Declassified CNCI Summary: What's New?
Reading the declassified summary of the Comprehensive National Cybersecurity Initiative, posted on the White House website Tuesday, may have baffled those who follow federal cybersecurity policy closely. What's new here?
The summary outlines the dozen initiatives that make up the CNCI, and much in the declassified précis has been discussed publicly over the past year or so, though not necessarily as identifiable components of the initiative. What's new is the fact that the government is publicly outlining what's in the CNCI.
White House Cybersecurity Coordinator Howard Schmidt announced the declassification at the RSA IT security conference in San Francisco Tuesday. At that conference, I ran into Melissa Hathaway, and asked her what she thought about declassifying portions of the CNCI. Hathaway had been intimately involved with CNCI, first as a Bush administration national security senior staffer - CNCI is a result of a directive issued by President Bush - and then as the official who led President Obama's 60-day cybersecurity policy review last year. Hathaway told me:
"It's really important to get that information out in the public domain, the list of all 12. I had spoken about CNCI in the transition between the two administrations pretty extensively at different conferences. And there was some information published on the DHS website, but this is the first time that, I think, it was all put together."
Hathaway said the declassified summary included new information on Initiative No. 3 - Einstein 3, an intrusion prevention system under development - which has attracted many questions from Congress and the private sector.
Here, in part, is what the declassified summary says about Einstein 3:
"This initiative makes substantial and long-term investments to increase national intelligence capabilities to discover critical information about foreign cyber threats and use this insight to inform Einstein 3 systems in real time. DHS will be able to adapt threat signatures determined by NSA in the course of its foreign intelligence and DoD information assurance missions for use in the Einstein 3 system in support of DHS's federal system security mission. ...
"DHS is currently conducting an exercise to pilot the Einstein 3 capabilities described in this initiative based on technology developed by NSA and to solidify processes for managing and protecting information gleaned from observed cyber intrusions against civilian executive branch systems. Government civil liberties and privacy officials are working closely with DHS and US-CERT to build appropriate and necessary privacy protections into the design and operational deployment of Einstein 3."
Even if the declassified summary doesn't shed much new light on federal government cybersecurity initiatives, the fact that the administration is being more transparent about what was a fairly secretive program gives the public a stake in CNCI and other government IT security programs. Schmidt, in announcing the declassified abstract, explained why that's important:
"Transparency is particularly vital in areas such as the CNCI, where there have been legitimate questions about sensitive topics like the role of the intelligence community in cybersecurity. Transparency provides the American people with the ability to partner with government and participate meaningfully in the discussion about how we can use the extraordinary resources and expertise of the intelligence community with proper oversight for the protection of privacy and civil liberties."
Safeguarding our digital assets won't succeed without the cooperation of all stakeholders, and letting the public know about these initiatives is a crucial step toward protecting our IT systems.