System Advancements at the Monastery

“Question with boldness even the existence of God; because, if there is one, he must more approve of the homage of reason than that of blindfolded faith.” — Thomas Jefferson

As a follow up to “The Trusted Internet Connections (TIC) Initiative?”, Robert Lemos has written an interesting article in SecurityFocus titled “Law Makers Voice Concerns Over Cybersecurity Plan“. The TIC initiative mandates that officials develop plans for limiting the number of Internet connections into their departments and agencies. The initiative also asks chief information officers to develop a plan of action and milestones for participating in the Homeland Security Department’s U.S. Computer Emergency Readiness Team’s Einstein initiative. The Einstein pilot program for cyber situational awareness (formerly the Strategic Analysis Program at the Transportation Department) monitors network security activity and is meant to increase global situational awareness.

There are many positive ideas behind TIC. Karen Evans, OMB’s administrator for e-government and information technology, points out, “The reduction of access points to trusted Internet connections will improve our situational awareness and allow us to address potential threats in an expedited and efficient manner. While we optimize and improve our security, it is also our goal to minimize overall operating costs for services through economies of scale.” Evans continues to point out, “We have to know what we own in order to protect it. We also must know we are managing risk at an acceptable level.” Those are good soundly accepted security ideas. It is difficult to argue with the idea that reduction of gateways with the addition of enhanced monitoring will not produce better, stronger, faster and less expensive security for government.

What I find most interesting in Lemons’ article is Robert Jamison, Under Secretary for the DHS National Protection and Programs Directorate, statements in relation to the Einstein program:

• “We only monitor a very small percentage of federal network traffic,” Jamison told the committee members. “We want, through this initiative, to increase that to 100 percent of all federal network traffic.”
• The information is analyzed on a daily basis, and so cannot detect threats in real time, Jamison said. He went on to explain, the system would be enhanced to do more real-time analysis.
• “We are currently not looking at any content,” Jamison said. “We are proposing that we are going to do that. The threats are real. Our adversaries are really adept at hiding their attacks in normal everyday traffic. The only way to really protect your networks is to have intrusion detection capabilities.“

Reading Jamison statements, one is reminded that the devil is always in the details. Law makers and former OMB employees are voicing concerns on several of the unclassified details. Below are a few of those details causing concerns.

Data Handling

With about 15 agencies voluntarily participate in the Einstein program, the Einstein program has been tested on a very small subset of government traffic. The Einstein program also has not been monitoring traffic in real time. The Einstein program is suppose to be enhanced to handle full packet inspection in real time. The enhancements are fairly major, being made to a program that is currently viewing a very limited set of data not in real time. Adding addition concern is the fact that no data has been produced indicating the effectiveness of the current system. Then again, such data might be part of the classified component of this initiative. Either way, there is little to indicate that the Einstein program is ready to handle the data in an effective manner with the future quantity and speed required.

Privacy

Evans testified as far as privacy and security is concerned, “we have been doing all of these activities in a very transparent way” under the existing approach. Jaikumar Vijayan writes in his article “Feds downplay privacy fears on plan to expand monitoring of government networks,” that Evans stated controls are being implemented to ensure that the privacy rights of federal workers and other individuals who access e-government systems are protected in the future as well.

Currently, the Einstein program only conducts flow analysis which tracks the source, destination, port and size of packets on the networks of 15 federal agencies. The privacy impact assessment, performed in 2004 was based on the flow analysis model and stated “the program is not intended to collect information that will be retrieved by name or personal identifier.” Once full packet capturing begins, personal identifiable information will be part of the data payload. How will privacy issues be addressed?

Personnel and Clearances

Another possible problem is that DHS Secretary Michael Chertoff’s wants to appoint Scott Charbo, the former CIO for the department, to the position of Deputy Under Secretary in charge of implementing the program. Some have voiced concerns over Charbo appointment. These concerns go back to when Charbo told the committee previously that he had not been briefed on incidents involving infiltration of government systems by foreign attackers. The reason he was not briefed was because Charbo, and other key personnel lacked the clearance to listen to classified briefings about cyber threats or attacks. Charbo explained to lawmakers, “This is an issue that needs to be addressed for a lot of CIOs. They need their classification levels raised.”

Charbo points out a major concern in the administration’s new cyber directive. Many CIOs don’t have clearance to view classified material. Since most of the directive is classified, this creates a problems since CIOs need to be in the loop to implement cybersecurity requirements or understand where potential threats are coming from.

