White House outlines secret cybersecurity plan

SAN FRANCISCO--Ever since President Bush signed a secret cybersecurity directive two years ago, executive branch officials have been dropping hints about what might be in the highly classified document known as NSPD54.

Former Homeland Security Secretary Michael Chertoff once likened it to a new "Manhattan Project," and The Washington Post reported that the multibillion Comprehensive National Cybersecurity Initiative represented the "single largest request for funds" in last year's classified intelligence budget. A Homeland Security assistant secretary previously acknowledged there were "plans to expand" a network monitoring component, named Einstein, which has prompted protests by privacy advocates.

On Tuesday afternoon, the White House let slip a few more tidbits. It has not released the text of NSPD54, also known as National Security Presidential Directive 54, but a five-page PDF posted on Whitehouse.gov does feature a summary.

There's not much in the way of details, but those that are included are likely to raise questions about the role of the National Security Agency in network surveillance and how intent President Obama is on continuing some of the more controversial cybersecurity policies of his predecessor. After the Bush-era warrantless surveillance controversy, many politicians and civil libertarians have become wary of greater NSA involvement in network monitoring.

"We must all partner together to make sure cybersecurity is secure," Howard Schmidt, Obama's cybersecurity coordinator, said in a speech at the RSA Conference here on Tuesday. Schmidt used his speech to announce the publication of the five-page summary, saying that without transparency, "we can't ask industry to help the government."

One portion of the summary talks about "extending cybersecurity into critical infrastructure" used by the federal government, a category that appears to include the Internet as well as electrical power and telephone links. Another dealing with intrusion prevention says that a Homeland Security program called Einstein 3 will involve the NSA receiving "alerts" involving "detected network intrusion attempts."

While the initial purpose of Einstein was to monitor (and eventually prevent) electronic attacks on federal government networks, the parallel goal of protecting critical infrastructure operated by the private sector could blur that line. The White House's summary takes pains to reassure Americans that their privacy is being protected, saying "government civil liberties and privacy officials are working closely with DHS and US-CERT to build appropriate and necessary privacy protections into the design and operational deployment of Einstein 3."

"The government does have to protect its own networks, but it shouldn't try to take responsibility for critical infrastructure" owned and operated by the private sector, said Jim Harper, a policy analyst at the free-market Cato Institute, who is a member of Homeland Security's Data Privacy and Integrity Advisory Committee.

Harper says this glimpse of Bush's cybersecurity plan, which includes an endorsement by Obama, shows that not much has changed between administrations in this area. "The bureaucrats run everything: the policies of the Bush administration are the policies of the Obama administration," he said. "I don't think there's much of a change of tone in cyberspace policy areas."

Homeland Security has published a privacy impact assessment for a less capable system called Einstein 2--which aimed to do intrusion detection and not prevention--but has not done so for Einstein 3. The Bush Justice Department wrote a memo saying Einstein 2 "complies with" the U.S. Constitution and federal wiretap laws.

Members of Congress have raised questions before about the Comprehensive National Cybersecurity Initiative, including a secretive National Cyber Security Center created by NSPD54.

And the House Intelligence Committee, which tends to be hawkish on secrecy, has complained that details about NSPD54 "remain vague" because of "excessive classification" and said the 2009 budget request was "excessive."