The Comprehensive National Cybersecurity Initiative

What Is It?

That's a question many people have been asking ever since President George W. Bush issued National Security Presidential Directive 54 (a.k.a. Homeland Security Presidential Directive 23) on Jan. 8, 2008. The directive called for the formation of the Comprehensive National Cybersecurity Initiative, and the Bush administration kept that information confidential, as has the Obama administration so far.

Here's what we know.

The Bush administration developed CNCI to improve how the federal government protects sensitive information from hackers and nation states trying to break into agency networks. The Bush White House assembled the initiative after a string of cyberattacks on multiple agency computer systems.

CNCI attempts to unify agencies' fragmented approach to federal cybersecurity by reworking and expanding existing programs and developing new security programs that are better at reducing the risk that networks can be hacked.

The initiative's budget officially has been kept secret, but some cyber analysts estimated it to be $40 billion, spread over several years. According to the Washington Post, Bush's single-largest request for funds in the fiscal 2009 intelligence budget was for CNCI, although specific figures were not released.

A Glimpse Inside

In October 2008, the Bush administration revealed some details about the program -- the biggest glimpse into the initiative to date. The Homeland Security Department revealed CNCI included 12 components that either formalized existing cybersecurity processes or introduced new policies and business practices to better protect computer networks and systems. DHS released details on only a few components, some of which had been previously made public:

Trusted Internet Connections. The Office of Management and Budget announced this program in November 2007 with the goal of decreasing the number of connections that agencies had to external computer networks to 100 or fewer. Officials believe that the fewer connections agencies have to the Internet, the easier it will be for them to monitor and detect security incidents.

TIC requires agencies to use Einstein, an automated system DHS developed that collects security information and then sends it to the U.S. Computer Emergency Readiness Team. Agencies reduced the number of Internet connections by 39 percent in the first four months of 2008, from more than 4,300 to 2,758, OMB reported.

The Bush White House ordered agencies to provide plans of action and milestones to OMB by Oct. 15, and reminded them that TIC services can be bought through the Networx contract. The Obama administration has not yet provided an update on how many more connections agencies have closed down.

Intrusion detection. Michael Chertoff, the Homeland Security secretary during the Bush administration, outlined in a letter to Congress dated July 18, 2008, his plans to deploy sensors in agencies' networks that would detect malicious software and alert the Einstein system to security breaches in real time. The sensors, Chertoff wrote, would provide visibility throughout the federal cyberspace to identify vulnerabilities, risks and how to fight the attacks.

Intrusion prevention. Most cybersecurity specialists say computer networks must be monitored in order to identify cyberattacks before they successfully break into the system. Critics said the initial version of Einstein did not allow for network monitoring or include other intrusion prevention tools, a major flaw of the system. DHS added those capabilities in a later edition of Einstein. Obama requested funds in his fiscal 2010 budget to pay for monitoring and detection tools for the system.

Global supply chain security. There are no standards to secure the flow of goods and services worldwide. This poses huge risks to the global economy from malicious software and hardware, which hackers can implant in equipment and sell to agencies, allowing cyber spies a back door into networks to steal information. The equipment also can find its way into contractors' networks, providing hackers a window into federal systems. How vulnerable the supply chain is to cyberattacks became evident this year when computer networks operated by a Defense Department contractor that supports a major weapons program were breached.

Other CNCI components include research and development, cyber counterintelligence, classified network security, cyber education and training, implementation of information security technologies, deterrence strategies, public-private collaboration and situational awareness.

The Bush administration established the National Cyber Security Center to coordinate information from agencies to secure networks and foster collaboration.

Why So Secret?

The Bush administration said it kept details of CNCI secret for national security reasons. The decision drew criticism.

In May 2008, the Senate Homeland Security and Governmental Affairs Committee sent a letter to DHS requesting specific information about the secrecy of the project. In February 2009, Gregory Garcia, then assistant secretary of cybersecurity and telecommunications at DHS, said, "there was too much classified" under the initiative, "which was not helpful politically and not helpful in getting the word out. We had to walk that line between raised awareness of what was being accomplished and not letting out too much information that could cause us to be targeted. Still, too much was kept secret."

Who Runs the Cyber Show?

Who's in charge of cybersecurity -- and the billions of dollars that come with it -- has been part of the Washington power struggle. DHS and the intelligence community view cybersecurity as part of their mission. The Bush directive authorized the National Security Agency to monitor agencies' computer networks, including systems they had not previously monitored. The DHS deputy secretary announced that Homeland Security would coordinate "the protection of federal networks" that fall within the .gov, .mil and .ic domains.

Ultimately, both were right. The undersecretary for national protection and programs at DHS was charged with directing CNCI, relying on the US-CERT and its Einstein system to monitor agency networks. Defense and intelligence agencies were assigned an operational role, particularly for computer systems and networks deemed more sensitive to national security. Those agencies were expected to focus on counterterrorism efforts.

But the delicate balance of duties was quickly upset when Rod Beckstrom, director of the National Cybersecurity Center, resigned. In a letter dated March 5 announcing his resignation, he expressed frustration over the increasing influence of NSA on cybersecurity, pointing to the agency's high levels of staffing and technology that support cyber initiatives. He also cited the proposed move of two DHS organizations, the National Protection and Programs Directorate and the National Cybersecurity Center, to an NSA facility at Fort Meade, Md. The agency effectively controls DHS cyber initiatives and dominates most national efforts, which Beckstrom called "a bad strategy."

Others believe neither DHS nor the intelligence community should be placed in charge of cybersecurity initiatives. The Commission on Cybersecurity for the 44th Presidency, which was created in October 2007 to provide recommendations in cybersecurity policy for the next administration, said the White House should take the lead in managing the government's cybersecurity program. "We need to let people know that this is part of what a responsible government does," said Jim Lewis, program manager for the commission. "For that to happen, the White House has to push this. People won't listen to another agency telling them what to do."

What's Next?

Obama has not commented publicly about the status of CNCI, but he made clear two months into his presidency that cybersecurity would be a top priority. In February, the White House announced that Melissa Hathaway, who serves as the cyber coordination executive at the Office of the Director of National Intelligence and was senior adviser to the former DNI Mike McConnell, would lead a 60-day review of overall cyber organization and strategy in the federal government.

As senior director for cyberspace for the National Security and Homeland Security councils, Hathaway described the review as an opportunity to start from a clean slate. The review identified more than 250 requirements that a comprehensive cybersecurity program should address. The requirements fall into four areas of interest that officials identified:

-- Governance. How policy coordination and operational activities will be organized across the executive branch.

-- Architecture. How to enable performance, cost and security in cyberspace through standards, research and development, procurement, and monitoring the supply chain.

-- Normative behaviors. How best to introduce laws, regulations and international treaties that encourage a more secure cyberspace.

-- Capacity building. How to bolster resources, activities, research and training to support cybersecurity efforts in the public and private sectors.

Specifics won't be available until results of the review are released, but components of CNCI likely will continue under the Obama administration in some form -- though with greater oversight from the White House. Administration officials confirmed that the White House will not play an operational role in implementing Obama's cybersecurity agenda, but will provide guidance to synchronize agencies' missions and responsibilities, and many suspect a cybersecurity coordination office will be established to directly advise the president.