US cyber defense strategy details hit the Internet (Update)

White House Internet security coordinator Howard Schmidt described bits of the strategy at the RSA cybersecurity conference here, saying the revelation was part of a promise of transparency by President Barack Obama.

Parts of a Comprehensive National Cybersecurity Initiative (CNCI) declassified by Obama became available online Tuesday at whitehouse.gov/cybersecurity.

"We can't ask industry to help government and government can't help industry if we don't have transparency," Schmidt said while making the announcement.

"It gives the American people the ability to partner with their government."

Scott Charney, Microsoft corporate vice president of Trustworthy Computing, was among those that welcomed the idea of the government being more forthcoming with cyber defense information.

"The public-private partnership is in need of improvement; it always has been," said Charney, who was head of computer crime prosecution at the Justice Department from 1991 to 1999.

"It seems the government has moved from a phase of consideration to a phase of action, and that is a good thing."

Sharing cyberattack information between government and private business has been muted by national security concerns on one side and fears of tainting brand images on the other.

"It never really happened," Charney said. "The government didn't share and the industry didn't share."

Schmidt said he hoped releasing declassified versions of the strategy would drive alliances between government cyber warriors and security firms, academics and others skilled in the field.

"Our collective knowledge is our biggest strength," Schmidt said. "We will not beat our adversaries because they are weak; we will beat them because we become stronger."

CNCI was crafted as the result of a presidential directive signed by Bush in January of 2008. Its budget remains a mystery but is estimated to be in the tens of billions of dollars.

The declassified strategy includes consolidating the government computer network and deploying sensors to detect intrusions.

Government agencies must work together on research and link "cyber ops" centers to more astutely assess situations, according to the CNCI.

"There is a pressing need to ensure that government information security offices and strategic operations centers share data regarding malicious activities against federal systems," according to freshly declassified documents.

One of the initiatives calls for a government-wide cyber counterintelligence plan to "detect, deter, and mitigate the foreign-sponsored cyber intelligence threat" to US networks and private businesses.

The government must also figure out its role in the cyber defenses of power grids, financial markets and other computer infrastructure that have become critical to daily life in this country, according to the CNCI.

The US government will need to show it can be trusted to fairly balance cyber defense with respect for privacy of online information.

Some RSA attendees were skeptical, citing Bush-era shenanigans that evidently included snooping on email and other Internet communications without proper court orders.

"You lose trust, it gets harder to do the right thing," Charney said. "If you are Howard Schmidt, the NSA, or whoever, you need to explain what you want to accomplish and how you will execute on it while balancing privacy concerns."

Public-private partnership is imperative to cyber defenses, said Melissa Hathaway, who served as interim cyber chief for Obama before becoming a consultant to computer security firms such as Cisco.

"We are almost at epidemic levels of online fraud and crime; pillaging and looting on the Internet," she said at RSA.

Hathaway proposed the creation of a non-profit organization to act as a neutral party or "safe house" for inside information shared by businesses to alleviate fears of disclosing weaknesses to competitors.

(c) 2010 AFP