The cybersecurity mess on the White House front steps

March 16th, 2009

Special to Threatpost
by Byron Acohido (LastWatchdog.com)
March 16, 2009, 7:55 AM

obama_flag_cropIf President Obama thinks fixing the broken U.S. economy is a challenge, and ending the ground wars in the Middle East a conundrum, wait until he gets around to tackling cybersecurity.

Obama must reverse the abject lack of any sort of meaningful coordinated defense against intensifying and overlapping cyber attacks on U.S. citizens, businesses, schools, hospitals, governments and military from unseen enemies.

Yet when the president is finally ready to turn his attention to cybersecurity, he will benefit from important groundwork laid down by a small cadre of concerned lawmakers, bureaucrats, military leaders and corporate executives who fully grasp how chaotically out-of-control cyber intrusions have become.

This includes some key Bush appointees and supporters who pushed hard to get the 43rd president to take cybersecurity more seriously – and who will likely emerge as key operatives on the 44th president’s cybersecurity team.

At a Congressional hearing this week, NetWitness CEO Amit Yoran, testified that the U.S. has been “experiencing a 9/11 in cyber attacks” for a number of years. “Because there is no visible catastrophic outcome, we lie in bed at night asleep without realizing how much damage is being done,” testified Yoran, a former senior Bush appointee in the Department of Homeland Security.

Tough-talking Oracle Chief Security Officer, Mary Ann Davidson, called for the U.S. to stand up and aggressively defend its cyberturf. “We are in a conflict, some would call it war,” Davidson testified. “Let’s call it what it is. Given the diversity of potentially hostile entities building cadres of cyberwarriors, probing our systems for weakness, infiltrating government networks and making similar attempts against businesses and critical industries, including our defense systems, is there any other conclusion to be reached?”

Basic tenets

The March 10 hearing was held by the House Subcommittee on Emerging Threats [homeland.house.gov], Cybersecurity, Science & Technology to get a mid-way status report of a 60-day review of U.S. cybersecurity policy being conducted by management collaboration expert, Melissa Hathaway, at Obama’s behest.

Come April 1 or 2, Hathaway is widely expected to present Obama with a set of options that tilt toward the establishment of truly collaborative public/private partnerships and the start of hard-ball diplomacy with foreign powers. It will take a concerted effort along these lines – orchestrated by the White House, and backed by new federal laws – to address the spectrum of escalating cybersecurity threats.

Hathaway probably won’t stray too far from the basic tenets hammered out by a bi-partisan commission of senators and tech executives that has been meeting for over a year to derive a consensus view of what U.S. cybersecurity policy should look like. The commission, convened by the Center for Strategic and International Studies (CSIS), commission delivered this stack of recommendations, titled “Securing Cyberspace for the 44th President,” to Obama last December.

The CSIS commission’s conclusions were reinforced by the Dartmouth College-based Institute for Information Infrastructure Protection (I3P), which delivered this complementary report, titled “National Cyber Security Research and Development Challenges,” to the U.S. Senate last month.

Some lawmakers, notably Representatives James Langevin (D-RI), Al Green (D-Tex), Michael McCaul (R-Tex), Bill Pascrell (D-NJ), Yvette Clarke (D-NY), Daniel E. Lungren (R-Calif.), Ben Ray Lujan, (D-NM), and Bennie G. Thompson (D-Miss.) are paying close attention. “I hope the administration can strike the balance between civilian and military cybersecurity capabilities,” noted Thompson at the hearing. “We here in Congress are looking toward the administration for leadership on this critical issue.”
Massive penetrations

A well-thought-out national policy, complemented by enforceable international agreements and protocols, are vitally needed for the Internet to thrive. Such policies and international protocols exist for use of the high seas, nuclear armaments and outer space.

