And Since We’ve Been Talking about Contracting, Secrecy, and Spying…

…In our discussion of Tim Shorrock’s Spies for Hire, it seems appropriate to post on the Senate Armed Services Committee’s report on the Cyber-Security Initiative.

As you’ll recall, the Bush Administration has been struggling for their entire term to address the fact that our cyber-infrastructure is woefully exposed to cyber-attacks. After a series of cyber-czars who either wouldn’t or couldn’t address this problem, back in January the Administration began to make some progress–not least, by taking the project out of Michael Chertoff’s hands. The SASC’s report notes that the Administration has made some progress, though it has three substantive complaints.

The committee applauds the administration for developing a serious, major initiative to begin to close the vulnerabilities in the government’s information networks and the nation’s critical infrastructure. The committee believes that the administration’s actions provide a foundation on which the next president can build.

However, the committee has multiple, significant issues with the administration’s specific proposals and with the overall approach to gaining congressional support for the initiative.

First, the SASC objects to the way the Administration has shielded what is supposed to be at least partly a deterrent program in so much secrecy that the program has lost its deterrence ability.

A chief concern is that virtually everything about the initiative is highly classified, and most of the information that is not classified is categorized as ‘For Official Use Only.’ These restrictions preclude public education, awareness, and debate about the policy and legal issues, real or imagined, that the initiative poses in the areas of privacy and civil liberties. Without such debate and awareness in such important and sensitive areas, it is likely that the initiative will make slow or modest progress. The committee strongly urges the administration to reconsider the necessity and wisdom of the blanket, indiscriminate classification levels established for the initiative.

The administration itself is starting a serious effort as part of the initiative to develop an information warfare deterrence strategy and declaratory doctrine, much as the superpowers did during the Cold War for nuclear conflict. It is difficult to conceive how the United States could promulgate a meaningful deterrence doctrine if every aspect of our capabilities and operational concepts is classified. In the era of superpower nuclear competition, while neither side disclosed weapons designs, everyone understood the effects of nuclear weapons, how they would be delivered, and the circumstances under which they would be used. Indeed, deterrence was not possible without letting friends and adversaries alike know what capabilities we possessed and the price that adversaries would pay in a real conflict. Some analogous level of disclosure is necessary in the cyber domain.

Not only can’t citizens debate aspects of the program with so much secrecy, but we also can’t tell the Chinese hackers who would like to shut our systems down what will happen if they try to do so. (Hmm, I wonder if the worry is that the Chinese hackers wouldn’t be too concerned?) For more on this complaint, see Steven Aftergood.

To add to the concerns that secrecy prevents any meaningful debate, SASC notes, the initiative is moving far ahead of standard requirements for acquisitions: the Administration is trying to get Congress to pay for stuff that just isn’t ready yet.

The committee also shares the view of the Senate Select Committee on Intelligence that major elements of the cyber initiative request should be scaled back because policy and legal reviews are not complete, and because the technology is not mature. Indeed, the administration is asking for substantial funds under the cyber initiative for fielding capabilities based on ongoing programs that remain in the prototype, or concept development, phase of the acquisition process. These elements of the cyber initiative, in other words, could not gain approval within the executive branch if held to standards enforced on normal acquisition programs. The committee’s view is that disciplined acquisition processes and practices must be applied to the government-wide cyber initiative as much as to the ongoing development programs upon which the initiative is based.

Hmm. The Committee seems right to be worried that the Administration wants us taxpayers to pay for "concepts" in secret.

And then, there’s the issue that Ryan Singel hits on–the Administration is trying to get us to pay for stuff, in the name of Cyber-Security, that is really just more spying.

The committee also concludes that some major elements of the cyber initiative are not solely or even primarily intended to support the cyber security mission. Instead, it would be more accurate to say that some of the projects support foreign intelligence collection and analysis generally rather than the cyber security mission particularly. If these elements were properly defined, the President’s cyber security initiative would be seen as substantially more modest than it now appears. That is not to say that the proposed projects are not worthwhile, but rather that what will be achieved for the more than $17.0 billion planned by the administration to secure the government’s networks is less than what might be expected.

The Administration is waving a $17 billion price tag around, which won’t get us the Cyber-Security the project is supposed to deliver, but will get us a bunch of other spying programs that really aren’t about Cyber-Security. No word, then, on what the real price tag would end up being to actually implement a Cyber-Security program that, you know, is something more than a concept. $17 billion is an awful lot for a concept with some more spying added in just for kicks.

