of Service issues related to overwhelming traffic. (And the private network providers are able to deal with that.)

We don't need any sort of central authority for dealing with computer security. That doesn't mean a central plan would be totally useless, but the payoff is pretty low. A president in charge of cybersecurity is about as an effective solution to cybersecurity, as bomb shelters are an effective solution to nuclear war.

People can already deal with this; they just don't bother to. That's their problem.

Now, TFA is actually not all that stupid-looking. He's mostly talking about the government protecting goverement systems. That's a no-brainer. But we don't need them to protect private networks, and I hope people keep an eye on any bullshit that moves in that direction.

Preview of outlines

[noidentity]

Here's an ASCII preview of the declassified outlines:

+-----------x
|           |\
|           | \
|           |  \
|           |   \
|            ----
|                |
|                |
|                |
|                |
|                |
|                |
+----------------+

Your comment violated the "postercomment" compression filter. Try less whitespace and/or less repetition.

Re:Get A Clue Please

[morgauxo]

Go to a typical hospital. Count the number of life critical monitoring equipment is running old unpatched copies of XP and connecting to easily broken WEP encrypted networks.

How many financial transactions take place at ATMs loaded with Windows 2000? How many banks have crappy, poorly written ASP.NET websites.

How about all those malware filled crusty old porn surfing boxes that manage our power grid in their spare time?

Yes, there is a problem. We are vulnerable and something bad will someday happen. However, nothing our government is going to do is going to help. What's necessary is for the people to demand better from the hospitals, banks, power companies etc... which implement this crap. That isn't going to happen. The people don't understand, don't care and don't want to.

Meanwhile what is some government agent reading my email going to do to help? Our government has a horrible track record on privacy and lately even on basic human rights in general. On top of this, all three branches and both parties are in the pockets of media executives who admittedly do have some legitimate points about their property being stolen but would like to take things way beyond protecting what is truly theirs and eliminate fair use while closing off media to any potential competitors.

Protect the internet, protect free speech. Keep the government out.

Re:Concerns About Dinner

[girlintraining]

I guess my most major concern about using the Department of Homeland Security is that if anything should go wrong; that it's not during dinner.

And I guess my most major concern about using the Department of Homeland Security is that. They take my nail clippers away because it's a security risk, say I can't wear underwire bras, have closed the bathroom down for most, if not all of the flight (and god help you if you have a feminine issue then) now they want to take high-resolution naked pictures of me and share them with their government buddies, contractors, and basically anyone not me. They can't even handle issues of basic sanitation and common decency -- a problem as I understand has been solved for a few thousand years now. I would go on a feminist rant right about now, but frankly I don't think they're being sexist, just retarded. Unfortunately, retardation isn't curable. But I digress...

The only reason the internet still works at all is because they haven't gotten around to screwing it up -- yet. I can just see it now -- The entire internet has been turned off because a kindergartner in Utah made a drawing that suggested he was going to shoot the president. It was later disclosed that the drawing was of a cat and the sun. And later, mom posts it on the fridge...