Feds Change Cybersecurity Strategy — Again

Yesterday the Office of Management and Budget (OMB)announced that it will no longer pursue the Trusted Internet Connect (TIC) initiative first announced in November 2007. TIC was considered one of the cybersecurity efforts making up the Comprehensive National Cybersecurity Initiative (CNCI) which was born out of National Security Presidential Directive (NSPD) 54 and Homeland Security Presidential Directive (HSPD) 23 in January 2008.Unless you are somewhere between Foggy Bottom and Independence Ave. SE you are probably confused by all of these acronyms so allow me to explain. Back in 2007 there were thousands of Internet connections across the Federal government. This was viewed as a tremendous problem since each connection was a potential ingress point for malicious code and hacker attacks. TIC proposed a simple solution to the problem — decrease the number of Internet connections to as few as possible and then secure the heck out of the remaining connections. I believe the ultimate goals was to reduce the thousands of Internet connections to something like 50. Throughout 2008 and 2009 the Feds boasted about the tremendous progress they were making.Okay now fast forward to yesterday. OMB throws the TIC baby out with the bath water and announces that it will no longer reduce the number of Internet connections but rather improve security requirements at all Internet ingress/egress points. OMB goes on further to say that the number of Internet connections in 2010 was roughly the same as in 2007. Diane Gowen, SVP of Qwest Government Services summed this up as follows: “Despite the whole TIC Initiative, there are probably as many points of Internet connection as there used to be. The new administration is less concerned with the number, and more concerned about getting them protected.” Back in 2007, many security professionals (including me) thought that TIC was completely misguided because:1. It was never linked to network engineering or architecture. Those internet connections aren’t there by accident. Yes, it is smart to minimize the number but reducing thousands to 50 would have to mean a “rip and replace” of the whole Federal network.2. It ignores network evolution. Data center consolidation, web-based apps, and cloud computing demands network flexibility and Internet connectivity. Reducing the number of Internet connections could be counter-productive here.3. It wouldn’t work. Did OMB really think that DOD, NSA, or homeland security would go along with this? My guess is that these agencies thumbed their noses and other civilian agencies followed.The crime here is that it took 3 years and tens, if not hundreds, of millions of taxpayer dollars to ramp up TIC — and then totally reverse course. Someone should be held accountable.I predict that the next shoe to drop will be some type of pull-back from the Einstein Project — a DHS/US Cert/Carnegie Mellon science project that could have easily been built with commercially available software from ArcSight, NetWitness, Nitro Security, Q1 Labs, RSA or dozens of others. I’m sure President Obama’s Cybersecurity Coordinator, Howard Schmidt, is rolling his eyes at these recent events and the demise of TIC. Let’s hope he introduces some pragmatism into high priced Federal cybersecurity plans before we waste another few hundred million.