washingtonpost.com
Clarification to This Article
This article was updated to clarify the timing of when the White House will unveil the new cyber-security policy. The policy details could come as early as next week.
White House Plans Proactive Cyber-Security Role for Spy Agencies

By Brian Krebs
washingtonpost.com Staff Writer
Friday, May 2, 2008 11:47 AM

America's spy agencies for the first time would be tasked with gathering intelligence on threats to the nation's computer networks under a policy that could be detailed by the White House as early as next week, a senior administration official said Wednesday.

Speaking at a security conference in Washington, the official said the Bush administration wants to harness the intelligence community's offensive capabilities in defense of government and civilian computer systems.

"We've never looked at how all the unique things this government wages against others could be used to inform our defensive posture," said the official, who asked not to be named because the White House has not yet released details about the plan. "We really need to move from [the reality that] the advantage is always with the attacker to how we can have our offense better inform our defense to shrink that gap."

In January, President Bush signed a directive authorizing the intelligence agencies, including the National Security Agency, to monitor all federal network traffic to prevent attackers from breaking in and from stealing sensitive data or disrupting critical systems.

The administration official said the intelligence community is uniquely suited to counteract today's malicious actors -- ranging from lone hackers to organized cyber criminal groups and nation states -- who the official said are constantly developing new attacks and exploiting unknown security holes in software and hardware to compromise government networks.

The official said the president's new cyber-security directive will share the intelligence gleaned through monitoring threats across the government space with the private sector, which experts say is being hit with the same types of attacks that the federal dot-gov space is battling.

"This is an important and perhaps one of the most important national security and economic security issues facing us today," the official said. "We want a broader information flow to the private sector of the threats we're seeing, so that they can increase their security posture as well."

Most of the 18 strategic goals laid out in the cyber initiative are currently classified, and few within the government have been fully briefed on the plan. But the official said the administration plans to release additional details on at least 12 of those goals next week, after the White House Office of Management and Budget issues rules for assigning classification levels for data collected and shared under the new program. An OMB spokesperson confirmed that the White House plans to release the classification memo as early as next week.

Alan Paller, director of research at the Bethesda-based SANS Institute, which tracks hacking trends, said few federal civilian agencies or private sector companies have the analysts or computer power to spot the most stealthy cyber attacks. Agencies like the NSA, he said, are in a bit of a tight spot in sharing new threat information with allies and the private sector, because spy agencies very often glean intelligence by exploiting the very same security vulnerabilities in hardware and software used by enemies of the United States.

"This is the oldest conflict in security, because if we give away our best exploits, we lose the ability to use them offensively," Paller said. "That's a conflict the guys at NSA deal with every day. When you find good ones, how long do you wait before you tell the vendors and people defending our own networks?"

This precise conundrum sprang up in December 2007, when U.S. intelligence analysts exchanged with their counterparts in Australia, Canada, New Zealand and the United Kingdom new exploits that had been observed being used against their government networks.

"We lost a key exploit for a critical hard target, so there was a gain and there was a loss," the administration official said. "Many of us agree that we're going to have to accept a lot more intelligence losses in order to increase the defensive posture of the nation."

The NSA and other intelligence agencies have an important -- if not vital -- role to play in sifting through government network traffic for signs of attacks and compromises, said Jim Dempsey, policy director at the Center for Democracy & Technology. But he said the Bush administration has a penchant for slapping a classified label on even the most benign information, and as a consequence the intelligence community's involvement could result in less -- not more -- information being shared with the private sector.

"To my mind, one of the key tests of whether this program will be successful or not is how much [information] falls on the classified side of the line, and how much falls on the unclassified side," Dempsey said. "The more information that gets classified, the less likely the initiative will succeed."

The cyber initiative comes more than five years after the Bush administration first released its National Strategy to Secure Cyberspace, a roadmap for securing federal information networks and critical information assets owned and operated by the private sector, such as those used to control the electric and nuclear power systems. The task of implementing that plan largely fell to the Department of Homeland Security, but critics say the department's progress on that front has been hampered by bureaucratic infighting and a lack of authority.

"What you're seeing here is the acknowledgment by the administration that DHS had its chance, flubbed it, and now we've got to get serious," CDT's Dempsey said.

Whether the next administration continues the work called for in the cyber initiative remains an open question. But Paul Kurtz, a former cyber adviser to the Bush administration and a key author of the 2003 strategy, said it would be wrong not to try to stand up some new programs at this time.

"Candidly, they're doing as much as they can given the 11th hour of this administration," said Kurtz, who is among more than two dozen security experts working to devise a series of cyber-security policy recommendations for the next administration. "Our job is to get the programs in place at least initially so we have enough momentum going into the next presidency that -- no matter who wins -- they can carry on with this effort."

© 2008 Washingtonpost.Newsweek Interactive