The Trusted Internet Connections (TIC) Initiative?
Nov 27th, 2007 by John Gerber
“The very concept of information security has undergone a massive refinement over the last decade. Once confined to methods for keeping potentially harmful users out, security is currently much more focused on enabling users to extract value from computing infrastructure—that is, security is concerned with letting the right people access the right information and services in a trusted environment. Security features in IT systems are, in a sense, like brakes on automobiles. Although brakes are used to slow or stop vehicles, their real purpose is to enable drivers to go faster by enabling them to avoid accidents caused by external threats (such as mechanical failure in other vehicles, rude or reckless drivers, road hazards, stop signals and heavy traffic). Better security is an enabler for greater freedom and confidence in the cyber world.” — Computing Research Association (CRA) Report
I do not normally do news summaries, but I was sent an interesting article concerning the Trusted Internet Connections (TIC) initiative. Curious, I started to pull up other news items and found that the Office of Management and Budget (OMB) has been very active lately. First there is the OMB memo from Clay Johnson III. If you have not heard the name before, he is reported to be one of President Bush’s closest friends. His job is not an easy one. He has been tasked with reforming the government in order to make it more effective and efficient. The bottom line is that his words, and memos, are to be taken very seriously. With folks in government, it is wise to read exactly what is stated. With that in mind, here is the complete memo:
M-08-05
MEMORANDUM FOR THE HEADS OF EXECUTIVE DEPARTMENTS AND AGENCIES
FROM: Clay Johnson III
SUBJECT: Implementation of Trusted Internet Connections (TIC)
I am announcing the Trusted Internet Connections (TIC) initiative to optimize our individual network services into a common solution for the federal government. This common solution facilitates the reduction of our external connections, including our Internet points of presence, to a target of fifty.
Additionally, the role of the US-CERT will be enhanced to improve our response capabilities. Each agency will be required to develop a comprehensive plan of action and milestones (POA&M) with a target completion date of June 2008. Initial agency POA&Ms must be sent to the Department of Homeland Security’s (DHS’s) National Cyber Security Division (NCSD) by January 8, 2008, for review and agreement with OMB, DHS, and the agency.
To discuss this initiative further, we are planning a government-wide meeting on Friday, November 30, 2007. I have asked Karen Evans, Administrator of the Office of Electronic Government and Information Technology and Robert Jamison, Deputy Under Secretary for National Protection & Programs Directorate, DHS, to ensure adequate collaboration among the various interested parties such as the Chief Information Officers and Chief Acquisition Officers.
Karen will be sending out the details for the government-wide meeting, including the agenda, to your Chief Information Officers and I will be inviting the President’s Management Council to attend the meeting as well.
With the work completed to date in the Lines of Business (LOB) initiatives for Information Systems Security and IT Infrastructure, the General Services Administration (GSA) award of the NETWORX contract for telecommunications service, and your current initiative to implement the secure desktop configurations (i.e. Federal Desktop Core Configuration – FDCC), we are presented with a unique opportunity to optimize our network delivery capabilities. I ask for you to devote people from your agency to work on the development and implementation of TIC throughout the federal government.
Information assurance and cyber security are important priorities and a responsibility shared by all officials. If you have any questions, please contact Karen Evans at 202-395-1181.
The Federal Computing Weekly (FWC) site is reporting an interesting move on OMB’s part in an article titled, “OMB to Limit Number of Internet Connection for Agencies” by Jason Miller. Normally I do not copy complete articles, but this article has major implications, so please bear with me:
The Office of Management and Budget wants to reduce the number of Internet connections across government to 50 by June. Under a new Trusted Internet Connections initiative, which OMB will kick off with a government wide meeting Nov. 30, agencies will have to develop a plan of action and milestones by Jan. 8 on how they will reduce the number of Internet connections.
Clay Johnson, OMB’s deputy director for management, announced the new program Nov. 20 in a memo to agency leaders. He wrote that the Trusted Internet Connections initiative will “optimize our individual network services into a common solution for the federal government.”
Johnson said with the progress made under the Security Line of Business initiative, the General Services Administration’s award of the Networx telecommunications contract and the Federal Desktop Core Configuration implementation project, agencies have a unique opportunity to improve their network delivery capabilities.
The memo also will require agencies to use the Homeland Security Department’s U.S. Computer Emergency Response Team Einstein program to improve their response capabilities. The White House requested an additional $115 million Nov. 6 to expand the Einstein program under the DHS fiscal 2007 appropriations bill.
“This is an essential step because the Federal Information Security Management Act-based defenses have failed to stop the attackers from getting inside agencies,” said Alan Paller, director of research at the SANS Institute. “Once they are inside, only very sophisticated monitoring can hope to find the infections.”
