The U.S. government's de facto CIO and other federal officials today downplayed privacy concerns related to the expanded monitoring of federal networks that is planned under a multiyear initiative ordered by President Bush to boost cybersecurity at agencies.
Testifying at a hearing held by the House Committee on Homeland Security, officials from the White House Office of Management and Budget (OMB) and the Department of Homeland Security (DHS) said that the increased network monitoring is designed only to improve the government's ability to quickly detect and stop attacks against its networks.
The governmentwide monitoring that is being planned isn't very different from the intrusion-detection and -prevention capabilities implemented across many private-sector networks, said Robert Jamison, undersecretary of the National Protection and Programs Directorate within the DHS.
Jamison said the current version of a network monitoring system called Einstein, which is used by some agencies, is far too passive and doesn't provide the real-time threat-detection capabilities that are needed to thwart attacks. By comparison, the new monitoring plan is aimed at enabling network administrators to detect intrusions and other malicious activity as soon as they occur, he added.
The Einstein system is due to be upgraded and deployed at all agencies as part of the new security effort. Jamison said that all data traffic flowing through agency networks will be checked, and that it will be inspected at a deeper level than Einstein is capable of now.
The expanded monitoring plan is a key part of the so-called Cyber Initiative, which was mandated by Bush in a classified directive that he issued in January. The directive calls on multiple agencies, including the National Security Agency (NSA), to work together to improve the security of federal systems, which has routinely been criticized in congressional report cards and in reports issued by the Government Accountability Office.
Jamison defended the need for better network monitoring at today's hearing. "Our adversaries are very adept at hiding their attacks in normal everyday [network] traffic," he said, adding that the only effective way to deal with the security threats is to deploy a governmentwide intrusion-detection system. Such capabilities already exist within a few agencies, Jamison noted. "It's just not consistent," he said. "That is what we are talking about [now]."
But, he promised, privacy considerations will be kept at the forefront. "I can tell you that privacy and civil rights have been a top focus of this," Jamison said. Privacy impact assessments are being done to help government officials understand all the implications of the expanded network monitoring activities, he added.
Karen Evans, who basically serves as federal CIO in her role as administrator of e-government and IT at the OMB, testified that all of the monitoring work will be done in an open fashion. As far as privacy and security are concerned, "we have been doing all of these activities in a very transparent way" under the existing approach, Evans said. She added that controls are being implemented to ensure that the privacy rights of federal workers and other individuals who access e-government systems are protected in the future as well.
But few details about the cybersecurity program have been released publicly thus far. The lack of information has spooked some politicians and privacy advocates, especially because of the NSA's involvement in the initiative. Among those concerned is U.S. Rep. Bennie Thompson (D-Miss.), who chairs the Homeland Security Committee.
Thompson demanded more information about the Cyber Initiative in a letter to DHS Secretary Michael Chertoff last October, after The Baltimore Sun published a story that described the impending program as an effort involving up to 2,000 employees at the NSA and the DHS. In the letter, Thompson said that he had tried without success to get more details about the initiative on at least four previous occasions. He also wrote that the initiative raised serious constitutional and privacy issues.
Today's hearing was ostensibly held to examine at least some aspects of the Cyber Initiative, but little information was forthcoming from the witnesses who testified. The only parts of the plan that were described in any detail were those relating to the Einstein system and to a program called Trusted Internet Connections (TIC).
TIC requires all federal agencies to reduce the number of their external network connections, including those to the Internet, to no more than 50 by June, Evans said. The idea is to reduce each agency's exposure to network threats, while also making it easier to monitor the remaining connections, she added.
According to Jamison, federal agencies at last count had a total of more than 4,000 external access points. He said that defending so many of them presents a significant challenge, which is why the DHS is working with the OMB to compel agencies to reduce their connections.
The hearing touched on only a very small portion of the overall initiative to boost federal cybersecurity, said Alan Paller, director of research at the SANS Institute in Bethesda, Md. He said Einstein and TIC account for only about $100 million or so in spending. How the government will spend the rest of the money earmarked for the Cyber Initiative — an amount estimated to be in the billions — is classified and will likely remain so, according to Paller.
"My sense is there is a general consensus that the problem is big enough that not spending this money would be considered catastrophically negligent," Paller said. "What has happened is that people in power have gotten a glimpse into what is happening" — and now they're pushing the government to respond.
But a continued shroud of secrecy could pose some problems, Paller added. For instance, he said that not fully disclosing all of the attacks against government networks could make it harder to justify the huge investment being planned for the Cyber Initiative.