Cyber security plans assailed

The Baltimore Sun

In a stinging rebuke, members of Congress from both parties are challenging a $17 billion plan that the Bush administration put on a fast track earlier this year to secure the nation's cyber networks from terror threats and foreign spying.

Critics say the administration's plan to label virtually every part of the project as classified would make adequate oversight impossible.

They also complain that some of the technologies poised to receive funding are "not mature" and that some projects deal more with foreign intelligence collection than protecting America's computer systems. Those systems have grown in recent years to manage nearly all aspects of life, including the flow of electricity, commerce and information.

"For all its ambitions, the cyber initiative sidesteps some of the most important issues that must be addressed to develop the means to defend the country," members of the Senate Armed Services Committee wrote in a report released last week.

In January, President Bush created the initiative, described by intelligence professionals as one of extraordinary scope that will rival in importance the Manhattan Project, the successful World War II-era effort to build the first atomic bomb.

The initiative draws on significant support from the National Security Agency and includes:

Creating a National Cybersecurity Center, akin to the National Counterterrorism Center that coordinates the resources and activities of numerous government agencies.

Reducing the number of federal government Internet connections from 4,000 or more to 50, which will further protect them.

Forming an emergency readiness team to monitor and respond to cyber-threats.

Creating a secure operating system for government computers, and also a computer-monitoring system called "Einstein" designed to look for potential security lapses or major attacks.

Department of Homeland Security officials are heading the project, called the Comprehensive National Cybersecurity Initiative. A spokesman for the agency declined specifically to address the committee's report or other criticisms.

This year, money allocated for the initiative will exceed $1 billion, said several analysts and sources familiar with its budget.

Committees balk

But at least two congressional committees asked the administration this month to scale back the effort. The administration's request for a cloak of high-level secrecy on a program aimed at global "warfare deterrence" seemed paramount in the criticisms. Many classified congressional briefings and hearings in recent months have done little to blunt accusations of unnecessary secrecy.

In letters to Homeland Security officials, several lawmakers noted instances in which committee members were told that certain projects were classified, only to discover that the administration later publicly disclosed them.

"A consensus has developed ... that the administration must do a better job of sharing information with Congress, the private sector and other stakeholders if the National Cyber Security Initiative is to succeed," said Sen. Joseph I. Lieberman, a Connecticut independent who chairs a Senate committee that oversees aspects of the program.

Even in the midst of the Cold War nuclear conflict, lawmakers noted in last week's report, superpowers shared information - if not about weapon designs, then at least about delivery and the circumstances for how weapons might be used.

The Cold War comparisons are no accident, analysts said, as the Defense Department has grown more wary of the ability of Chinese hackers to infiltrate U.S. government systems - as well as the efforts of other governments, terrorists, recreational hackers or "cyber-vigilantes."

"It is difficult to conceive how the United States could promulgate a meaningful deterrence doctrine if every aspect of our capabilities and operational concepts is classified," wrote members of the Senate Armed Services Committee. They "strongly" urged the administration "to reconsider the necessity and wisdom of the blanket, indiscriminate" decisions to classify aspects of the program.

Steven Aftergood, director of the Project on Secrecy for the Federation of American Scientists, called the comments "unusually direct and critical."

"Government intervention in Internet security raises questions for a lot of people," Aftergood said. "Does it imply surveillance? Does it imply unwanted monitoring of legal but private Web activity? What kinds of abuses might become possible that were impossible in the past? There are lots of legitimate questions about this activity that cannot be addressed as long as the program is highly classified."

"Secrecy here is not just unnecessary; it's counterproductive," he added.

The difficulty in revealing too much, however, is that it can telegraph any vulnerabilities, said Danny McPherson, the chief researcher at Arbor Networks, an information security company.

"In our industry, we call it 'security through obscurity,'" he said. "If you don't know what's there, other people can't vet it and secure it. But, on the other hand, if they're not aware of what's there, then attackers have less of an idea of what to target. Being a patriotic guy, I understand why you can't say too much. But depending on how close you hold your cards, there could be some gaping hole in there that you just overlook."

While lawmakers have lauded the creation of such a comprehensive security effort, other aspects of the program in addition to its secrecy have come under fire.

In a May 1 letter, Lieberman and Sen. Susan Collins, a Maine Republican, wrote Homeland Security Secretary Michael Chertoff to raise questions about the department's attempt to use contract employees without detailing what role they would play, and expressed concerns about why private companies had not been more involved in the initiative.

"The private sector controls the vast majority of our nation's cyber infrastructure and is an important partner in our efforts to protect government systems," the senators wrote. "Identifying the actions necessary to secure private networks must be a long-term goal."

Private sector's role

In a speech at a security conference last month, Chertoff spoke candidly about potential cybersecurity threats and the work needed to minimize them, emphasizing what he described as the critical role of the private sector. Protection of the networks "has got to be a shared function" between private industry and government, he said.

But James Lewis, director of the Center for Strategic and International Studies' Technology and Public Policy Program, said too much reliance on the private sector to secure U.S. computer systems could pose problems.

"We've depended on the private sector for 10 years, and that's why we've had a number of disasters," he said, referring to several highly publicized hacking incidents. "We need a more active federal role."

Security analysts have worried for years about the havoc a devastating cyber attack could wreak on the nation, including shutting down the financial system to incite panic or cause mass riots through power outages.

The Chinese have stridently denied involvement in recent breaches of the Defense, State and Commerce departments' computer systems. The Pentagon disclosed in June a hacker's successful penetration of one of its e-mail systems, prompting the department to shut down more than 1,000 e-mail accounts.

The Armed Services Committee report also discussed concerns that the initiative had grown to focus too much on foreign intelligence collection.

Ira Winkler, a former NSA analyst who has written and done extensive consulting work on computer security, said most of the concerns reflect the corrosive atmosphere that has developed between Congress and the Bush administration on national security matters.

"Everything is now looked at cynically, and NSA doesn't have as much trust as they did before," Winkler said. "It creates an impact on how much Congress will let them do in the future or how easily they should get permission to do all the things they need to do."

Copyright © 2021, The Baltimore Sun, a Baltimore Sun Media Group publication | Place an Ad