CNCI – A new cybersecurity program

It is G.W. Bush's single largest request for funds in the 2009 intelligence budget, and it is a "highly classified, multiyear, multibillion-dollar project".

It goes by the name CNCI, aka the "Cyber Initiative", and the Director of National Intelligence, Mike McConnell, calls it a pro-active measure to protect the US Government's computing infrastructure and, in the future, potentially also the computing environments of (US) private entities.

While the secrecy surrounding the program does not even allow for specific funding figures or a breakdown, the House Intelligence Committee in its report on the program "recognizes" that "…it will be imperative that the government also take into account the interest and concerns of private citizens, the US information technology industry, and other elements of the private sector…".

They call it a public-private partnership and have outlined how oversight should be handled by a panel of lawmakers, executive branch officials and some private sector representatives. And the House has already approved 90% of the requested budget.

So far so good. It all sounds nice and positive: a fresh start, "unlike any model currently existing". Well, well, well. If your memory in that branch of IT goes back long enough (10 years+), you will say together with us: nice words, but we have heard them before, and when we acted within the scheme we got heavily burned while a bunch of government crooks around the world filled their pockets with billions of dollars.

So if it's a "fresh start", back up your words with actions!

Demonstrate that you have learned from past mistakes and that you want to make up for what went wrong. At least in our definition, that is how "partners" behave towards each other. Otherwise it will be just a continuation of (money for) "jobs for the boys".

But first things first:

We fully agree that a fresh start is desperately needed and provide some suggestions briefly outlined below:

(1) Let's simplify what that "Cyber thing" could potentially mean:

Every security expert, in IT and elsewhere, will agree that creating a secure and trusted platform is a weakest-link game. Within an infrastructure this means that every single element of which the network is made up is a potential attack / entry point. In short, this leads to the most interesting topic: OS hardening / secure operating systems and hardware.

A lot of effort and certainly many hundreds of millions of dollars have been, and most likely will continue to be, poured into research in that field. But what came of it? And who said we need a fresh start?

This gets us to what we believe is the far more important part in the successful implementation of any potential new program that actually wants to achieve a usable outcome.

It’s creativity.

Nobody will seriously deny that coming up with new and innovative approaches to protect, as well as to break into, systems or devices requires a certain, often high, level of creativity. And there are far fewer people who possess these talents than one would generally believe. We are not talking about the copy-cats, the ones who have stolen other people's ideas, or the ones who believe they "manage" creative people.

Even those fools know that to steal, copy or imitate something, somebody has to create the genuine piece in the first place.

(2) Reviving the creative potential:

So here we are getting closer to the core of the actual problem. While more and more money has been made and that second group of people has grown exponentially, creativity has dried up. So how can the potential of those creative people be revived?

To begin with, there are people who have spent years of their lives researching and coming up with new and working solutions in the key fields needed to secure a country's or an organization's infrastructure. Examples in the field of OS security would definitely include some types of behavior checkers, isolating hardware and software processes in certain ways, and advanced sandboxing. These things (including most of the terminology) were invented / adapted for today's hardware and software approaches more than ten years ago, but the bulk of these results have been suppressed by governments around the world.

We are not talking here about some "tuned-up BSD jails" or placebo desktop solutions claiming to do these things. We mean OS solutions re-engineered from the ground up that have, let's say, inspired most virtualization products available today for PCs etc. Similar things apply to other infrastructure or network protocol suites.

So why are those who have successfully created such solutions (even if you might never have heard about them) not creative anymore?

First, besides the crypto guys (who seemingly love their maths so much that they don't see / don't want to see the change), most individual researchers / independent companies have given up inventing new ways to harden OSes / secure servers / desktops, as their work has been so massively obstructed. Some of the most successful inventors from the 1990s, when the topic started to attract broader interest, are today still hindered from doing any reasonable work, even outside the field of IT security. Others went into hiding in the walled gardens of large international IT conglomerates and are (at least officially) not working on the topic anymore.

Second, most of those creative inventors are also freethinkers, and the first question arising from that would be why anybody should help to protect systems for governments that are oppressive and by definition closer to totalitarian states than to democracies. Maybe we are completely mistaken about this, but an answer would definitely be more than interesting.

Third, forgive us, but it looks a bit like the same people who have blocked progress in IT security for at least a decade are now claiming they want to change their course diametrically. Well, we are always open to surprises. Maybe they have learned that the path they were steaming along at full speed is a cul-de-sac? Maybe they did realize that a secure infrastructure is a prerequisite for a functioning administration. Whatever; it's nice to play with words.

(3) Do it:

We say: back it up with facts. Demonstrate the change by first repairing the damage you have done to the most creative minds in that field of research and development!

And if this is foremost in your own self-interest, so be it.

Then, and only then, could one start giving credibility back to those who created the problem to the extent we are facing it now. Private organizations are, or certainly will be, putting more effort into this topic as well, but with most off-the-shelf hardware and software having so many built-in flaws that these computers / devices look more like Swiss cheese than a "wall", it is not surprising that break-ins and abuses are on the rise.

To make things worse, the change in the political landscape and the approaches to / attacks on researchers in the field of computer security have created a climate where sharing discovered issues has become less and less attractive to most (only a few believe that their 15 minutes of "fame" will contribute to an overall solution).

The most important thing now is to get back to a systematic approach to these issues, demonstrate change, and clean up the mess of the past decade.

It’s about time.

More information:
The Washington Post on the CNCI program approval
The Permanent Select Committee on Intelligence web site

It's time to save Molly, and neither 3Jane, Riviera, Willis Corto nor Wintermute should hold us back.


2 Responses to “CNCI – A new cybersecurity program”

  1. Anonymous Says:

    is this what you were referring to in class?

  2. fpp Says:

    The author of this opinion piece does not give lectures (anymore) but has been an insider of the "security trade" for decade(s).

    Which class were you referring to?