Finally, the SASC attaches a laundry list of other major problems with the program–which basically make it sound like this isn’t a "program" yet at all.

Finally, the committee concludes that, for all its ambitions, the cyber initiative sidesteps some of the most important issues that must be addressed to develop the means to defend the country. These tough issues include the establishment of clear command chains, definition of roles and missions for the various agencies and departments, and engagement of the private sector.

Though, given the discussion we had earlier today, it sure seems like the Intelligence Community really hasn’t yet figured out the chain of command, defined the roles and missions, and figured out how to integrate the private sector effectively anyway.

All in all, this report looks like the kind of report you’d get from a very positive elementary school teacher. "Very nice try, Johnny. It’s so nice to see you trying to finish the homework you’ve been working on for eight years. Now let’s talk about the bare minimum you’re going to need to do in order to actually complete this homework. And no, you can’t have $17 billion dollars for what thus far is still C minus work."

15 replies
  1. MadDog says:

    I read Ryan’s report earlier and was gonna throw up an OT Comment, but I got sidetracked on Ryan’s other hot news of “Senators Ask FBI to Explain Flawed ‘National Security Letter’ to Internet Archive”.

    In any event, this passage from the SASC report seems to be missing something. I wonder what it could be?

    Finally, the committee concludes that, for all its ambitions, the cyber initiative sidesteps some of the most important issues that must be addressed to develop the means to defend the country. These tough issues include the establishment of clear command chains, definition of roles and missions for the various agencies and departments, and engagement of the private sector.

    I wonder why the SASC left out “protecting the Constitutional rights of the US Citizen”?

    Oh, I forgot. That’s somebody else’s job. Can anyone remind me just who that might be?

  2. bmaz says:

    Aviso! Thread buster alert! Just received from Congressman Robert Wexler:

    Last night, I appeared on MSNBC’s Verdict with Dan Abrams to discuss Karl Rove’s outrageous refusal to appear before Congress regarding serious allegations that he used the US Justice Department to take down a prominent Democratic politician. It is alleged that Mr. Rove personally instigated the prosecution of former Alabama Governor Don Siegelman. The case has been criticized by legal experts, and 52 former state attorney generals – both Republicans and Democrats – have criticized the case and called for an investigation. (You may view the clip here.)

    If Rove refuses to testify voluntarily and ignores the subpoenas that will certainly be issued, he should be held in Inherent Contempt of the House of Representatives.

    No American is above the law. None of us should be able to ignore Congress without consequence. If Mr. Rove ignores a subpoena from the Judiciary Committee, then the House of Representatives should pass an Inherent Contempt citation and exercise our right to send the House Sergeant-of-Arms to gather Mr. Rove and bring him before Congress to testify.

    I do not advocate this option lightly, but the reality is that Congress has few options left against an Administration that totally refuses to submit to any type of reasonable Congressional oversight. Congress has both the right and obligation to investigate these matters. Never before has an Executive so upset the checks and balances inherent in our Constitution. If we back off or delay, we effectively forfeit the power of Congress to investigate the Executive branch.

    Rove is not the first White House official to ignore Congress. We have seen a pattern of refusals based on laughable claims of executive privilege. First, White House Chief of Staff Joshua Bolten and former White House Counsel Harriet Miers ignored subpoenas on the investigation into the firing of US Attorney Generals for partisan political motives.

    Their refusal to testify was unprecedented: never before have executive officials totally refused to even show up before Congress. Bolten and Miers are the highest officials ever held in contempt of Congress. Unfortunately, Attorney General Mukasey – in a dereliction of duty – has refused to enforce the contempt decree and now Congress is suing them in District Court to demand compliance. Then, the Vice President’s Chief of Staff, David Addington, refused to testify on the investigation into the Bush Administration’s ordering of torture. Now, Rove continues this executive arrogance by also refusing to testify.

    Enough is enough. We have a Constitutional obligation to provide accountability to a White House that is trying to usurp the constitutional powers of Congress.

    These are the very reasons why I have been pushing for impeachment hearings for Vice President Cheney. The Bush Administration has been running roughshod over the Constitution for eight long years. We should not allow the promise of a positive election be used as an excuse to ignore our duty to investigate crimes that weaken the very fabric of our Democracy.

    I thank you again for your commitment to the causes that we hold so dear.

    With warm regards,

    Congressman Robert Wexler

    This may well be just a bright fund raising bent Wexler has been on, but I’ll take this attitude any way I can get it. More of this please.