Warren Suss, president at Suss Consulting, said he is not sure if the new initiative is what agencies need right now. “OMB must be careful with the new initiative to avoid layering yet one more mandate on agencies who are working hard to address a very real security threat,” Suss said. “Centralization is not necessarily the answer because agencies have needs for redundancy for the Internet and can have unique requirements. To limit the number of Internet connections to a target of 50 could be an overreaction to the cybersecurity problem and it has potential to create more problems than it solves.”
He added that agencies have network design and architecture challenges that could be limited under this program.
Agencies already are trying to meet the June deadline to implement IPv6 on their networks’ backbone. OMB officials also have touted IPv6 as a way to improve agencies’ defenses against cyberattacks.
“Agencies at some point need to take responsibility for security and the management of their technology,” Suss said. “There are very serious threats out there and I don’t mean to minimize them, but forcing yet another constraint on the solution may do more harm than good.”
On November 13th, Exec. Order 13450 “Improving Government Program Performance” was passed. The order requires federal agency heads to set clear annual goals, devise specific plans for achieving those goals, and designate performance improvement officers (PIOs) to assess progress, use performance data in budget requests and set up Web sites that describe “the successes, shortfalls and challenges of each program” and efforts to improve them. The order directs agencies to appoint a PIO who will coordinate “sufficiently aggressive” goals and plans for programs. It also requires that PIOs be a member of the Senior Executive Service or equivalent service. It requires the creation of a Performance Improvement Council (PIC) to consist exclusively of the OMB Deputy Director for Management (Clay Johnson III), serving as Chair, and:
- such agency Performance Improvement Officers, as determined by the Chair; and
- such other full-time or permanent part-time employees of an agency, as determined by the Chair with the concurrence of the head of the agency concerned.
Robert D. Behn, a performance-management expert who teaches at Harvard’s Kennedy School of Government, points out “You never know from an executive order. They can do something or not do something. Who knows?” For additional analysis, Stephen Barr, columnist for the Washington Post, wrote a very interesting article titled “From Bush, an Order for Agencies to Track Progress.”
Just to emphasize these numbers: the Bush administration is seeking $154 million in new cyber security spending as part of the $436 million package to increase the Homeland Security and Justice departments’ new cybersecurity and counterterrorism programs. Additional numbers from the President’s 2008 DHS budget are available off the OMB site, though the document lacks any real details. Jonah Czerwinski over on Homeland Security Watch filed the report, “New White House Cybersecurity Initiative Underway.” Homeland Security Watch is an interesting site featuring “breaking news, rigorous analysis, and informed commentary on the critical issues in homeland security today.” I have mentioned the site before in my posting, “Security Data Visualization,” while discussing “The National Strategy for Homeland Security.”
The administration has also asked for $115 million to enhance DHS’ ability to deploy the Einstein program through the U.S. Computer Emergency Readiness Team. In case you are unaware of the Einstein program, Federal Computing Weekly provides a description:
Einstein monitors about 13 participating agencies’ network gateways for traffic patterns that indicate the presence of computer worms or other unwanted traffic. By collecting traffic information summaries at agency gateways, Einstein gives US-CERT analysts and participating agencies a big-picture view of bad activity on federal networks.
Alan Paller, Director of Research for the SANS Institute, is quoted as saying, “They know monitoring works and they want more monitoring. The money will be used to get out more monitoring more quickly and do more analysis of the data. That is useful and necessary because what they discovered is the federal perimeter is broken. One of few ways to find bad guys in [the] perimeter is a more intent analysis of traffic coming out of the computers.”
To put these numbers in perspective, the American Association for the Advancement of Science (AAAS) provides some interesting budget numbers. As of FY 2007, the overall federal investment in research and development (R&D) was nearly $137 billion. The funding actually appropriated to federal IT R&D is $3.0 billion. That funding is controlled through a multi-agency enterprise called the Networking and Information Technology Research and Development (NITRD) program, which is coordinated by the Interagency Working Group (IWG) on Information Technology Research and Development of the National Science and Technology Council (NSTC). NITRD is the successor of the High Performance Computing and Communications Program established in 1991. The NITRD program would increase 0.4 percent in the President’s FY 2008 request.
NITRD agencies coordinate research in eight Program Component Areas (PCAs):
- High End Computing Infrastructure and Applications
- High End Computing Research and Development
- Human Computer Interaction and Information Management
- Large Scale Networking
- High Confidence Software and Systems
- Social, Economic, and Workforce Implications of IT
- Software Design and Productivity
- Cyber Security and Information Assurance.