Rep. Bennie Thompson (D-MS), chairs the Homeland Security Committee, in a February letter to DHS Secretary Michael Chertoff voiced concerns when he stated “Your decision to promote Mr. Charbo to Deputy Under Secretary of National Programs and Plans effectively places him in charge of the cyber initiative at the Department. Given his previous failings as Chief Information Officer, I find it unfathomable that you would invest him with this authority.” Some lawmakers are concerned with Charbo being put in charge of one of the most complicated national security issue in terms of threat and jurisdiction.

Intelligence vs. Security

Previously in my post, “FWC Reporting “Experts Find Fault With Cyberdirectives,” I quoted Glenn Schlarman, a former OMB official in charge of security policy who is now a consultant, concerns, “To solve the security problem, they want to use intelligence monitoring? DOD has not done a great job of defending its own networks. There are “starkly different needs and purposes for intelligence gathering and computer security.” Bruce McConnell, who was at OMB for 15 years and was chief of the information policy and technology branch for many years, went further when he told House lawmakers, “It is impossible for DOD to balance the needs of security and monitoring.”

Secrecy

Thompson stated in his letter to Chertoff that he had tried without success to get more details about the initiative on at least four previous occasions. Alan Paller, director of research at the SANS Institute said Einstein and TIC account for only about $100 million or so in spending. It is interesting to consider how the government will spend the rest of the $30 billion earmarked for the Cyber Initiative. That information is classified and likely remain so, according to Paller.

“My sense is there is a general consensus that the problem is big enough that not spending this money would be considered catastrophically negligent,” Paller said. “What has happened is that people in power have gotten a glimpse into what is happening and now they’re pushing the government to respond.” But a continued shroud of secrecy could pose some problems, Paller added. For instance, he said that not fully disclosing all of the attacks against government networks could make it harder to justify the huge investment being planned for the Cyber Initiative.

Conclusions

Many ideas behind the Trusted Internet Connections Initiative are based on good soundly accepted security principles. The Einstein program may turn out to be the best security initiative the government has ever implemented. Still, many questions are being raised about the tactics and possible leadership.

During the Senate Homeland Security and Governmental Affairs Committee Hearing on the Fiscal 2009 Budget for the Department of Homeland Security, regarding the virtual border fence, Secretary Michael Chertoff stated “I would say it is a partial model for the future. I think that it was a concept. We wanted to make sure that, A, there’s the basic concept functionality work and, B, the thought was to give the contractor an opportunity to present something that essentially thought out of the box, that wasn’t just a follow-on to the traditional way of doing business.”

The past has many lessons. Christopher Spencer invented the repeating carbine rifle in 1860. There were good and the bad aspects about the Spencer rifle, depending on your point of view. It was a seven shot repeater. This allowed an experienced man to shoot all seven shots in about fifteen seconds. For the soldier who possessed such a rifle, this was fantastic. The Army, however, was reluctant to purchase the Spencer early in the Civil War. The thinking was that the available wagon transportation would be incapable of delivering the additional ammunition the soldiers would shoot when given a repeating firearm. It was only when President Lincoln intervened after test firing the Spencer in 1863, halfway through the war, that the rifle was introduced into the union army. Bertram Barnett, from the Gettysburg National Military Park, writes, “Often, Federals with Spencers fired only one shot together to simulate a volley of musketry and waited for the Confederates to advance. When they did, the Unionists unleashed the other six shots in a rapid fusillade of fire that devastated the Southern lines.” One Confederate expressed the most convincing point of view, in terms of the usefulness of the Spencer, when he stated, “There’s no use fighting against such guns…”

The lesson to be learned is that when better technology is available, it can prove most effective. Sometimes, when doing long term planning, one has to factor in technology that might not currently exist. It is reasonable to expect certain advancements during certain time periods. The Einstein program with limited data from 15 agencies that does not include full packet inspection in real time, appears to be similar to the DHS’s virtual border fence, in that it provide only a basic concept of functionality work. While the enhancements seem significant, they might be based on reasonable technological advancements that will occur in the next five years. The government certainly would prefer to be fighting their security war with the latest technologies. In addition to avoiding fighting tomorrow’s cyber war with the previous war’s weapons, DHS also needs to make sure they are not fighting with the generals who can only think to use the previous war’s strategies. At the very least, it seems prudent to address the concerns already being raised in order to insure the best possible strategy combined with the proper personnel. Key people need to have the required clearances. Otherwise you are fighting tomorrow’s war with soldiers who can’t even see the battlefield. Soldiers fighting blind, even with the latest and greatest weaponry, are frightening and dangerous to friend and foe alike.