WPost: Cybersecurity Will Take A Big Bite of the Budget

John Gilmore gnu at toad.com
Mon Jul 21 17:16:04 EDT 2008


[News report below.]

This highly classified little-publicized multi-billion dollar "vague"
program to secure Federal computers seems doomed to failure.  People
like you and me, in the unclassified private sector, design and build
and program all those computers and networks.

But of course we've never heard of this initiative.  And we probably
don't share its goals.

NSA's occasional public efforts to secure the civilian infrastructure
have been somewhat interesting.  Not that they've succeeded: they
crippled DES, wouldn't admit it was broken, and tried to force us all
to use it; the IPSEC they designed was painfully complex, impossible
to administer, easy to penetrate, and wouldn't scale; the export
controls they championed torpedoed civilian efforts to secure
ANYTHING; and Secure Linux seems to be no more secure than any other
Linux.  Do we know of *any* honest and successful NSA effort to raise
the integrity and security of the public infrastructure (even at the
expense of their ability to illegally tap it)?

Now that NSA, the President, and Congress have gone totally to the
Dark Side, we'd better assume that any such initiative does not have
the public's best interests at heart.  The theory is that the public's
computers will be easy for the government to break into, while
Wiretapper-General McConnell can shield every unconstitutional thing
he does from the prying eyes of the public and the courts?  It'd be
better for private-sector engineers to follow our own muses, rather
than become the rats following government-contractor Pied Pipers into
a totalitarian sewer.

Let's guess why they would classify this effort at all.  For "security
through obscurity"?  So that "foreigners" won't find out how to secure
their own computers against NSA intrusions (ahem, foreigners build ALL
our computers)?  Merely to hide their own incompetence?  Or because
the effort would be quickly identified as malfeasance, like trying to
impose a national ID system and routine suspicionless checkpoint
searches on a free people?

	John

Forwarded-By: Melissa Ngo <ngo at privacylives.com>

http://www.washingtonpost.com/wp-dyn/content/article/2008/07/20/AR2008072001641_pf.html

Cybersecurity Will Take A Big Bite of the Budget
By Walter Pincus
Monday, July 21, 2008; A13

President Bush's single largest request for funds and "most important  
initiative" in the fiscal 2009 intelligence budget is for the  
Comprehensive National Cybersecurity Initiative, a little publicized  
but massive program whose details "remain vague and thus open to  
question," according to the House Permanent Select Committee on  
Intelligence.

A highly classified, multiyear, multibillion-dollar project, CNCI --  
or "Cyber Initiative" -- is designed to develop a plan to secure  
government computer systems against foreign and domestic intruders and  
prepare for future threats. Any initial plan can later be expanded to  
cover sensitive civilian systems to protect financial, commercial and  
other vital infrastructure data.

"It is no longer sufficient for the U.S. Government to discover cyber  
intrusions in its networks, clean up the damage, and take legal or  
political steps to deter further intrusions," Director of National  
Intelligence Mike McConnell noted in a February 2008 threat  
assessment. "We must take proactive measures to detect and prevent  
intrusions from whatever source, as they happen, and before they can  
do significant damage." His conclusions echoed those of a 2007  
interagency review that led to CNCI's creation.

During debate on the intelligence authorization bill last week, Rep.  
Jim Langevin (D-R.I.), a member of the House intelligence committee  
and chairman of the Homeland Security subcommittee on emerging  
threats, described cybersecurity as "a real and growing threat that  
the federal government has been slow in addressing."

Without specifying funding figures, which are classified, Langevin  
said the panel approved 90 percent of the funds requested for CNCI but  
warned that the committee "does not intend to write the administration  
a blank check."

The committee's report recognized that as the initiative develops, "it  
will be imperative that the government also take into account the  
interests and concerns of private citizens, the U.S. information  
technology industry, and other elements of the private sector."

Such a public-private partnership will be "unlike any model that  
currently exists," said the committee, which recommended a White House  
study leading toward establishment of an oversight panel of lawmakers,  
executive branch officials and private-sector representatives. The  
panel would review the intelligence community's development of the  
initiative.

The committee said it expects the policy debates over the initiative  
to extend into the next administration, and major presidential  
candidates have addressed the issue.

On the same day the intelligence bill passed the House, Sen. Barack  
Obama (D-Ill.) told an audience that, "as president, I'll make  
cybersecurity the top priority that it should be in the 21st century."  
He vowed to appoint a national cyber adviser to coordinate policy to  
secure information -- "from the networks that power the federal  
government, to the networks that you use in your personal lives."

In a July 1 speech, Sen. John McCain (R-Ariz.) addressed  
cybersecurity, as well. "To protect our energy supply, air and rail  
transport, banking and financial services, we need to invest far more  
in the federal task of cyber security," he said. Neither Obama nor  
McCain mentioned the cybersecurity initiative underway.

National security and intelligence reporter Walter Pincus pores over  
the speeches, reports, transcripts and other documents that flood  
Washington and every week uncovers the fine print that rarely makes  
headlines -- but should. If you have any items that fit the bill,  
please send them to fineprint at washpost.com.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