However, cybersecurity was not a priority with the Bush administration — until cyberspies began to step up infiltrations of government and military networks in the U.S. and across Europe in 2006 and 2007. A hint at how deep intruders had begun to penetrate U.S. government and military systems at the time bubbled up in scattered news stories.

In this Oct. 6, 2006 story , Alan Sipress told how hackers launched attacks from Chinese servers to get deep inside computers of the Department of Commerce ‘s Bureau of Industry and Security. Hundreds of workstations had to be replaced and employees were blocked from using the Internet for more than a month.

Thereafter, in 2006-2007, allegations flew that Chinese military hackers had cracked into the Navy War College and even infiltrated the Pentagon . The Chinese government perfunctorily denied responsibility. But the Financial Times of London surfaced a Pentagon report indicating Beijing had prepared a detailed plan to disable America’s aircraft battle carrier fleet with a cyber attack, as well as push for “electronic dominance” over the USA, Britain, Russia and South Korea by 2050.

“The U.S. government got whacked,” CSIS director and senior James Andrew Lewis told me in a recent interview. “We had a massive penetration of a number of critical agencies by unknown foreign powers usually alleged to be China. It was a major failure. We probably had our cyber Pearl Harbor, but it was an intelligence Pearl Harbor, not one where infrastructure blew up or failed. The administration realized they had this huge problem, and something had to be done.”Gen. Keith Alexander, Director of National Security Agency, and Ret. Adm. Mike McConnell, Director of National Intelligence, persuaded President Bush to green light development of a 12-point plan later to be dubbed the “Comprehensive National Cybersecurity Initiatives” (CNCI).

Getting the Beltway moving

In March 2007, McConnell, a former senior partner at Booz Allen Hamilton , rang up his old consulting firm and told them to send over Mellissa Hathaway, a crack project manager. Hathaway had spent 15 years rising through the ranks at Booz Allen’s Virginia office. She displayed a knack for lowering barriers between “stovepiped” military and intelligence organizations, says Booz Allen Senior Vice President Mark Gerencser one of Hathaway’s mentors. Hathaway took to the emerging field of “info ops” – information warfare, including cyber raids and cyber defenses – like a fish to water.

“We were doing things to support information operations for the Army, Navy, the CIA and others, and her role was to integrate our collective thinking to benefit the clients,” says Gerencser. “She was an integrator. She knew were all the synergies were.”

Hathaway jumped in to help Alexander, McConnell and several other top Bush officials refine what was to become Bush’s 12-point cyber plan, a multi-year, $30 billion exercise focused on reducing connections to government networks and shoring up cyber defenses. Hathaway was then given the difficult assignment of rallying appointed officials and entrenched career bureaucrats at a cross section of large federal agencies to support Bush’s plan. To make her assignment even more challenging, Bush insisted that the cyber plan be classified Top Secret.

Certain things, such as offensive and counter attack strategies, ought to be classified, says NetWitness CEO Yoran. “But the majority of the program should be unclassified,” he says. “For any security strategy to be effective you have to work hand in glove with the private sector; they run the systems and develop the technologies that protect the systems. If you can’t talk to the folks developing and operating your systems your program will be less than successful.”

Even so, Hathaway pulled off what many Beltway wags viewed as impossible. “The only sensible survival strategy for senior bureaucrats in the Bush-Cheney Washington was to keep your head down and avoid starting anything or doing anything that would make you visible,” says Alan Paller, research director of security think tank The SANS Institute. “Innovation was a four letter word. Initiative was considered antagonistic to the common good. There were wonderful exceptions, but they were rare.”

And yet Hathaway was able to get agency heads to “step up, commit resources, re-prioritize and make things happen faster than they had ever done anything in their government lives,” says Paller. Within six months “every agency that needed to act was acting.”

CSIS gets Bush’s cold shoulder

Meanwhile, in the same time frame, but on a separate track, the bi-partisan CSIS commission got rolling – and got a cold shoulder from the White House. “The Bush administration was afraid it was going to be criticized,” says Lewis. “They wanted to have their talking points in place. ‘We’ve taken the following steps to secure America,’ and then check all the right boxes. They were talking-point motivated.”

