President Bush has never been a poster boy for transparency. The cyber initiative he signed last January to beef up the government's protections against hackers and cyberspies is no exception—much of the multibillion-dollar project remains classified.
But to extend the project's cyber protections to America's private sector—including some of the nation's most vulnerable targets for malicious hackers—the administration is trying something unfamiliar: sharing information.
According to a Department of Homeland Security report obtained by Forbes.com, a group of unnamed private sector executives representing industries including banking, telecommunications and energy have been meeting with the DHS to find ways to more efficiently swap data on cyber intrusions and digital espionage. The DHS wouldn't share any details of the classified meetings, known as Project 12, which began in February and are scheduled to continue through May. But the goal of the conferences, according to one former government official, is to build a better system for sharing classified cyber-threat data with private companies.
Given the program's scope and budget, the government should have plenty to share. Over the next seven years, Bush's cyber initiative will spend as much as $30 billion to create a new monitoring system for all federal networks, a combined project of the DHS, the NSA and the Office of the Director of National Intelligence. The data-sharing plan would offer information gathered by that massive monitoring system to the private sector in exchange for their own knowledge of cyber intrusions and spyware.
The Bush administration's cyber initiative, known as Presidential Directive 54, is partly a response to a series of cyber intrusions that plagued the Pentagon last summer. Hackers seemingly based in China stole untold amounts of e-mail data from the Department of Defense's servers.
The nation's critical infrastructure systems, mostly owned by the private sector, may face a similar threat. Security researchers have long warned of security vulnerabilities in the Supervisory Control and Data Acquisition systems that control things like power plants and public transit. Over the past two years, hackers penetrated and extorted hundreds of millions of dollars from multiple companies using SCADA systems, says Alan Paller, director of the SANS Institute, an organization that hosts a crisis center for hacked companies. (See: "America's Hackable Backbone"). And in January, a CIA official revealed that a power outage affecting multiple cities outside the U.S. had been sparked by a cyber attack.
But the notion of extending the government's network monitoring to the nation's critical infrastructure has raised hackles. Privacy advocates, fearing government intrusion on private networks, have already compared the project to the NSA's warrantless wiretapping program. In a congressional hearing last Thursday, Rep. Paul Broun, R-Ga., said the program seemed "a little like the fox guarding the henhouse."
The information-sharing strategy revealed in the DHS report may be a compromise. For now, the government is avoiding the controversy of monitoring commercial networks, and instead trading its cyber-threat information for data about intrusions that private companies have detected on their own computers, says the SANS Institute's Alan Paller. "To find the bad guys, we'll need huge analytic engines, with all the right data," he says. "The government can't force these companies to let it watch traffic in commercial networks, so this is one way to get [the private sector] involved."
That doesn't mean the data-sharing project is a guarantee that government monitoring won't eventually be expanded to some parts of private industry, Paller says. He sees the project as the first step in convincing critical infrastructure companies to allow some government surveillance of their networks. Companies possessing classified government data, such as defense contractors, are especially likely to be brought under the initiative's umbrella of surveillance, according to some former government officials. (See "Bush's Double-Edged Cyber Plan.")
Jim Dempsey, the vice president of the Center for Democracy and Technology, takes the opposite interpretation: He says the information-sharing project may be a reassuring sign that the cyber initiative will respect the barriers between the private sector and government. But he still sees the project as giving too much power to the NSA, an agency he says "operates in secret and is bent on stealing information."
"The administration has already crossed the line in giving the NSA too much power to monitor its unclassified system," says Dempsey. "If that monitoring were extended to the private sector, that would be an even greater concern."
Jim Lewis, a former Commerce Department official focused on cyber security, argues that the data-sharing meetings don't foreshadow anything so nefarious. Instead, he says, they're intended to rebuild personal relationships between cyber-security gurus in the government and private industry.
"When companies spot intrusions on their networks, they're going to their general counsels to see what they should share and not share. Instead, the idea is that they could pick up the phone and call someone in the government," Lewis says. "The government knows a little, and the private sector knows a little. We need everyone to throw their pieces in the same pot."