Cyber Security Update

Posted by: Lynn McNulty in IT/Cyber Security

Introduction.  The Obama administration has inherited a very complex and potentially costly problem from its predecessor: cyber security. While the terms used to characterize this problem have changed over the years from computer security to information systems security to information assurance, this paper will use the theme du jour, cyber security, to refer to this significant issue. The problem of securing the government’s information systems is long-standing, dating back to the early 1970s. The debate over the government’s cyber security posture has taken many different forms, encompassing privacy, national security, continuity of operations, critical infrastructure protection, internal controls, and other important concepts. This paper will provide a perspective on the current status of the government’s cyber security program.

Background.  In January 2008, it was announced that President Bush had signed a combined National Security/Homeland Security directive establishing the Comprehensive National Cybersecurity Initiative (CNCI).  The existence of this program had been publicly discussed for the previous four or five months, as the Baltimore Sun, in its September 30, 2007 edition, featured a story entitled “NSA to defend against hackers”.  This story resulted in some public discussion of the CNCI, including some Congressional inquiries.  The genesis for this initiative appears to be a series of penetrations into various US government networks and databases by foreign government entities.  The Chinese are identified as the most culpable in these activities, but given the global connectivity afforded by the internet, these penetrations could have been accomplished by a variety of nation states or sophisticated criminal gangs.

The formal policy document, signed by the President in January 2008, is classified, but various Bush administration officials have talked publicly about the program over the past six months, to the point that it is possible to identify the twelve basic components of the CNCI.  These are:

  • Move towards managing a single federal enterprise network.  This is an OMB-led program that includes a significant reduction in the number of federal agency internet access points (TIC) and the adoption of a common Federal Desktop Core Configuration standard for MS Windows-based systems.
  • Deploy intrusion detection systems.  This program focuses on the deployment of a government-developed sensor, called Einstein, at agency/department internet access points.  The Einstein sensor will be supplied with signature profiles provided by the intelligence community.  DHS is the principal agency for this program.
  • Develop and deploy intrusion prevention tools. There will be an evolution of Einstein from version 1 to version 3 and possibly 4.  This tool will move from intrusion detection to intrusion monitoring capabilities.
  • Review and potentially redirect research and related funding.  The government research community is reviewing current cyber-related research programs and priorities and seeks to identify “leap ahead” technologies for priority funding.
  • Connect current government cyber operations centers.  There are six primary cyber operations centers in the federal government.  These were enumerated in a draft piece of legislation that did not emerge from the last Congress.  The goal is to improve the sharing of threat information between these various operational entities.
  • Develop a government-wide cyber intelligence program.  This will seek to leverage and coordinate the efforts of the various intelligence agencies involved in the cyber threat issue.
  • Increase the security of classified networks.  If we can’t secure these networks, then the rest of the government’s cyber security program is at risk.
  • Expand cyber education.  This project pertains to the expansion of the cyber security workforce.  In a recent presentation, Admiral Brown, Acting Assistant Secretary of Cybersecurity and Telecommunication at DHS, stated that this component had been refocused to deal with the federal government’s cyber workforce.
  • Define enduring deterrent technologies and programs.  This appears to refer to the outreach program to create the National Cyber Security Center directed by Rod Beckstrom of DHS.
  • Develop multi-pronged approaches to supply chain risk management.  This project seeks to mitigate the risks posed by the globalization of the IT supply chain and to address the security issues resulting from the off-shore production of computer software, firmware and hardware components that find their way into the US government inventory.
  • Define the role of cyber security in private sector domains. Because much of the nation’s infrastructure is owned and operated by the private sector, the government must find ways to partner with the companies and other non-government entities to prevent hostile intrusion into vital national networks.  

Current Developments.  For the first time in a presidential campaign the cyber security issue actually attracted the attention of both major party candidates.  The Obama campaign issued a fairly specific statement on the need to improve the nation’s cyber security posture.  Shortly after being inaugurated as the 44th President, Mr. Obama issued a homeland security agenda document.  In the field of cyber security, this agenda included six major points:

  • Strengthen federal leadership on cyber security.
  • Initiate a safe computing R&D effort and harden our nation’s cyber infrastructure.
  • Protect the IT infrastructure that keeps America’s economy safe.
  • Prevent corporate cyber-espionage.
  • Develop a cyber crime strategy to minimize the opportunities for criminal profit.
  • Mandate standards for securing personal data and require companies to disclose personal information data breaches.

While there are some areas of overlap between the components of the CNCI and the cyber component of the new President’s homeland security agenda, it is interesting to note the addition of privacy and crime prevention concerns to the list of national priorities.

One of the major factors that will underscore the approach of the Obama administration to the cyber security issue will be how it chooses to respond to the recommendations set forth in the report produced by the working group sponsored by the Center for Strategic and International Studies.  Entitled “Securing Cyberspace for the 44th Presidency”, this document was issued on December 8, 2008 and sets forth a comprehensive set of recommendations for addressing the cyber security issue in the Obama presidency.  One of the most significant of the many recommendations was the creation of a “National Office for Cyberspace” within the Executive Office of the President that would be headed by an Assistant to the President for Cyberspace.  It is envisioned that the new National Office would have the authority to coordinate cyber security matters across the government.  The CSIS report also recommends that this new office develop and maintain a national strategy to secure cyberspace.

While there is no concrete information about whether or not the new administration will adopt this recommendation, there does appear to be some evidence that the President will appoint a special assistant for cyber security at some future date.  It is also interesting to note that shortly after taking office, the new Secretary of Homeland Security, Janet Napolitano, ordered a study of the Department’s cyber security program and strategies to be accomplished on a priority basis.  The results of this review will be provided to the Secretary by the end of February.

As the new administration is getting organized, several key positions in the cyber security program remain filled by individuals from the previous administration.  Among these is Melissa Hathaway, Cyber Coordination Executive for the Office of the Director of National Intelligence.  This office is the driving force behind the CNCI and underscores the national security orientation of this program. While Ms. Hathaway is a career Senior Intelligence Service executive, it will be interesting to see what changes the new Director of National Intelligence, Admiral Dennis Blair, makes in the program and its management.  According to one press report, Admiral Blair emphasized at his confirmation hearing the leadership role of the intelligence community, “in particular the National Security Agency—had in protecting networks”.

Another senior official who, for the present, is continuing in his current position is Admiral Mike Brown, the Acting Assistant Secretary for Cyber Security and Communications, Department of Homeland Security.  In this capacity, Admiral Brown is overseeing the implementation of the TIC and Einstein components of the CNCI and the operation of the US CERT—an umbrella organization that supports the majority of DHS’s operational cyber security program.

Conclusion.  This is the first in a continuing series of updates on the government’s cyber security program.  While much of the CNCI remains obscured by the shroud of classification, it is hoped that the new administration will bring some additional transparency to this program.  It is also anticipated that the new Congress will be an active participant in the cyber security issue by exercising its oversight responsibilities and through the introduction of new legislation focused on this problem.

 
