Zero day
Retired intelligence director ignites cyber readiness debate
By BEN IANNOTTA
June 17, 2010
Former Director of National Intelligence Mike McConnell has made himself the fly in the ointment of the Obama administration’s plan to rely on public-private partnerships to defend the country’s privately held critical infrastructure against cyber attacks.
Experts inside and outside the Obama administration agree that the country’s public networks — the dot-com, dot-net and dot-org domains — are potential routes for a zero-day attack, the industry’s term for a cyber blitz of unprecedented scale and technique. If the attack were sophisticated enough, it could cascade through the country’s financial system, electrical grids and telecommunications networks.
In McConnell’s view, articulated through a series of public talks, the U.S. has done “zero” to protect these networks. That is a problem, he said, because those networks comprise 98 percent of the U.S. vulnerability. The government’s work to date — such as the Einstein project to install intrusion detection computers at the portals where private cyber users access the government’s dot-gov networks — is geared toward protecting the government networks, a step Obama administration officials describe as an appropriate priority. For the private infrastructure, Obama will rely mostly on corporations to select security measures under a process monitored by the government. As for response during a crisis, the administration is still working on a plan for how the government and corporations would coordinate.
McConnell’s April talk at the National Space Symposium in Colorado was the latest riff in his cyber-awareness offensive to push for a stronger and clearer government role.
In a brief interview after his Colorado talk, he said the country needs a Sen. Barry Goldwater-like figure to define cyber defense authorities for the intelligence agencies, the Defense Department and the Department of Homeland Security (DHS). The Defense Department is an outward-looking agency, but cyber attacks are complicated affairs quickly crossing national borders, he said.
“Baby steps” was his term for the U.S. plan, now in its final stages, to establish a new Cyber Command under Strategic Command. The Obama White House is distracted, he said. “The strategy for health care, Afghanistan, the Middle East. When you sort of work through that, it fills up the day.”

Administration cites progress
Obama officials and allies in industry are pushing back against McConnell, but gingerly, given that he is a retired Navy vice admiral and former director of the National Security Agency who served a few days in the Obama administration as director of national intelligence. McConnell is now an executive at the Booz Allen Hamilton consulting firm.
In testimony before Congress and in media interviews, Obama officials describe a nation that is getting its cyber house in order on some of the pressing policy and technical issues McConnell has raised. They cite progress — the opening of a cyber attack watch floor in Virginia and their initiative to more precisely define the roles of the Defense and Homeland Security departments in an attack — in the months since Obama’s major cyber speech May 29, 2009. On that day, executives from the critical infrastructure companies came to the East Room of the White House and heard Obama promise to work with industry to protect private networks as “strategic national assets.” In the view of some, Obama undercut the sense of urgency by taking more than six months to fill the new position of White House cyber coordinator. In December, the administration announced cyber expert Howard Schmidt as the coordinator.
Resolving the military role
The delays are behind them, administration officials say. In the coming weeks, the administration plans to resolve the role of the military in responding to attacks against the private infrastructure.
“That’s probably the most difficult [problem], and the one that we’re going to spend the most time trying to work our way through: How does the Defense Department help Homeland Security in a crisis?” said Army Gen. Keith Alexander during his April confirmation hearing to become commander of U.S. Cyber Command in addition to his current role as director of the National Security Agency.
Sen. Carl Levin, D-Mich., asked Alexander to describe his actions in a hypothetical scenario involving a cyber attack on the electricity distribution system originating outside the U.S. with malicious software routed through “computers owned by U.S. persons” located in the U.S. “How would you respond and with what authority?” Levin asked, according to a webcast.
“Department of Homeland Security could, working through the defense support for civilian authorities, reach out to the Defense Department and ask for support,” Alexander said. But he said that would be tricky because Levin’s scenario involved American citizens, civil liberties and privacy.
The question should not have taken Alexander by surprise, Levin said, because his staff had provided the scenario in advance of the hearing. In the end, Alexander said the processes and authorities were still being worked out: “I think that’s one of the things that the administration is trying to address with the Department of Homeland Security and with the Defense Department: How do we actually do that with industry?”
Alexander said yes when Levin asked him if the relationships and authorities would be sorted out by the end of the year.
Interagency discussions aside, McConnell worries that Alexander’s command won’t have the authority it needs because it is positioned under Strategic Command. In Colorado, he shared new details of his conversations with Defense Secretary Robert Gates during early discussions over the possibility of creating a cyber command. McConnell said he suggested the command be independent — the equivalent of the U.S. Strategic Command, which ties together strategy with operations and the equipping of forces. Gates, according to McConnell, said, “Mike, I can’t do that. I can’t do it without an act of Congress. It’s too hard.” Five months after McConnell left office, Gates announced that the new command would be placed under Strategic Command.
Gates’ spokesman Geoff Morrell said Gates would not engage in a “tit for tat” exchange with McConnell over that piece of history. By e-mail he added, “There is no daylight between [Gates] and the former DNI with regard to cyber requiring more attention and resources.”
“The bottom line is this is an emerging and developing threat, and it is one we need to adapt to and confront quickly. That is precisely why the secretary has set up the structure he has set up,” Morrell said. “If we were to set up an independent command, you would be setting up a whole, additional bureaucracy to support it. You’d have to populate it with the requisite people. You’d have to house it somewhere. That quickly adds up.”
Cyber Storm 3
The Obama administration reports it is closing in on establishing a National Cyber Incident Response Plan that would address the questions Levin raised in the Alexander hearing. The plan has to be done by the end of June so officials can meet in July to set the details of the country’s next Cyber Storm exercise, which will test the responses of the Defense Department, Energy Department, DHS and private-sector partners in a simulated attack, said Rear Adm. Michael Brown, deputy assistant secretary of homeland security for cyber security and communications.
The private sector has been deeply involved, he said. “The incident response plan is a public-private sector partnership. We’ve got lots of the sectors that have participated — over 200 participants thus far from the government and the private-sector side,” he said.
Homeland Security’s new cyber watch floor, the National Cyber Security Communications and Integration Center that started operations in October, will be the nerve center for Cyber Storm 3. The exercise will be an opportunity to test-drive the cyber incident response plan and identify security vulnerabilities, Brown said.
“Part of what we want to be able to do is to define those gaps, if they exist, and then take whatever the appropriate action is to figure out how to solve those gaps,” he said.
Brown did not rule out the possibility that closing gaps could require new laws. That might “potentially” be the case, he said. “You would have to figure out: Is that a responsibility that we would think the private sector should take care of, or is that something we think the federal government should take care of? Or is it a combination of both?” Brown said. “You’ve got to do analysis of what’s the best method to actually solve that gap.”
Establishing the national response plan was No. 8 on the administration’s list of 10 “near-term” action items released on the day of Obama’s May 2009 speech. (Finding a cyber coordinator was the first priority.) Brown said the work is “not necessarily taking so long” considering the level of detail that must be sorted among agencies and with the private sector.
“The incident response plan is a strategic document that will lay out the roles and responsibilities for the partners,” he said. “But we all feel there are subset plans that need to be put together based on specific scenarios that we think could happen.”
Cyber Storm 3 will be a major test of the administration’s progress because it will involve numerous agencies and executives from such companies as McAfee, which sells network security software and services to government and industry customers.
Looking at Cyber Storm 3, “You have certain people who are going to be the observers. Certain people who are going to be the attackers. Certain people who are going to be the defenders. You have your support mechanisms around it, and then on the day of the actual exercise, you essentially launch the scenario,” said Tom Conway, director of federal business development for McAfee. “You get to go through stages of who gets attacked, how do you respond to it — all these different layers.”
Based on past exercises, the scenarios will require private companies to cope with the unexpected. During Cyber Storm 2 in 2008, the scenario denied companies the ability to communicate by network. McAfee suddenly lost its ability to issue its virus-protection updates, called “dats,” over the Internet, so it sent them by fax and phone, Conway said.
Figuring out how to respond to attacks is not the only issue the administration faces. It wants to stop the zero-day attack before it happens. Obama officials are working with private industry to define strategies to do that. Individual sectors — including the financial sector — are establishing information-sharing and analysis centers, Brown said. Experts in these centers share information about the details of cyber intrusions, he said.
McConnell — whom Brown knows well as a fellow Navy admiral — has said the financial system poses special risks because most people now carry only a little cash and wealth is almost totally digital, threatening pandemonium if sophisticated terrorists figured out how to paralyze the system. In Colorado, McConnell said that if the Sept. 11 hijackers had been really smart, they would have attacked Wall Street through cyberspace.
Brown said securing the financial sector is a major focus of the information-sharing and analysis centers. Banks and investment firms are historically reluctant to share information with one another or the government about network intrusions for fear customers will move their money elsewhere. But security experts throughout the industry and government need to know about such instances so they can design software to defend against them. The administration has set up a pilot program with the financial sector under which DHS is receiving such information anonymously, Brown said. “We now — between DHS and the financial sector — have the ability to bilaterally share technical information,” he said.
Because of the anonymity, DHS can share details of cyber intrusions and vulnerabilities broadly.
“It won’t just go to the financial sector, it will go to all 18 sectors, we will distribute what the vulnerability is,” Brown said. “We’ll be able to articulate what the mitigating steps are to counter those vulnerabilities, so it’s raising the cybersecurity level of all of our partners.”
The Obama administration has published voluntary “best practices” for private-sector members, but it does not anticipate establishing broad security regulations across the sectors. Even so, Brown said that, in many cases, it would be a misnomer to call security steps voluntary.
“Several sectors are heavily regulated. Regulation agencies can, and do in some cases, put out cybersecurity measures that must be put in place,” he said.
“It’s not uniform, and it doesn’t cover all 18 sectors, but there are some things that are out there,” he said.
More regulations could be on the way, he said. “By working with our partners at [the Department of Energy] and [National Institute of Standards and Technology], we can work to have specific standards that apply both to the federal and to the private sector, and therefore we’re raising everybody together,” Brown said. “So there are multiple ways to look at how we can raise the cybersecurity standards on the private sector and the public sector, and that’s part of how we have approached things in the past, and we think we’ll be doing a lot more of it in the future.”
The administration does not claim to have an overarching strategy to defend the private sector networks.
“We haven’t come up with a single strategy. I fully expect that that is something that will come, but we need to get over the hump quickly on securing the dot-gov networks. That’s part of what the private sector is working with us on,” Brown said.
The administration has intentionally focused first on securing the dot-gov networks through programs such as Einstein, Brown said. In a related effort, it is working to reduce the number of public entry points into the government’s networks under a project called Trusted Internet Connections, which is run by DHS and the White House Office of Management and Budget. Einstein computers are to be installed at the remaining entry points, initially to detect intrusions — a capability called Einstein 2 — and eventually to stop intruders, called Einstein 3.
In March, the Government Accountability Office, the investigative arm of Congress, reported slow progress on installing Einstein computers and establishing Trusted Internet Connections. GAO recommended that DHS “define future requirements” before setting deadlines on the 23 agencies affected by the initiatives. DHS also should “make agencies aware of their ability to access Einstein data flow,” according to the report, “Information Security: Concerted Effort Needed to Consolidate and Secure Internet Connections at Federal Agencies.”
In the private-industry realm, a cross-sector cybersecurity working group is examining security strategies that might be implemented across multiple industries. “What are things that we can do to provide a greater level of coverage across all 18 sectors, and what are the mechanisms for that to occur?” Brown said.
Detecting intrusions
The closest thing to a standard across the industry is a downloadable intrusion detection and prevention technology called Snort, developed by Martin Roesch, founder of the company Sourcefire of Columbia, Md., according to the company’s website. The software roots out intruders based on their signatures similar to the way a pig snorts for a scent, said Dave Marcus, director of security research and communications at McAfee labs. The Einstein computers use Snort.
Snort works well, but Marcus and Conway said the industry needs the flexibility to improve security measures quickly, rather than be bound by standards or regulations. For example, instead of scanning for the specific signatures of intrusions that have already happened elsewhere, McAfee is working on technologies to stop intruders by spotting their broader cyber behaviors. Is a user “accessing an area of memory that it shouldn’t be accessing? Is there data in a part of the packet that there shouldn’t be?” Marcus said.
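The distinction Marcus draws is between matching a known signature (a content string seen in an earlier intrusion) and flagging behaviour that is wrong regardless of content (data where the protocol says there should be none). The following Python sketch, added here as an illustration and not code from the article, Snort, McAfee or the Einstein program, puts the two side by side. The rule grammar is a deliberately reduced subset of Snort's `content:` rule syntax (a simplification, not Snort's engine), the `Packet` type and the sample packets are constructed for the example, and the TCP check assumes TCP Fast Open is not in use.

```python
import re
from dataclasses import dataclass


@dataclass
class Packet:
    """Constructed stand-in for a decoded packet (not a real capture type)."""
    proto: str        # "tcp" or "udp"
    dst_port: int
    flags: str        # TCP flag letters, e.g. "S" = SYN only, "PA" = PSH+ACK
    payload: bytes


# Reduced Snort-like grammar: only "alert <proto> any any -> any <port> (msg; content; ...)".
RULE_RE = re.compile(
    r'^alert (?P<proto>tcp|udp) any any -> any (?P<dport>\d+|any) '
    r'\(msg:"(?P<msg>[^"]*)"; content:"(?P<content>[^"]*)";[^)]*\)$'
)


def parse_rule(text: str) -> dict:
    """Parse one rule of the reduced grammar into a matcher dict."""
    m = RULE_RE.match(text.strip())
    if m is None:
        raise ValueError("unsupported rule syntax: " + text)
    return {
        "proto": m["proto"],
        "dport": None if m["dport"] == "any" else int(m["dport"]),
        "msg": m["msg"],
        "content": m["content"].encode(),
    }


def signature_alerts(pkt: Packet, rules: list) -> list:
    """Signature approach: alert when a known content string appears in the payload."""
    hits = []
    for r in rules:
        if r["proto"] != pkt.proto:
            continue
        if r["dport"] is not None and r["dport"] != pkt.dst_port:
            continue
        if r["content"] in pkt.payload:
            hits.append(r["msg"])
    return hits


def behavior_alerts(pkt: Packet) -> list:
    """Behavioural approach: alert on structure that should not occur, whatever the bytes."""
    alerts = []
    # A bare SYN opens a handshake and (absent TCP Fast Open, assumed off) carries no data.
    if pkt.proto == "tcp" and pkt.flags == "S" and pkt.payload:
        alerts.append("data on TCP SYN")
    # An HTTP request is text; a payload that is mostly non-text is out of place on port 80.
    if pkt.proto == "tcp" and pkt.dst_port == 80 and pkt.payload:
        printable = sum(1 for b in pkt.payload if 32 <= b < 127 or b in b"\r\n\t")
        if printable / len(pkt.payload) < 0.8:
            alerts.append("non-text bytes in HTTP request")
    return alerts


def inspect(pkt: Packet, rules: list) -> dict:
    """Run both detectors so the two verdicts can be compared for one packet."""
    return {"signature": signature_alerts(pkt, rules), "behavior": behavior_alerts(pkt)}


# One constructed rule for a probe string "seen elsewhere"; the path is made up.
RULES = [parse_rule(
    'alert tcp any any -> any 80 (msg:"known probe string"; '
    'content:"/cgi-bin/probe"; sid:1000001; rev:1;)'
)]

# Constructed sample packets: a known probe, a never-seen request on a SYN, and binary junk on 80.
PACKETS = [
    Packet("tcp", 80, "PA", b"GET /cgi-bin/probe HTTP/1.1\r\nHost: example\r\n\r\n"),
    Packet("tcp", 80, "S", b"GET /something-new HTTP/1.1\r\n"),
    Packet("tcp", 80, "PA", b"GET / HTTP/1.1\r\n\r\n" + bytes(range(256))),
]

if __name__ == "__main__":
    for p in PACKETS:
        print(p.flags, p.payload[:24], inspect(p, RULES))
```

The first packet is caught only because its content string is already in the rule set; the second carries a request no rule knows about and is caught only by the SYN check, which is the point of the trade-off described above: a signature needs the intrusion to have happened somewhere first, a behavioural check does not, but it must be tuned so that legitimate traffic (here, Fast Open or binary uploads over HTTP) does not trip it.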
The industry is leery of a fixation with standards and regulations. “Standards take a long time to determine, and usually the threats don’t wait for the standards to get fleshed out. About the time you decide on a standard, the threat has changed or morphed and the standard could potentially be irrelevant,” Conway said.
As for McConnell, the industry and DHS are taking him seriously. “I think his point — the anecdote he talked about, 9/11 — there was a huge loss of life, which is horrible, but for lasting economic damage, if they had taken out the financial sector, you could argue that that would have been even harder to recover from,” Conway said.
Brown said he is not frustrated with McConnell’s criticism. “We are all inside and outside government working very hard in this mission space. I think there’s a lot of things that have been done. There are a lot of things that are underway. But I don’t think anybody will tell you that we have discovered the silver bullet or can rest on our laurels.”