U.S. Cyber Security Coordinator Howard Schmidt announces declassification of CNCI initiatives
In his keynote speech at the RSA 2010 Conference, U.S. Cybersecurity Coordinator Howard Schmidt reminded the audience of President Obama’s memo to all federal departments and agencies, which says, “My administration is committed to creating an unprecedented openness in government.”
Schmidt went on to say, “I’m pleased to announce that the Administration has updated the classified guidance for the Comprehensive National Cybersecurity Initiative, or CNCI, which began in 2008 and forms an important component of the efforts within the national government. As of noontime today, in about 15 minutes, you’ll be able to go to whitehouse.gov/cybersecurity and download the unclassified description of CNCI in each of the 12 efforts under CNCI.”
With this declassification, Schmidt stated, “The American people can partner with government.” But, to be successful in protecting the nation’s cyber-security, he added, “We must continue to seek out new and innovative partnerships involving government, industry, academia and the public at large.”
Schmidt’s presentation described some of the steps that led to the administration’s present policies. In May 2009, he recalled, the President declared that cyber-threats are one of the most serious threats we face as a nation, and America’s economic security will depend on cyber-security. Schmidt then described the progress that has been made on the near-term recommendations of the cyber policy review, which Obama had commissioned.
- The first recommendation, said Schmidt, was that a senior policy adviser be appointed, “and here I am.”
- The second was to update strategy, which is an ongoing effort. “We still have vulnerabilities, we still have resiliencies, we still have issues,” he said, “but we need to look at it in today’s terminology so that we can adapt.”
- The third was to bring the private sector into the discussion, to maintain the richness and robustness of our efforts. There has been a lot of discussion about FISMA [the Federal Information Security Management Act], he said, including the argument that you can be FISMA-compliant and still not be secure. “And we agree with that,” Schmidt added. “Work needs to be done. And that is why we have developed real-time metrics with continuous monitoring that provides real-time situational awareness.”
- Fourth, designate a privacy and civil liberties professional. This has been done, Schmidt said, and the person is already on board.
- Fifth, government inter-agency legal analysis. There are about 40 legal questions that need to be addressed, said Schmidt, and this will require ongoing legal analyses.
- Sixth, how do we create a national and international awareness campaign to promote cyber-security? This is a question that has been divided into four tracks: (1) national awareness, which is being handled by the Department of Homeland Security; (2) cyber-security education, which is being handled by the Department of Education; (3) the Federal Infrastructure Workforce, which is now being handled by the Office of Personnel Management and the Department of Defense; and (4) national workforce training, which is being handled by the Department of Homeland Security, the Department of Defense and the Director of National Intelligence.
- Seventh, the International Cybersecurity Program. A policy framework needs to be established, said Schmidt, but without impeding the private sector’s research and development efforts.
- Eighth, the Cyber Security Instant Response. There should never be a question, said Schmidt, about where the private sector should go during a cyber incident.
- Ninth, the development framework for research and development. Schmidt indicated there is a lot of research to be done, and the Office of Science and Technology is working on questions such as, “How do you deal with the moving target defense?”
- Tenth, cyber-security identity management strategy, with particular emphasis on a secure online transaction capability. It must be interoperable, said Schmidt, and it must not try to make one size fit all.
Transparency and partnerships, Schmidt reiterated throughout his presentation, must go hand-in-hand. The government and industry must work together with the American people to develop a harmonized and systematized cyber-security policy that is effective and efficient.