“Cybersecurity” is one of those hot topics that has launched a thousand seminars and strategy papers without producing much in the way of policy. But that’s beginning to change, in one of 2011’s most important but least noted government moves.
This summer, with little public fanfare, the Obama administration rolled out a strategy for cybersecurity that couples the spooky technical wizardry of the National Security Agency with the friendly, cops-and-firefighters ethos of the Department of Homeland Security. This partnership may be the smartest aspect of the policy, which has so far avoided the controversies that usually attach themselves like viruses to anything involving government and the Internet.
The new initiative was explained at a conference here last week sponsored by the Aspen Strategy Group, a forum that has been meeting each summer for 30 years to discuss defense issues. Among the participants were the two people who helped frame the plan, William Lynn and Jane Holl Lute, the deputy secretaries of defense and homeland security, respectively.
What’s driving the policy is a growing recognition that the Internet is under attack — right now, every day — by foreign intelligence agencies and malicious hackers alike. Experts cite some frightening examples: An attack in May on Citigroup, in which hackers stole credit card information on 360,000 clients; a still-mysterious assault last October on the Nasdaq stock exchange; a 2009 breach of the U.S. electrical grid by Russian and Chinese intruders; and a 2009 heist of plans for the F-35 joint strike fighter.
And that’s just what’s public. McAfee, the computer security firm, registers 60,000 new bits of malicious software every day. But classified estimates are said to be much scarier — with a hundred attacks for every one that’s publicly disclosed. It’s good to be skeptical about such unspecified threats — when officials warn direly, “If only you knew what we know” — but in this case, the danger is obviously real. The question is what to do about it.
The heart of the new cyberdefense strategy is to spread the use of secret tools developed by the NSA. For example, the spy agency devised a system known as Tutelage to defend against malicious intrusions of military networks; a DHS version called Einstein 3 is now being used to protect civilian agencies. These systems are known as “active defense” because they use sensors and other techniques to block malicious code before it can affect operations.
This summer’s big innovation was using the government’s expertise to begin shielding the nation’s critical private infrastructure. In late May, the Pentagon and Homeland Security launched what they called the DIB Cyber Pilot (that’s short for “defense industrial base”). To protect about 20 defense companies that volunteered for the experiment, Homeland Security worked with four major Internet service providers, or ISPs, to help them clean malicious software from the Internet feed going to the contractors.
What made this recipe powerful was that the NSA provided what officials like to call its “special sauce,” in the form of electronic signatures of malicious software, which the NSA gathers 24-7 through its intelligence network.
The experiment has been running for 90 days now, and officials say that it’s working. The ISPs have blocked hundreds of attempted intrusions before they could get to the defense companies. The lesson for Lynn: “It’s possible for the government to share threat information with private industry” under existing laws.
The National Security Council soon will be debating whether to extend this pilot program to other sectors of critical infrastructure. Obvious candidates are the big financial institutions supervised by the Treasury Department and the national laboratories and nuclear-energy facilities overseen by the Energy Department. Two questions down the road are whether to set regulatory standards that require all ISPs to provide a clean Internet pipe to key users and how to extend protection to the huge and nakedly vulnerable world of the dot-coms.
Here’s what I took from five days of discussion: The Internet was deliberately built with an open architecture, which was once its greatest strength but is now a vulnerability. Regulatory norms may be useful (just like fire codes and clean-water standards). But real security will come when it’s a moneymaker for private companies that want to satisfy public demand for an Internet that isn’t crawling with bugs.
The NSA can help by sharing its secret tools. But it needs a civilian interface, in Homeland Security, to reassure the public that this is about security, not spying.