Comprehensive National Cybersecurity Initiative

Overview
In January 2008, the Bush Administration established the Comprehensive National Cybersecurity Initiative (CNCI) by a classified joint presidential directive, in an effort to make the United States more secure against cyber threats. The CNCI establishes a multi-pronged approach the federal government is to take in identifying current and emerging cyber threats, shoring up current and future telecommunications and cyber vulnerabilities, and responding to or proactively addressing entities that wish to steal or manipulate protected data on secure federal systems. The Homeland Security Presidential Directive 23 and National Security Presidential Directive 54 establishing the CNCI are still classified, although some details of the initiative have been made public through departmental press releases, speeches by executive branch leaders, and analysis offered by individuals who follow cybersecurity- and terrorism-related issues.



Shortly after taking office, President Obama, in February 2009, ordered a review of cybersecurity-related plans, programs, and activities underway throughout the federal government, including the CNCI projects. This review resulted in a May 2009 report that made recommendations for achieving a more reliable, resilient, and trustworthy digital infrastructure.

Stated goals
The CNCI consists of a number of mutually reinforcing initiatives with the following major goals designed to help secure the United States in cyberspace:


 * To establish a front line of defense against today’s immediate threats by creating or enhancing shared situational awareness of network vulnerabilities, threats, and events within the Federal Government — and ultimately with state, local, and tribal governments and private sector partners — and the ability to act quickly to reduce our current vulnerabilities and prevent intrusions.


 * To defend against the full spectrum of threats by enhancing U.S. counterintelligence capabilities and increasing the security of the supply chain for key information technologies.


 * To strengthen the future cybersecurity environment by expanding cyber education; coordinating and redirecting research and development efforts across the Federal Government; and working to define and develop strategies to deter hostile or malicious activity in cyberspace.

In building the plans for the CNCI, it was quickly realized that these goals could not be achieved without also strengthening certain key strategic foundational capabilities within the Government. Therefore, the CNCI includes funding within the federal law enforcement, intelligence, and defense communities to enhance such key functions as criminal investigation; intelligence collection, processing, and analysis; and information assurance critical to enabling national cybersecurity efforts.

The CNCI was developed with great care and attention to privacy and civil liberties concerns in close consultation with privacy experts across the government. Protecting civil liberties and privacy rights remains a fundamental objective in the implementation of the CNCI.

In accord with President Obama’s declared intent to make transparency a touchstone of his presidency, the Cyberspace Policy Review identified enhanced information sharing as a key component of effective cybersecurity. To improve public understanding of Federal efforts, the Cybersecurity Coordinator has directed the release of the following summary description of the CNCI.

Functions of the CNCI
Reportedly, the CNCI “establishes the policy, strategy, and guidelines to secure federal systems.” The CNCI also delineates “an approach that anticipates future cyber threats and technologies, and requires the federal government to integrate many of its technical and organizational capabilities to better address sophisticated threats and vulnerabilities.” Rather than serving as an overarching national strategy document with specific instructions for federal agency implementation activities, the CNCI is seen as a plan of action for programs and initiatives to be addressed at the operational and tactical level.

Given the classified nature of the presidential directives and the secrecy accompanying department and agency activities related to these issues, few details are known about CNCI-related federal government implementation efforts. According to one media account, Steven Chabinsky, Deputy Director of the Joint Interagency Cyber Task Force (JIACTF) for the Office of the Director of National Intelligence, stated at an information technology security conference that there are 12 objectives supporting the initiative’s goal of comprehensively addressing the nation’s cybersecurity concerns. These include the following:


 * Move toward managing a single federal enterprise network (an integrated communications system architecture for the federal government with common security standards across the network).
 * Deploy intrinsic detection systems.
 * Develop and deploy intrusion prevention tools.
 * Review and potentially redirect research and funding.
 * Connect current government cyber operations centers.
 * Develop a government-wide cyber intelligence plan.
 * Increase the security of classified networks.
 * Expand cyber education.
 * Define enduring leap-ahead technologies (investing in high-risk, high-reward research and development to ensure transformational change).
 * Define enduring deterrent technologies and programs.
 * Develop multi-pronged approaches to supply chain risk management (potential tampering within the production line and the risk associated with computer products and parts made outside the United States).
 * Define the role of cybersecurity in private sector domains.

