U.S. cybersecurity plans lagging, critics say

By Ellen Nakashima
Washington Post Staff Writer
Thursday, September 16, 2010; 1:14 PM

More than a year after President Obama made a White House speech proclaiming that the protection of computer networks was a national priority, the federal government is still grappling with key questions about how to secure its computer systems as well as private networks deemed critical to U.S. security.

The administration unveiled a cyberspace policy review last year, and in December Obama appointed a White House cyber coordinator to synchronize the government's efforts.

But the administration is still debating whether it needs new legal authorities - to strengthen the government's ability to defend private sector networks, for example - or whether existing law allows such actions. Critics also say that officials have not adequately assuaged privacy concerns or determined the extent to which the government should regulate or collaborate with the private sector to ensure that telecommunications firms, electric utilities and other critical industries are protected against hackers.

Congress, meanwhile, has crafted dozens of bills with varying prescriptions to improve the country's cybersecurity - including one that would place new security requirements, enforceable by the federal government, on certain elements of critical private sector networks - but the White House has yet to weigh in with a position on any of them.

"There's a degree of caution about what direction to move, how far to move," said James A. Lewis, a cyber and national security expert at the Center for Strategic and International Studies. "You've got a lot of agreement on what the problem is but very little agreement on the solution, both within the government and outside."

Officials have warned of the dangers of failing to address the threat, saying that a sophisticated cyberattack could cripple U.S. computer networks.

The Pentagon's second-in-command, Deputy Secretary William J. Lynn III, recently disclosed details about the "most significant breach of U.S. military computers ever," in which a foreign intelligence agency used a flash drive infected with malicious code to spread a rogue program undetected through classified and unclassified systems.

In a recent article in Foreign Affairs, he also noted that more than 100 foreign intelligence organizations are trying to hack into the military's digital networks. Indeed, the Pentagon has been battling a series of significant and long-standing intrusions into military networks by foreign adversaries looking to steal secrets worth potentially billions of dollars in terms of information technology and development of military capability, sources said.

Lynn asserted that the threat to intellectual property of businesses, universities and the government may be "the most significant cyberthreat" facing the country. He cited the case of Google, which in January disclosed it had lost significant intellectual property as the result of a network intrusion originating in China.

The president's cyber coordinator, Howard Schmidt, said in an interview that the administration was deliberating the appropriate regulatory role for the federal government, but the emphasis must be on collaboration. "It's very clear," he said, "we've recognized it's a partnership."

He noted that officials have reduced the number of government "gateways" to the Internet, which makes network monitoring easier; begun connecting federal network security centers so that technicians can better see what's happening on computers across the government; and crafted a national cyber emergency response plan.

He has also touted a proposal to enable computer users, if they wish, to obtain a "smart identity card" that authenticates their identity for online banking and other online transactions.

"Are we more secure than last year? Absolutely," he said. "Is the private sector more engaged? Absolutely. We're better off now than we have been, and we'll continue to strive to get better."

Indeed, one sign of the private sector's engagement is an increase in the number of leading technology firms that, spurred by government contracting rules, have adopted a common lexicon to describe computer configurations and vulnerabilities. The increasing adoption of these protocols by firms such as Symantec, McAfee and Microsoft is making more feasible the automated monitoring of networks to detect and patch vulnerabilities more rapidly, officials say.

The Department of Homeland Security - which is responsible for protecting civilian government systems and helping to secure commercial networks - would like to see such "continuous monitoring" applied across the entire federal government and beyond, said Phil Reitinger, deputy undersecretary of the National Protection and Programs Directorate.

"We certainly want to build out a fundamentally more secure ecosystem that can be adopted by the private sector as well," he said.

Despite such advances, experts say that DHS remains beset by bureaucratic challenges, a lack of authority to demand results from civilian agencies, and a plethora of other priorities - including combating domestic terrorism, securing the borders and enforcing immigration laws.

DHS has struggled to implement Einstein 3, a program that is supposed to detect and block malicious software before it enters government networks.

More than a year after the department said it was moving forward, the program remains in pilot mode, in part because DHS has been unsure whether to use technology from private industry or from the ultra-secret National Security Agency. The agency has powerful electronic surveillance capabilities, but its involvement might raise privacy concerns.

Civil liberties advocates, for instance, are wary of any potential effort to extend government monitoring to the private sector, despite Obama's pledge that the government would not do so. "If the NSA is planning to play a broader role in cybersecurity authority, it must be subject to the same open government obligations of other federal agencies," said Marc Rotenberg, executive director of the Electronic Privacy Information Center, which on Monday filed a lawsuit to force NSA to disclose information on any assistance it provided Google following the attack on its networks.

Defense officials believe that NSA's advantage over industry is its ability under law to infiltrate adversaries' computers overseas to obtain never-used malicious code. NSA can then attempt to ensure those codes are blocked from military networks.

But DHS has also been under pressure to explore commercial alternatives. Telecom companies, for instance, say that they have vast data sets of malicious code that they have amassed over years of monitoring their own networks for threats.

The NSA technology is being tested at the Agriculture Department, on the networks of the telecommunications giant AT&T. But DHS has made no decision on deployment, said an industry official.

"They don't have a strategy," an industry official said. "They don't have a plan. They keep going around in circles."

Reitinger acknowledged DHS is still developing its strategy for Einstein 3, but said, "We're moving forward as rapidly as possible."

At the Department of Defense, a new U.S. Cyber Command to protect military networks has been launched, leveraging the NSA's potent abilities. But even Cyber Command, which is led by NSA Director Gen. Keith Alexander, must work through concerns over privacy, private sector liability and legal authorities.

Perhaps nowhere is this more pronounced than in the debate over how to ensure critical industries are protected. Both the Pentagon and DHS are trying to deepen partnerships with the private sector. The Pentagon is concerned that foreign adversaries such as China have siphoned from companies great amounts of technical weapons systems data.

In June, Lynn directed the development of a voluntary pilot program with defense contractors in which a consortium of Internet service providers would monitor companies' traffic for threats, using malware signatures and other data provided by DOD, according to industry officials.

Companies have raised concerns, including cost and the fear that the program could become an unfunded mandate. Some firms feel that they can do the job themselves, if the government would provide them timely data.

"The debate," said a former Pentagon official, "is a healthy one - to figure out how to accommodate corporate America's legal responsibilities to shareholders while respecting the legitimate national security concerns of the Defense Department."

But technical measures alone will fail without bolder steps globally, argued Rob Knake, a cyber expert at the Council on Foreign Relations, who on Monday started a new job at DHS. The White House should establish a "declaratory policy" that puts adversaries on notice as to how it will view aggressive acts, he said. "We're simply being outmaneuvered in the international forums that will determine the future of the Internet, by China, Russia and other countries."

© 2010 The Washington Post Company