August 1, 2008
The Bush administration’s newly created National Cyber Security Center remains shrouded in secrecy, with officials refusing to release information about its budget, what contractors will run it, and how its mission relates to Internet surveillance.
In correspondence with the U.S. Senate posted on Thursday, the Bush administration said it would not provide that information publicly. An 18-page, partially redacted letter from DHS said that disclosure could affect “the conduct of federal programs, or other programs or operations essential to the interests of our nation.”
The censored letter–a nonredacted, “For Official Use Only” version was provided to senators–came in response to queries from the top Democratic and Republican members of the Senate’s Homeland Security committee.
Sen. Susan Collins, a Maine Republican, indicated that the nonredacted version satisfied her, at least for now. “Increased information sharing will benefit the department, Congress and the public, as well as the private-sector, which controls the vast majority of the nation’s cyber infrastructure,” Collins said in e-mail to CNET News. “It is my hope that the release of this information will assist in improving security in both the public and private sectors.”
Sen. Joe Lieberman, an independent from Connecticut who caucuses with Democrats, did not respond to our queries on Thursday.
In March, DHS announced that Rod Beckström, 47, would be appointed as director of the National Cyber Security Center. Secretary Michael Chertoff said at the time that Beckström would “implement cyber security strategies in a cohesive way” and contribute to the “protection of federal networks and the security of our homeland.”
Oddly, DHS seemed to change its mind about whether even the mere existence of the National Cyber Security Center was classified or not.
“On March 20th, you announced that Rod Beckstrom would be the director of the new National Cyber Security Center within DHS,” Lieberman and Collins said in a letter (PDF) to DHS in May. “Prior to this announcement, committee staff had been instructed that the existence of the NCSC was itself classified.”
Their letter to DHS in May asked for a detailed account of the department’s role in the Comprehensive National Cyber Security Initiative, noting a lack of information from the department, in spite of the fact that the administration had claimed that cybersecurity was one of Chertoff’s “top four priorities for ‘08.”
The DHS has requested an additional $83 million for National Cyber Security Center for fiscal year 2009 (which begins in October 2009); including the $115 million awarded for the initiative in 2008, that would increase its budget by $200 million, tripling the amount the DHS has spent on cyber security since 2007.
The department’s new National Cyber Security Center is taking the lead on the CNCI, a “multi-agency, multi-year plan to secure the federal government’s cyber networks” that was established in January by a directive signed by President Bush. In the letter made public on Thursday, DHS described the center as a way to “coordinate and integrate information necessary to help secure U.S. cyber networks and systems and help foster collaboration among federal cyber groups,” and serve as a “single location for all-source situational awareness about cyber activity and security status of the U.S. networks and systems.”
Though just made public Thursday, the letter was initially sent to the senators on June 2. The subsequent redacted version eliminated the department’s response to questions such as: “Why was the determination made that the contract will be for a 10-month period?” and “How will the DHS provide appropriate oversight to ensure that the contractors support efforts do not intrude on inherently governmental functions?”
One question left unanswered is how the National Cyber Security Center will interact with DHS’s so-called Einstein program, which is designed to monitor Internet mischief and network disruptions aimed at federal agencies. (Not much about Einstein is public, but a privacy impact assessment offers some details.)
A Homeland Security spokeswoman told us in April that the primary focus of Einstein at the time was protecting federal-government networks–not monitoring the privately operated Internet, a move that would raise unique legal, technical, and privacy challenges.
The DHS letter refused to divulge any information about Einstein. It said: “Technological upgrades and planning activities are classified. DHS will be happy to provide the committee with a briefing in the appropriate (classified) setting.”