Ongoing projects
NSPD-54/HSPD-23 established 12 CNCI projects and identified lead agencies for each. Since January 2008, the lead agencies have been responsible for tracking progress on each of the projects specified in the directive.

Four agencies have responsibilities for multiple projects of CNCI:


 * Department of Homeland Security’s responsibilities focus on protecting civilian agency information systems, including reducing and consolidating external access points, deploying passive network sensors, and defining public and private partnerships.
 * The Department of Defense is charged with monitoring military information systems, increasing the security of classified networks, and deploying intrusion prevention systems, among other things.
 * The Office of the Director of National Intelligence (ODNI) is responsible for monitoring intelligence community information systems and other intelligence-related activities, including the development of a government-wide cyber counterintelligence plan.
 * The Office of Science and Technology Policy (OSTP), which is responsible for providing advice on the effects of science and technology on domestic and international affairs, is responsible for the two CNCI projects that focus on advanced technology research and development.

The Office of Management and Budget, the Department of Justice, and the National Security Council also have lead roles on specific CNCI projects.

The twelve projects currently being pursued under the CNCI are:



Criticism of the CNCI
In response to the CNCI and other proposals, questions have emerged regarding: (1) the adequacy of existing legal authorities — statutory or constitutional — for responding to cyber threats; and (2) the appropriate roles for the executive and legislative branches in addressing cybersecurity. The new and emerging nature of cyber threats complicates these questions. Although existing statutory provisions might authorize some modest actions, inherent constitutional powers currently provide the most plausible legal basis for many potential executive responses to national security-related cyber incidents.

Given that cyber threats originate from various sources, it is difficult to determine whether actions to prevent cyberattacks fit within the traditional scope of executive power to conduct war and foreign affairs. Nonetheless, under Supreme Court jurisprudence, it appears that the President is not prevented from taking action in the cybersecurity arena, at least until Congress takes further action. Regardless, Congress has a continuing oversight and appropriations role. In addition, potential government responses could be limited by individuals’ constitutional rights or international laws of war.

Lack of transparency
Since CNCI’s inception, former and current government officials have voiced concerns regarding the lack of publicly available information. For example:


 * The federally chartered Information Security and Privacy Advisory Board (ISPAB) stated that greater clarity and transparency were necessary to ensure both the effectiveness and trustworthiness of CNCI. Specifically, the ISPAB advised that government agencies release key documentation regarding the impact of CNCI activities on personal privacy.
 * The CSIS commission noted that because the CNCI directive and projects are classified, little information could be shared with the public, the cybersecurity industry, or allied nations. The commission concluded that greater openness is important given the large role played by those outside the federal government in cybersecurity. In addition, the commission stated that the United States should open the discussion of how best to secure cyberspace and present the issues of deterrence and national strategy to the broad national community of experts and stakeholders.
 * The White House policy review stated that, in moving forward, transparency would be important to build trust between the public and federal cybersecurity programs. The review added that it would be important to bring transparency and effective management to the overall cybersecurity portfolio.

While certain aspects and details of CNCI must necessarily remain classified, it is claimed that the lack of transparency regarding CNCI projects hinders accountability to Congress and the public. In addition, current classification may make it difficult for some agencies, as well as the private sector, to interact and contribute to the success of CNCI projects.

Interagency cybersecurity review
On February 9, 2009, President Obama directed a 60-day interagency cybersecurity review (Cyberspace Policy Review) to develop a strategic framework to ensure the CNCI is being appropriately integrated, resourced, and coordinated with Congress and the private sector. On May 29, 2009, President Obama issued the results of the Administration’s 60-Day Cyberspace Policy Review.

External link
John Rollins & Anna C. Henning, Comprehensive National Cybersecurity Initiative: Legal Authorities and Policy Considerations (Mar. 10, 2009) (CRS Report R40427).