  3. Professor Foland says:

    It’s a number I’ve never seen, but someone here might know: how much did it cost to develop TCP/IP, NSFNET, the major backbones, etc for the internet? I’d be surprised if, at the infrastructure level, it originally cost anything close to $17BB.

    $17BB is, as near as I can tell, enough to pay the entire Google payroll for two years. You ought to be able to get a lot further than a collection of prototypes for that.

    • readerOfTeaLeaves says:

      That’s a great question; I don’t know that I’ve ever seen a total, probably because it was so ‘bottom up’ and dispersed that no one could easily track or quantify it. A lot of people who put the pieces together were making student wages, or were working on NSF grants or academic salaries.

      Even tossing in Bell Labs salaries, the total sum in 1960s, 1970s, 1980s, and early 1990s dollars wouldn’t come close to $17 Billion.

      • MadDog says:

        Even tossing in Bell Labs salaries, the total sum in 1960s, 1970s, 1980s, and early 1990s dollars wouldn’t come close to $17 Billion.

        Minor correction, but the primary corporation involved in the development of the Internet was not Bell Labs, but BBN (Bolt, Beranek and Newman).

        Bell Labs only created Unix, the “C” programming language and sundry other worthless things. *g*

  4. earlofhuntingdon says:

    Though, given the discussion we had earlier today, it sure seems like the Intelligence Community really hasn’t yet figured out the chain of command, defined the roles and missions, and figured out how to integrate the private sector effectively anyway.

    One suspects that the administration is waiting for its private contractors to define those things, a “cost plus” price tag, with them providing all the “plus”, as they assume the role that K Street lobbyists had under Gingrich and DeLay.

    If unregulated by Congress and invisible to the citizenry, such programs would be the engines for laying siege to representative democracy. Asking taxpayers to fund programs like this is asking them to pay not for the ships or the goods on them, but the rats that brought their fleas and Yersinia pestis.

  5. earlofhuntingdon says:

    From Ryan Singel’s article, this stands out:

    But according to the Armed Services Committee’s analysis, there’s a lot of spying being proposed under the guise of e-security.

    That confirms THREAT LEVEL’s suspicions that the highly classified proposal could have far-ranging implications for the internet generally, especially as the government contemplates becoming the firewall for all Americans on the net.

    (emph. added)
    http://blog.wired.com/27bstrok…..ort-g.html

    Guess we’d better stop yelling at the Chinese government (they own too much of our debt, anyway) and the American companies that comply with its requests for information so that it can spy on and intimidate its citizens, eh?

  6. readerOfTeaLeaves says:

    This may be the first time in memory that it’s seemed as if the Senate and some of their staff are actually earning their paychecks.

    Indeed, the administration is asking for substantial funds under the cyber initiative… based on … prototype, or concept development, phase of the acquisition process. … The committee’s view is that disciplined acquisition processes and practices must be applied to the government-wide cyber initiative as much as to the ongoing development programs upon which the initiative is based.

    SSCI to WH: Got a prototype?
    **** WH: No, but we think it’ll cost X amount… we’ll get back to you in the indefinite future.
    SSCI to WH: Got a timeline?
    **** WH: No, trust us.
    SSCI to WH: Got specs?
    **** WH: We can’t show you; they’re classified.
    SSCI to WH: What standards do you plan to meet?
    **** WH: That’s classified; we can’t tell you.
    SSCI to WH: How do you plan to test for usability?
    **** WH: Usability…? You’ll never use it anyway, it’s going to be classified.

    I take it that this is the WH Gravy Train for GOPers, Blackwater, Mafiosa, and MoneyLaunderers version of Cyber-Security?

    Duly noted.

  7. strider7 says:

    Does anybody care to speculate on the FISA/immunity aspect after these revelations from Spies for Hire? I mean this puts the whole FISA argument in a different light.

  8. MadDog says:

    Would that be the secret annex located in Deadeye’s secret bunker which is the secret headquarters of the 21st Century’s Maginot Line that is this Cyber Security Initiative?

  9. readerOfTeaLeaves says:

    *g*
    My historical perspective of the Toobz is astigmatic, I fear 8-0
    Appreciate the correction

  10. PetePierce says:

    But But Mrs. Woman of Steel (John Edwards’ term yesterday) Mrs. Ready for the 3AM call is on the Senate Armed Services Committee.

    How can it not be cutting edge on top of things?
