Ned Einsig, Computer Systems Analyst,
United States Department of Defense
Cyber security is a critical part of our national security plan in the 21st century. Critical infrastructure relies on our cyber capabilities now more than it ever has. Assets that depend on information systems include transportation, financial systems, healthcare, energy, communication, manufacturing, and several other areas. The threats brought on by breaches, malware, ransomware, social engineering, and denial of service (DoS) attacks are constantly carried out by rogue governments, terrorists, criminals, and showoffs. The government felt that the role of cyber was so important that in 2008 President George W. Bush introduced the Comprehensive National Cybersecurity Initiative (CNCI) to lay the groundwork for information security that would keep our nation safe. President Obama further expanded upon the initiative by determining that its activities should be part of a broader U.S. cyber security strategy. Another part of his new strategy was better transparency with the public, which is why the CNCI was declassified in 2010. The CNCI was part of the 54th National Security Presidential Directive (NSPD) on Cyber security Policy. This directive was meant to address updated security threats, anticipate future threats, and protect the confidentiality, integrity, and availability of both classified and unclassified networks. There are a total of twelve initiatives within the CNCI that affect multiple federal agencies, including the Department of Homeland Security (DHS), the Office of Management and Budget (OMB), and the National Security Agency (NSA).
While the CNCI is a government-wide initiative that affects just about every branch at the federal level, a few agencies played a larger role. From development to implementation, the DHS, NSA, or OMB were involved in carrying out each individual initiative. That was because of the unique role that each of these agencies plays in the federal government's cyber security mission. The DHS was originally the Office of Homeland Security, created in response to the September 11th attacks. In November of 2002 that office became a department with five key missions. Those missions were to prevent terrorism, secure our borders, enforce immigration laws, safeguard cyberspace, and improve national preparedness and resilience. Agencies under the DHS include U.S. Customs and Border Protection (CBP), the Transportation Security Administration (TSA), the Coast Guard, the Secret Service, and the Federal Emergency Management Agency (FEMA). An office within the DHS called the National Cybersecurity Center (NCSC) handles information on systems belonging to the NSA, FBI, DoD, and DHS. This office was created from NSPD 54, the same legislation that created the CNCI.
On October 24, 1952 the NSA was born under great secrecy. The two primary missions of the NSA are information assurance and signals intelligence. Under the mission of information assurance, the agency is responsible for the protection of federal communications. It is the largest intelligence agency on the planet and is believed to be capable of intercepting and storing 1.7 billion communication acts per day. The agency's headquarters in Ft. Meade uses as much power as the city of Annapolis. While there is much controversy over the agency's domestic signals collection, the information assurance mission remains unchallenged.
The GAO was formed in July of 1921 for the purposes of auditing, evaluating, and carrying out investigations for the U.S. Congress. It is the premier auditing institution within the federal government. The GAO handles mostly financial audits to hold the government accountable for its spending, but it will also do security audits on federal cyber security systems. According to 2014 reports, 17 of 24 investigated federal agencies had inadequate information security controls.
The Comprehensive National Cybersecurity Initiative (CNCI) is a vital part of NSPD 54. It laid out initiatives for the federal government with timeframes for multiple agencies to meet these goals. A few examples of these initiatives include, but are not limited to, having the OMB enhance the Einstein program and reduce external access points in coordination with the Secretary of Homeland Security, and educating the existing cyber workforce of the federal government to guarantee capable individuals and shore up specialized skillsets. Another goal would be for the Office of Science and Technology Policy to come up with plans that would expand cyber research to sustain our technological superiority in cyberspace.
According to the White House website there are twelve initiatives within the CNCI that impact our national cybersecurity. The Cybersecurity Coordinator put forth a summary explanation of the CNCI for the public. The first initiative was directed towards Trusted Internet Connections (TIC). The OMB and the DHS took primary ownership of this goal to reduce the number of external access points and set up a security baseline. This change to a single federal enterprise network consolidated security efforts for agencies.
The second initiative was to install an enterprise-wide intrusion detection system (IDS) that would be capable of finding out when and where unauthorized access was attempted and identifying malicious content. To make this happen a new technology called Einstein 2 would be implemented. The system is capable of providing alerts in real time and presenting information in a visual format. Resources were invested to acquire the manpower to utilize this system, and now analysts have an improved awareness of what is going on within our networks and the vulnerabilities they have.
Yet another decision made was to roll out an intrusion prevention system (IPS) called Einstein 3. This third initiative is where the assistance of the NSA would come into play for the purpose of adapting cyber threat signatures to the latest threats. The NSA has also been involved in piloting and developing Einstein 3 to assist the DHS. Intrusion prevention works differently from intrusion detection in that rules can be set that automate network defense countermeasures during an attempted breach.
Initiative four called for better coordination and redirection of our federal research and development (R&D) undertakings. The main goals of this effort were to prioritize, make sure that efforts were not being doubled, and fill gaps in research. The desired outcome of this initiative was less wasteful spending of taxpayer dollars and better outcomes for R&D.
The fifth initiative challenged the federal cyber operation centers to improve their current situational awareness. To achieve this they would have to ensure that agencies were sharing information and taking advantage of each agency's unique proficiencies to build the best national cyber defense cooperative conceivable. The improved collaboration would enhance federal capacity in all cyber mission areas. A new office within the DHS called the National Cybersecurity Center was created to oversee this objective and protect U.S. government communication networks. It would also share data between the FBI, NSA, Department of Defense (DoD), and the DHS.
Sixth on the initiative list would be to design and execute an enterprise-wide cyber intelligence strategy. The goal of this would be to deter and mitigate threats to both federal and private sector computer networks. The plan called for the expansion of our current cyber counterintelligence (CI) education and awareness programs. The cyber CI plan works hand in hand with the National Counterintelligence Strategy of the United States of America from 2007 and is to support other components of the CNCI plan.
The goal of the seventh initiative put forward would be to increase the security of our classified networks. Classified information is anything deemed top secret, secret, or confidential by the United States government. Examples of the type of information that can be found under these distinctions include information relating to war strategy, diplomatic relations, counterterrorism, law enforcement, and intelligence.
The eighth initiative was set forth to expand cyber education programs. The government realized that an information system is only as good as the people who run it. In response they started a cyber-education upgrade comparable to the science and mathematics upgrades we saw in the 1950s. The NSA partners with educational programs such as the Security and Risk Analysis (SRA) major at Pennsylvania State University. These partnerships label an educational system as a Center of Academic Excellence (CAE). The DHS and NSA also gave this label to the University of Maryland's Cybersecurity Center (MC2).
Moving on to the ninth CNCI initiative, the goal was set forth to define and develop enduring "leap-ahead" technology, strategies, and programs. The goal here was to be thinking five to ten years in advance and prepare for serious cybersecurity threats. In this focus area they encouraged 'out of the box' thinking in order to predict some of the grand challenges we would face. The government also made it a priority to communicate with the private sector in this effort in hopes of seeking out the best mutual outcomes.
In order to secure cyberspace you need methods to deter your adversaries. This is the tenth initiative in the CNCI and an important one. It calls for senior policymakers to think beyond traditional approaches and think about long-range calculated alternatives. The proposed measures included ramping up warning capabilities, finding roles for the private sector and worldwide allies to play in the cybersecurity community, and implementing responses to actions from both state and non-state actors.
Eleventh on the CNCI initiative list requests an approach for global supply chain risk management. This initiative tackles the risks brought on by globalization of our commercial information supply chains. There must also be support for devices and services throughout their lifecycle. There is also a call for action to work with private sector industry leaders to manage and mitigate risks to the supply chain.
The twelfth and final initiative rolled out by the CNCI stated that the federal government would have to define its role in spreading cybersecurity to our critical infrastructure. The government itself relies on many private sector resources that are susceptible to cyber-attack. The American population also depends on Critical Infrastructure and Key Resources (CIKR). This initiative builds on preexisting cooperative efforts between the government and private sector vendors of critical infrastructure. To make this happen the DHS and its private sector companions have set forth a series of milestones, with both long-term and short-term goals put forth to reach them. Finally, the initiative puts a focus on sharing information on cyber threats between the public and private sectors so both sides can maintain the best awareness possible.
The level of secrecy in government and the amount of time needed to make these initiatives happen make it difficult to do a full spectrum analysis of how the government has implemented the CNCI. In spite of that, there is evidence to be found from both government and private sector organizations that the CNCI is making an impact.
Einstein was a great physicist, Nobel Peace Prize winner, and he helped start the Manhattan Project in World War II. Einstein is also the name of two systems developed by the United States Computer Emergency Readiness Team (US-CERT) under the DHS for the purposes of intrusion detection and prevention. Einstein 1 was initially developed for the purpose of creating "situational awareness" within civilian agencies. Einstein 1 was developed in 2003 and deployed a year later. One state government that deployed Einstein 1 was Michigan, for the purpose of collection and analysis of network security information. Einstein 1 monitors the IP addresses, ports, times, and protocols of all network communication for the purpose of reactive security.
Einstein 2 was a much needed update to the Einstein program, released in 2008. The big difference between Einstein 2 and its predecessor is that it can do more than just passively observe network traffic. The new system could alert when malicious activity occurred on the network and offer insight as to the nature of the threat. This is where reactive network security became active network security. In November of 2007 the OMB mandated that the rollout of any trusted internet connection (TIC) would require the use of an Einstein 2 system. Intelligence collected from the Einstein 2 program reports that there are over 5.4 million intrusion attempts on the federal government in a single year.
The most recent and advanced release to date was the Einstein 3 Accelerated (E3A) system. E3A was developed and released with the help of the NSA, going live in 2013. What makes the new system different is that it not only detects threats but acts upon them. To use an analogy, instead of being alerted that an enemy missile is on its way to your base, the system would automatically shoot it down without human interaction. E3A would also be capable of deep packet inspection and the use of indicators based on recognized suspected malicious behavior. Another major change to affect E3A is that it was now designed to provide a managed security service through Internet Service Providers (ISPs). This was pushed by the DHS after the OPM cyber incidents of 2015 that put the records of 4.2 million people at risk. As of late 2015 the massive private sector companies AT&T, Verizon, and CenturyLink adopted E3A firewalls to filter traffic on government networks. After AT&T joined in November of 2015, the Vice President of Technology, Chris Smith, wrote the following blog post: "Today, information is currency, power and advantage. The combination of government threat information and commercial threat indicators boosts our ability to help the federal government and businesses in their ongoing fight against cyber threats." (Boyd, Web.).
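The three Einstein tiers described above (passive flow monitoring, alerting on indicators, and automated in-line blocking) can be modelled on a handful of flow records. The block below is an added illustration, not code from the Einstein program or from US-CERT; the flow format, the indicator list and the beaconing heuristic are all constructed for the example.

```python
"""Toy model of the Einstein 1 / 2 / 3 tiers on constructed flow records."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One network flow: the metadata Einstein 1 is described as collecting."""
    ts: int      # seconds since start of capture
    src: str
    dst: str
    dport: int
    proto: str


# Constructed sample: one normal HTTPS session and one host calling a listed
# destination every 60 seconds (a beaconing pattern). Addresses are RFC 5737 examples.
SAMPLE_FLOWS = [
    Flow(0, "10.1.1.5", "198.51.100.20", 443, "tcp"),
    Flow(5, "10.1.1.5", "198.51.100.20", 443, "tcp"),
    Flow(0, "10.1.1.9", "203.0.113.7", 8443, "tcp"),
    Flow(60, "10.1.1.9", "203.0.113.7", 8443, "tcp"),
    Flow(120, "10.1.1.9", "203.0.113.7", 8443, "tcp"),
    Flow(180, "10.1.1.9", "203.0.113.7", 8443, "tcp"),
]

# Constructed indicator list; the page mentions signatures but publishes none.
BAD_DESTINATIONS = {"203.0.113.7"}


def tier1_summarize(flows):
    """Einstein 1 style: passive accounting of who talked to whom, no verdict."""
    counts = defaultdict(int)
    for f in flows:
        counts[(f.src, f.dst, f.dport, f.proto)] += 1
    return dict(counts)


def tier2_alert(flows, indicators, min_beacons=3):
    """Einstein 2 style: raise alerts from indicator matches and a simple
    fixed-interval (beaconing) heuristic; nothing is blocked."""
    alerts = set()
    by_pair = defaultdict(list)
    for f in flows:
        if f.dst in indicators:
            alerts.add(("indicator-match", f.src, f.dst))
        by_pair[(f.src, f.dst)].append(f.ts)
    for (src, dst), times in by_pair.items():
        gaps = [b - a for a, b in zip(times, times[1:])]
        # at least min_beacons connections, all separated by the same interval
        if len(gaps) >= min_beacons - 1 and len(set(gaps)) == 1:
            alerts.add(("beaconing", src, dst))
    return sorted(alerts)


def tier3_prevent(flows, indicators):
    """Einstein 3 style: the same indicator match becomes an in-line block decision."""
    passed, blocked = [], []
    for f in flows:
        (blocked if f.dst in indicators else passed).append(f)
    return passed, blocked
```

Running the three functions over `SAMPLE_FLOWS` shows the progression the essay describes: tier 1 only counts the repeated connections, tier 2 names them as an indicator match and a beacon, and tier 3 drops them.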
The Einstein program alone touched on many of the initiatives put forth by the CNCI. Trusted connections, intrusion detection, and intrusion prevention from the first three initiatives were settled by the Einstein program. Initiative seven, to increase the security of classified networks, received major help from the program as well. The fifth initiative set the goal of enhancing situational awareness, which Einstein certainly helped with too. Based on the fact that ISPs are now using Einstein 3 themselves, an argument could be made that the government is protecting critical infrastructure by providing this technology to the companies that run the cyber backbone of the United States.
Another result of the CNCI would be the Utah Data Center, officially titled the Intelligence Community Comprehensive National Cybersecurity Initiative Data Center. Completed in May 2014 at an estimated cost of 1.2 billion dollars over the three years of its construction, it was the largest ongoing DoD project. The facility was built to support the intelligence community's mission to keep America safe. The data center was made for NSA use and has sparked controversy as to why a facility that big is mandatory. Leaked media documents have related the facility to mass collection of communication data, but no official evidence has been released. The facility is believed to be capable of retaining five thousand servers that could hold up to five zettabytes of data. To match this amount of data you would need one trillion gigabytes or 62 billion iPhones. Outsiders believe that the NSA is using a custom UNIX operating system to help protect its information. It is likely that the Utah Data Center was implemented not only because of a need for more information storage but also because of the sixth initiative of the CNCI to expand our counterintelligence abilities.
While these two advances in infrastructure and technology certainly get the ball rolling, more needs to be done to make sure all twelve of these goals are met. The DHS and NSA lead the way in what is called the Networking and Information Technology Research and Development (NITRD) program. Over twenty government agencies participate in this program, including the DHS, Department of Justice (DOJ), National Aeronautics and Space Administration (NASA), and the Department of Commerce (DOC). The fourth initiative of sharing and coordinating R&D efforts is well on its way because of this NITRD program, which was originally started in 1991 under the title 'High-Performance Computing Act'.
In 2008 another component of the CNCI, initiative nine, called for leap-ahead technology, which is again commonly a task carried out by the DHS and NSA. In 2009 an event was held called the National Cyber Leap Year Summit that brought forward ideas that could improve cyber defense. Among the ideas brought forward by this event were enabling hardware to counter attacks by making security a priority in hardware design, and a cyber 'interpol' that could enforce international cyber law and carry out investigations of cybercrimes that cross borders. This event had 150 researchers from not only government but also industry and academia. The DHS also has a continuous diagnostics and mitigation (CDM) program to stay on the cutting edge of technology. The goal of the CDM program is to expand diagnostic capabilities through higher network sensor capacity and prioritizing risk alerts.
Finally, in 2014 the DHS implemented a program to address the twelfth initiative of the CNCI, which was to extend cyber security into the critical infrastructure of the private sector. The Critical Infrastructure Cyber Community (C3) voluntary program is a partnership with the private sector to support its efforts to use the National Institute of Standards and Technology (NIST) cyber security framework. This program focuses on handling cyber risks from an all-hazards approach at the enterprise level. Some of the services of the C3 program include the cyber resilience review (CRR), consultation in implementing the cyber security framework, and a central location to share knowledge. There are incentives offered by the government for involvement in the program. Among these incentives are cyber security insurance, grants, and public recognition. This program is important in that it provides a central location and easy starting point for private sector entities to seek out help in implementing the best cyber security possible.
Cyber security is a critical part of our national security plan in the 21st century. The Comprehensive National Cybersecurity Initiative (CNCI), enacted by the Bush administration and supported by the Obama administration, has helped the U.S. advance cyber defense by leaps and bounds. The Einstein program has advanced our firewall technology to automate network defense. The Utah Data Center, while controversial, will aid in the government's future intelligence mission. Education programs in schools will beef up our cyber workforce to understand and respect the complex threats we face moving forward. Investments of time and effort into leap-ahead technology will keep the government competitive with its adversaries. Finally, the Critical Infrastructure Cyber Community (C3) voluntary program opens the door to the private sector so we can secure critical infrastructure and have cyber security cooperation in America. Moving forward, the CNCI will need to be updated and further pursued. It was a critical first step that has made the United States a safe place to utilize cyber, and can remain so in the years ahead.