Even so, Lewis says Bush’s secret plan, put into motion with barely a year left in his presidency, did, in fact, make far-reaching inroads into locking down federal networks. “They were identifying the right problems. But this is where ideology hampered them and really crippled the initiatives,” he says. “They called it comprehensive, but it wasn’t really comprehensive.”

Bush’s plan just plain ignored the need to forge alliances with European nations undergoing similar attacks. And there was no thought of engaging superpowers Russia and China, or smaller nations like the Urkraine, Romania, Turkey and Nigeria, about increasing cyber attacks against the U.S. originating on their soil.

Furthermore, the Bush cyber plan gave only a token nod to partnering with – and regulating, if need be – private sector telecoms, ISPs and domain registrars that operate the backbone of the Internet. “It was good as far as it went, but it didn’t go far enough,” says Lewis. “Ultimately it is a single global network we’re talking about. Something that focuses on the DOD and the federal government won’t do. The Bush administration didn’t like regulations and wasn’t a big fan of international cooperation, and that was reflected in the CNCI. ”

By the fall of 2008, despite a cold shoulder from the White House, the bi-partisan CSIS commission had hammered out extensive recommendations and rationale calling for Bush’s successor, whether it be Obama or John McCain, to go beyond locking down government systems, and to directly engage the private sector and foreign allies in stemming cyber attacks.

“I really hope we don’t go for a perimeter mentality,” says Melih Abdulhayoglu. “We live in a connected world. We can’t just look at what government assets need to be protected. We have to secure every single node on the Internet that could be used for any sort of cyber criminal attack or attempts at cyber terrorism.”

Ideally suited

Not long after Obama won the presidential election, Hathaway quickly surfaced on the Obama transition team’s radar. “We wanted somebody who had a full grasp and understanding, so she was ideally suited for [conducting the 60-day cybersecurity review],” a senior White House official told me. “I was very impressed with her understanding, her scope, and the fact that she didn’t have any type of parochial view about who should be doing what. She’s a very smart person who has a lot of familiarity, not just with the issues, but also with the people involved, and the different type of capabilities that reside in the different departments and agencies.”

By all accounts, Hathaway has been laser focused on delivering a thorough, cogent report to Obama by early April. Hathaway has kept a low profile, declining interview requests.
It would come as a surprise if she did not endorse the CSIS commission recommendation calling for Obama to create a cabinet-level position – a cybersecurity czar reporting directly to the president who’s assigned to fast-track the shaping and implementation of a strong U.S. cybersecurity policy.

CSIS commission member Paul Kurtz, a partner at Good Harbor Consulting and a longtime Beltway insider with a great resume, played a prominent role on Obama’s transition team. Kurtz has long been rumored as a front runner. At one point, Forbes magazine picked serial entrepreneur Rod Beckstrom as a darkhorse candidate . Beckstrom was brought in by McConnell and former Homeland Security Director Michael Chertoff last March to help focus DHS’s cybersecurity efforts. But Beckstrom resigned suddenly last week after being what he characterized as unduly stifled by the National Security Agency.

Beckstrom’s resignation underscored the fractious infighting between the highly secretive intelligence gathering branch of the federal government and the civilian branches, which Obama has vowed to make more transparent. And yet according to this Washington Times report, the Obama administration is moving ahead with plans to name not Kurtz as the new cyber czar, but Gen. Alexander, the head of the NSA under Bush. Alexander and former Director of National Intelligence McConnell were the two senior-most officials who persuaded Bush to finally take cyber security more seriously.

Whoever becomes the president’s go-to person on cybersecurity, Paller says he should not be referred to as a czar. “A czar is all powerful,” says Paller. “The director of the cyber defense agency would not be all powerful. His role would be managed from the National Security Council.”