White House lifts the veil on Bush cybersecurity initiative

SAN FRANCISCO -- Much of the Comprehensive National Cybersecurity Initiative created by the Bush administration has been declassified and made publicly available, said White House Cybersecurity Coordinator Howard Schmidt.

"The administration has updated the classification guidelines for the Comprehensive National Cybersecurity Initiative," Schmidt said during comments at the RSA Security Conference.

Information on 12 unclassified initiatives under the plan will be available on the White House Web site at www.whitehouse.gov/cybersecurity.

The move is part of President Barack Obama's commitment to open government, Schmidt said, and an effort to ensure that critical information is available for those who need to participate in the effort to secure the nation's and the world's information infrastructure.

The audience greeted the announcement warmly. The security community widely sees the declassification as a positive step. One of the continuing themes of discussion at the conference is the needed for expanded government and industry cooperation. Despite lip service being paid to public and private partnerships, the lack of trust between the parties is repeatedly cited as a stumbling block to creating a really robust and workable national cybersecurity policy.
 
The administration's unilateral decision to make classified information is seen as a step toward establishing the trust needed for meaningful information sharing.
 
Schmidt acknowledged the need for better cooperation not only within the government but between the public and private sectors.
 
"I'm working across all the aspects of federal government," to establish a harmonized cybersecurity policy, he said. "We recognize all the vulnerabilities are shared."
 
He also said that his shared responsibilities with the National Economic Council are important to cybersecurity because of the part IT security plays as an economic driver.
 
Schmidt also said that some long anticipated changes are in the works for compliance with the Federal Information Security Management Act.
 
"You can be FISMA compliant and still not be secure," he said. He said that next month the Office of Management and Budget will announce new performance metrics for FISMA, so that agencies can move from static, compliance-based security to risk management based on real-time monitoring and analysis.

The Bush administration designated much of the CNCI to be secret, which brought criticism from many quarters. One of the most visible elements of it has been the Trusted Internet Connection initiative, under which the government is moving to limit and better control the number of connections federal networks have to the public Internet.

More controversial has been the Einstein initiative, an effort to enable real-time deep-packet inspection on government networks that has been seen as a threat to privacy.

When Obama first announced his intention to appoint a cybersecurity coordinator, in May 2009, he emphasized that his approach to protecting the nation's information systems would not include any violations of civil liberties, wrote Kim Zetter in Wired News. “Our pursuit of cybersecurity will not include — I repeat, will not include — monitoring private sector networks or Internet traffic,” Zetter quoted Obama as saying. "We will preserve and protect the personal privacy and civil liberties that we cherish as Americans.”

The portions of the plan that have been declassified do not discuss cyberwarfare, Zetter reported.

Before his formal presentation, Schmidt told the New York Times that the purpose of the declassification is to show that the government has a good strategy for protecting the nation’s computer systems.

“The CNCI was shrouded in a lot of classification,” Schmidt told the Times. “The president has said very specifically that we need to make sure the administration is transparent with not only the American public but with an international audience as well.”