White House declassifies outline of cybersecurity program

By Ellen Nakashima
Washington Post Staff Writer
Wednesday, March 3, 2010

SAN FRANCISCO -- The Obama administration Tuesday declassified an outline of a major government effort to protect its computer networks.

The White House put up a link to a description of the Comprehensive National Cybersecurity Initiative (CNCI), which was launched in January 2008 to protect government computer systems and begin to address the protection of private sector systems.

"Partnerships and transparency are concepts that have to go hand in hand" in the protection of the nation's critical computer networks, Howard Schmidt, the White House's newly appointed computer security coordinator, said Tuesday at the RSA security conference in San Francisco, his first major public address since his appointment in December.

Unclassified summary descriptions of the CNCI's 12 elements have been circulating in industry and trade publications since 2008. The declassified version posted Tuesday contains slightly more descriptive material, such as acknowledging officially for the first time the role of the National Security Agency in one monitoring program. The initiatives range from the uncontroversial -- research and development and promoting cyber education -- to the effort to develop deterrence strategies in cyberspace.

Transparency is particularly vital in areas in which there have been legitimate questions about sensitive topics such as the intelligence community's role in cybersecurity, Schmidt said.

But key portions of the initiative remain classified, such as those dealing with the government's cyber offense capabilities. Much of that work is still being developed, officials have said.

One area in which the government did officially disclose new details was Einstein 3, a program to protect civilian government systems from intrusion by deploying sensors on the networks of private telecommunications companies. For the first time, the government disclosed officially that the program would use technology developed by the NSA, the nation's largest intelligence agency. It also said that the Department of Homeland Security, which would run the program, would share malicious code data with the NSA but not the content of communications, such as e-mails.

But the administration did not declassify a summary of the legal justification of Einstein 3. Cyber policy experts, including some former George W. Bush administration officials, say the classification was unnecessary and likely hindered public and congressional support for the program.

The analysis is based on the notion that the public has no reasonable expectation of privacy in communications to the government, said sources familiar with it. Moreover, as long as the program is aimed solely at government traffic, and all government employees are notified that their communications are subject to monitoring as a condition of using the network, the consent of one party to the monitoring -- the government employee -- is sufficient, they said.

Government has historically classified legal analyses, but cybersecurity should be different, said Catherine B. Lotrionte, a former CIA lawyer who now teaches at Georgetown University. "What we're doing in cybersecurity greatly involves the private sector and the everyday citizen who's using the Internet, so the government should try to be transparent," she said. No data on sources or methods need be revealed, she added.

But Jamil N. Jaffer, a former associate counsel to President Bush, said Obama "needed to be careful with declassification."

He asserted that the administration's declassification of the CIA interrogation memos last summer unnecessarily revealed "critical details" of the program. Civil liberties advocates have said the memos were properly declassified.

The Einstein 3 program has been slowed by legal reviews, privacy concerns and other issues. But a Department of Homeland Security spokeswoman said a pilot test should be concluded by "midyear."

© 2010 The Washington Post Company