The 2008 budget broken down by PCA is available off the NITRD site. The National Science Foundation (NSF) is the lead agency in NITRD. The NSF and the National Security Agency (NSA) are the only agencies that are looking at significant increases to their computing research efforts under the President’s 2008 plan.
Since the NSF is the lead agency, it is important to try and understand the agency’s vision for cyber security. In November 2003, the Computing Research Association (CRA) convened an invitation-only workshop on the “Grand Challenges” in digital security on which the National Science Foundation should concentrate a decade of funding. The results were four grand challenges:
- No further large scale epidemics
- Enable Trusted Systems for Important Societal Applications
- Develop Accurate Risk Analysis for Cybersecurity
- Secure the Ubiquitous Computing Environments of the Future
While 2003 might be ages ago in computing time, the four grand challenges are at work today. Back in September, Siobhan Gorman from the Baltimore Sun reported in the article “NSA to defend against hackers” that the NSA was going to be “helping protect government and private communications networks from cyberattacks and infiltration by terrorists and hackers.” The article went on to state:
The plan calls for the NSA to work with the Department of Homeland Security and other federal agencies to monitor such networks to prevent unauthorized intrusion, according to those with knowledge of what is known internally as the “Cyber Initiative.” Details of the project are highly classified.
The NSA appears to be working towards the “Secure the Ubiquitous Computing Environments of the Future” challenge in relation to the network. Concerning securing the systems, and the “Enable Trusted Systems for Important Societal Applications” challenge, OMB this week told agencies that use Microsoft Windows XP or Vista to begin using the government’s approved secure desktop configuration by February 2008. OMB hinted that the Windows operating system was only the beginning of a more extensive program. Once more, quoting Alan Paller, “Vendors who compete with Microsoft saw the White House announcement as a threat. OMB was not standardizing on Microsoft and said they would talk to others to ensure their products are secure, too.” Paller said that once NSA gives its blessing to a vendor’s product, it would make sense for non-Defense Department and intelligence agencies to follow NSA’s lead. Exec. Order 13450 appears to be moving towards addressing the challenge to “Develop Accurate Risk Analysis for Cybersecurity.”
currently there are 1,300 avenues in all federal agencies for possible cyber terrorists.” The Trusted Internet Connections initiative plans to reduce the number of “trusted” Internet connections to below 50 across government. The article quotes Andrew Palowitch, a former CIA official, during a talk to Georgetown University’s Center for Peace and Security Studies, as saying that the United States is in the midst of an active cyber war and is now implementing still-secret security plans for protection. Palowitch might be referring to the “2006 National Military Strategy for Cyberspace Operations” classified document, which is reported to be the blueprint for the military defining both defensive and offensive measures. Maybe in that document I could finally find out what the “1,300 avenues in all federal agencies for possible cyber terrorists” and “reducing below 50 the trusted Internet connections” are supposed to mean.
To help us understand the reduction of trusted Internet connections, Karen Evans, OMB’s administrator for e-government and information technology, explains, “The reduction of access points to trusted Internet connections will improve our situational awareness and allow us to address potential threats in an expedited and efficient manner. While we optimize and improve our security, it is also our goal to minimize overall operating costs for services through economies of scale.” A follow-up post in FWC by Jason Miller titled “OMB directs agencies to close off most Internet links” cites Roger Baker, former chief information officer at the Commerce Department who is now chief executive officer at Dataline, as pointing out that having a limited number of Internet connections will mean that agencies must become shared-service providers for field offices outside of headquarters, which will add an unwanted level of complexity. “It will be hard for agencies to agree on a standard security policy for connections,” Baker said. “What they need to do is set that security policy across government and then audit every organization to ensure they are abiding by it.” Baker added that the key to solving many federal IT security challenges will depend on how well agencies have architected their Internet connections. Several letters to the FWC editor, to quote FWC, “warned about unintended consequences of OMB’s initiative. Both teleworkers (‘Closing Internet links will lead to more unauthorized telecommuting’) and satellite offices (‘Closing Internet links will hurt satellite offices’) would suffer, several readers said. Another suggested that the policy could hamstring some research and development efforts (‘Closing off Internet links will hurt R&D’).”
