Enterprise Strategy Group | Getting to the bigger truth.TM

Feds Change Cybersecurity Strategy — Again

Yesterday the Office of Management and Budget (OMB) announced that it will no longer pursue the Trusted Internet Connect (TIC) initiative first announced in November 2007. TIC was considered one of the cybersecurity efforts making up the Comprehensive National Cybersecurity Initiative (CNCI) which was born out of National Security Presidential Directive (NSPD) 54 and Homeland Security Presidential Directive (HSPD) 23 in January 2008.

Unless you are somewhere between Foggy Bottom and Independence Ave. SE you are probably confused by all of these acronyms so allow me to explain.

Back in 2007 there were thousands of Internet connections across the Federal government. This was viewed as a tremendous problem since each connection was a potential ingress point for malicious code and hacker attacks. TIC proposed a simple solution to the problem — decrease the number of Internet connections to as few as possible and then secure the heck out of the remaining connections.

I believe the ultimate goal was to reduce the thousands of Internet connections to something like 50. Throughout 2008 and 2009 the Feds boasted about the tremendous progress they were making.

Okay now fast forward to yesterday. OMB throws the TIC baby out with the bath water and announces that it will no longer reduce the number of Internet connections but rather improve security requirements at all Internet ingress/egress points. OMB goes on further to say that the number of Internet connections in 2010 was roughly the same as in 2007. Diane Gowen, SVP of Qwest Government Services summed this up as follows: “Despite the whole TIC Initiative, there are probably as many points of Internet connection as there used to be. The new administration is less concerned with the number, and more concerned about getting them protected.”

Back in 2007, many security professionals (including me) thought that TIC was completely misguided because:

  1. It was never linked to network engineering or architecture. Those internet connections aren’t there by accident. Yes, it is smart to minimize the number but reducing thousands to 50 would have to mean a “rip and replace” of the whole Federal network.
  2. It ignores network evolution. Data center consolidation, web-based apps, and cloud computing demands network flexibility and Internet connectivity. Reducing the number of Internet connections could be counter-productive here.
  3. It wouldn’t work. Did OMB really think that DOD, NSA, or homeland security would go along with this? My guess is that these agencies thumbed their noses and other civilian agencies followed.

The crime here is that it took 3 years and tens, if not hundreds, of millions of taxpayer dollars to ramp up TIC — and then totally reverse course. Someone should be held accountable.

I predict that the next shoe to drop will be some type of pull-back from the Einstein Project — a DHS/US Cert/Carnegie Mellon science project that could have easily been built with commercially available software from ArcSight, NetWitness, Nitro Security, Q1 Labs, RSA or dozens of others.

I’m sure President Obama’s Cybersecurity Coordinator, Howard Schmidt, is rolling his eyes at these recent events and the demise of TIC. Let’s hope he introduces some pragmatism into high priced Federal cybersecurity plans before we waste another few hundred million.

Related posts:

  1. Why Are There Still So Many Problems with The Federal Cybersecurity Effort?
  2. House Cybersecurity Bill Passes. What’s Next?
  3. National Cybersecurity Awareness Month: Wait until next year!
  4. Cybersecurity Coordinator Political Hot Potato
  5. National Cybersecurity Awareness Month: More Than a PR Event

Tags: CNCI, Comprehensive National Cybersecurity Initiative, , , , , OMB, , TIC, Trusted Internet Connect

All views and opinions expressed in ESG blog posts are intended to be those of the post's author and do not necessarily reflect the views of Enterprise Strategy Group, Inc., or its clients. ESG bloggers do not and will not engage in any form of paid-for blogging. Click to see our complete Disclosure Policy.

4 Responses to “Feds Change Cybersecurity Strategy — Again”

  1. Tim Clinton says:

    Sir –

    How could you have received “official” word of this cyber policy change from OMB on a day the fed govt was CLOSED due to winter storms in DC?

    Reply
  2. Eliot Ness says:

    Jon:

    Howard is “pragmatic” indeed.

    Even when he is consulting directly to an “insider threat.”

    http://www.PrintcafeSecuritiesFraud.com/#HowardSchmidt

    Beam me up!

    Reply
  3. Gene Cartier says:

    Hmmmm……have not been able find this policy reversal in writing anywhere. When was it announced and has the OMB M-08-27 been recinded? We are still getting asked for info from HHS HQ so not sure where the communications gap is.

    Reply
  4. Fed cyber follower says:

    You know you are way off base…..And you don’t source anything in our “article” You are the perfect example of what’s wrong with bloggers…

    The fact is DHS and OMB are still pursuing TIC and the Federal Trade Commission just awarded AT&T a $5 million contract to implement TIC services through the GSA Networx contract.

    Next time try checking your facts before writing an article…you know like a journalist would do.

    Reply

Add a comment

Search
© 2010 Enterprise Strategy Group, Milford, MA 01757 Main: Fax:

Switch to our mobile site