Saturday, October 04, 2008

FCW on Comprehensive National Cybersecurity Initiative

Brian Robinson's FCW article Unlocking the national cybersecurity initiative caught my attention. I found these excerpts interesting, although my late 2007 article Feds Plan to Reduce, Then Monitor discussed the same issues.

The cybersecurity initiative launched by the Bush administration earlier this year remains largely cloaked in secrecy, but it’s already clear that it could have a major and far-reaching effect on government IT operations in the future.

Everything from mandated security measures and standard desktop configurations across government to a recast Federal Information Security Management Act (FISMA) could influence the way agencies buy and manage their IT.

Overseeing all of this will be a central office run by the Homeland Security Department, the first time that the government’s efforts in cybersecurity will run through a single office tasked with coordinating the work of separate federal cybersecurity organizations...

[First was the] creation of a National Cybersecurity Center (NCSC), which will serve as the focus for improving federal government network defenses. Rod Beckstrom [mentioned here], a well-known technology entrepreneur, was appointed the center’s director in March...

[Second,] Trusted Internet Connections (TIC)... this program is designed to reduce the number of external connections that agencies have to the Internet to just a few centralized gateways that can be better monitored for security. In January, more than 4,300 agency Internet connections existed, and those had been cut to some 2,700 by June. The target is less than 100 connections.

[Third,] Einstein is a system that automatically monitors data traffic on government networks for potential threats. As a program under the CNCI, Einstein will be upgraded ["Einstein II"] to include intrusion-detection technology. [I thought that was dead!]

Also, participation in Einstein for those agencies managing Internet access points will no longer be voluntary, as it was before. If Einstein finds a connection is not being properly managed, DHS will be able to shut it down.

[Finally, the] Federal Desktop Core Configuration (FDCC)... initiated by OMB last year, mandates that agencies adopt a common [desktop]...

As part of the CNCI, NIST proposed in February to extend the FDCC to other operating systems, applications and network devices beyond the existing support for Windows XP and Vista.
(emphasis and comments added)

I loved this part:

The expansion of Einstein, for example, is a major change because it mandates the use of network security monitoring tools that are controlled by an entity outside the agencies.

“Before, they would do this [monitoring] themselves and not necessarily be forthcoming if anything happened,” he said. “Now it’s out of their hands.”

Now, my sources tell me that Einstein is basically garbage, and that the data from it (purely flows) is fairly useless unless it is used to identify traffic to or from know bad IP addresses. That's still worthwhile in my opinion, but it demonstrates why real NSM needs all four forms of data (alert, statistical, session, and full content) to have a chance at winning. What is more significant than simply deploying Einstein capabilities would be getting "hardware footholds" at each gateway.

If each TIC gateway is only forwarding flow data via router NetFlow exports, that's nice but insufficient. If each TIC gateway is tapped and connected to a stand-alone, preferably open source platform, then the game changes. Once a centralized monitoring agency can deploy its own tools and utilize its own tactics and techniques on a platform it controls, you will see real improvements in network-based enterprise visibility and situational awareness. That's what you get when you can implement what I've called self-reliant NSM, and the final story excerpt alluded to that idea as well.

Of course, it is important to implement these programs as openly as possible, with plenty of oversight and defined goals and governance. That is my biggest problem with the secrecy around CNCI. Overclassification breeds paranoia and ultimately reduces security by underminding the faith of the citizenry in our government.


Rocky DeStefano said...

We should catch up live about real-world TIC deployments.

SEO Firm said...

Nice Post. Thanks for sharing this information with us.

nick said...

Strenghten the cyber security.

Anonymous said...

It is important to understand that Einstein was setup to provide "situational awareness" across ALL civilian agencies. 4 years ago no one knew what the civilian agencies IP space was, which is a huge problem. Einstein helped "map" each agency. On the SA side, since there isn't an equivalent of the .mil on the civilian agencies, there was no way to quickly determine if several agencies are being penetrated at the same time, coordinated attack. Einstein isn't perfect but it has provided vital information on the structure of agencies IP space and it does provide a good level of SA. However, now that is has become so politicized, VENDORS are trying to make it into something it was never meant to be.

George said...


There is a CNCI group on LinkedIn that I would like to invite you to join. You can access it at:

Feel free to invite others to join as well. I've posted some discussion items on the group board, including some of your posts from TaoSecurity blog.