In September, as part of an expanding mission to prepare for war in cyberspace, the US Air Force established a provisional Cyber Command. According to Major General Charles Ickes, it is expected that the provisional command will, within a year, create the full Air Force Cyber Command with the mission to “train and equip forces to conduct sustained global operations in and through cyberspace, fully integrated with air and space operations.” Air Force officials report as many as 40,000 Air Force personnel are assigned to cyber-tasks. It is reported that those officials envision an emerging breed of warrior who fights with a computer and keyboard. Dr. Lani Kass, special assistant to Gen. T. Michael Moseley, Air Force chief of staff, told a recent seminar that this new breed of warrior is expected to be as formidable as soldiers with guns. She goes on to say, in relation to developing an offensive cyber capacity, that the Air Force needs “not a bunch of geeks, I want a bunch of trained killers who understand that non-kinetic does not mean non-lethal.” While she has a point, I cannot let that statement go without comment. I would recommend Dr. Lani Kass read Rob Goffee and Gareth Jones’s article titled, “Leading Clever People.” Better yet, read my posting discussing managing clever people titled, “Herding Cats.” It contains many good sources that can help the Air Force effectively manage the Cyber Command personnel. Otherwise, I fear the Air Force will always be reliant on purchasing, and not developing, solutions from geeks who do not carry guns.
Possibly adding to the political need for action is the report of the US-China Economic and Security Review Commission, which was released last week. The report addressed the “scope of China’s military buildup and the extent to which it is aimed at defeating the U.S. in any conflict over Taiwan.” The report states, “China has developed capability to wage cyber-warfare and to destroy surveillance satellites overhead as part of its tactical, asymmetrical warfare arsenal.” Gen. James Cartwright, commander of the U.S. Strategic Command, told the commission, “I think that we should start to consider that regret factors associated with a cyber-attack could, in fact, be in the magnitude of a weapon of mass destruction.” The general was referring to the psychological aftereffects of disruption of services. China has denounced the charges and characterized the “wild accusations” as smacking of a bygone era. Wang Wenfeng from the ChinaDaily addresses the report in the article “Commission’s report full of inaccuracies.” On the heels of the report, the Times of London reported Jonathan Evans, the director-general of MI5, has sent out a confidential letter to 300 executives and security chiefs at banks, accountants and legal firms this week warning them that they were under attack from “Chinese state organisations.” Alan Paller called the MI5 warning “the most vibrant example of how the British are doing a better job of cybersecurity leadership. You cannot ask people to act unless they understand the problem. The British have consistently been willing to speak the truth.” In contrast, Paller said the United States has relied on a failed paperwork policy built around the Federal Information Security Management Act and “vapid guidance” from the National Institute of Standards and Technology. Bruce Schneier, a security consultant with BT Counterpane, said he found it significant that both Evans and Cartwright decided to identify China as a serious cyber threat.
Despite reports of Chinese attacks this fall against government and military networks in the United States and U.K. as well as Australia, Germany and New Zealand, top leaders in those countries have not publicly identified China as the culprit until now. Chinese Foreign Ministry spokesman Qin Gang denied the report, saying China opposed computer hacking and that it was cooperating with British authorities. He also accused the British media of spreading inaccurate information. The Pittsburgh Tribune, in the article “Confronting Confucius,” points out that “the same day the commission’s study was published, another was released by two respected Wall Street companies. It showed in detail how half the venture funding for Chinese business and consumer services came from America, particularly seed capital for the critical information services and technology industries.”
Antivirus software company McAfee stated in its annual Virtual Criminology Report released at the end of November that 120 nations worldwide have started to develop cyberattack commands, with China well ahead of the others. Bob Brewin, of GovernmentExecutive.com, in his article “U.S., British officials target Chinese as source of cyberattacks” states the McAfee report also “fingers the Chinese government as the source of widespread cyberattacks. James Mulvenon, director of the Center for Intelligence Research and Analysis at the Defense Group Inc. in Washington, told McAfee that ‘the Chinese were the first to use cyberattacks for political and military goals….Whether it is as battlefield preparation or hacking networks used by the German chancellor, they are the first state actor to jump feet first into 21st century cyberwarfare technology. This is becoming a more serious and open problem.’” The report goes on to state that China is not alone in its military exploitation of cyberspace. Peter Sommer, a computer security expert at the London School of Economics, said there are signs that intelligence agencies around the world are constantly probing government networks for signs of weakness, and countries he did not identify “are gearing themselves up to launch all-out online attacks.” The McAfee report predicted that over the next few years, governments will pursue “punitive action” against cyberattackers and “will … go after them, regardless of their location.”
Rightly or wrongly, the mood in Washington appears to be to do something. No matter what the motive, efforts to implement some form of the four grand challenges in trustworthy computing on a national level may be under way. This would result in some major changes in how government agencies do business. Personally, I look forward to additional details and explanations on the Trusted Internet Connections initiative. In the end, I have to agree with Robert Behn, when he said, “They can do something or not do something. Who knows?”