Disclaimer: The opinions of the columnists are their own and not necessarily those of their employer.
C. Warren Axelrod

Comprehensive National Cybersecurity Initiative (CNCI) … Why Doesn’t Anybody Listen or Learn?

Snippets about the “largely classified government-wide cybersecurity initiative” are increasingly surfacing in the press. This is the commonly used title of National Security Presidential Directive 54/Homeland Security Presidential Directive 23, which President Bush signed into law in January 2008 … see the August 1, 2008 article in NextGov at www.nextgov.com/nextgov/ng_20080801_9053.php

Specifics are hard to come by, since much of the directive is classified. However, the NextGov article reports that Steven Chabinsky, deputy director of the Joint Interagency Task Force, stated that the initiative, which some estimate will cost $30-40 billion over seven years, comprises eleven components in the following areas:

  • Intrusion detection
  • Intrusion prevention
  • Research and development
  • Situational awareness
  • Cyber counter intelligence
  • Classified network security
  • Cyber education and training
  • Implementation of information security technologies
  • Deterrence strategies
  • Global supply chain security
  • Public/private collaboration

When I read about the initiative and the areas that it will cover, one question comes to mind, namely “Where have we been for the past decade?” In May 1998, President Clinton issued Presidential Decision Directive 63 on Critical Infrastructure Protection. It mandated that, by May 2003, the nation’s critical infrastructure would be protected against all known threats and attacks, including cyber attacks. The CNCI appears to have a seven-year time frame. So a most distressing aspect of this revelation is that it appears that we have lost about a dozen years and will likely be spending many times what the original cost might have been ten years ago to achieve the same end.

The other aspect, which I find particularly galling, is that many of the issues to be addressed in the CNCI have been raised many times by many others, including me in my November 2001 testimony before Congress.

On the positive side, the ball has started rolling again. Let us hope and pray that the initiative is not delayed by even more years because of the transition to a new Administration, as happened the last time around. This initiative is too important to our national security for us to go through another not-invented-here delay as we saw happen eight years ago. The protection of our critical infrastructure and our secrets against cyber attacks must be a national priority and receive from the new Administration the attention that it deserves and must have. Those unaware of history are bound to repeat its mistakes. Now that you have been made aware, please don’t let it happen again.

One Comment

  1. Bill Sieglein Jan 13, 2009 at 8:28 am


    A few observations and thoughts. First, these unfunded mandates and PDDs don’t come to fruition largely because they are unfunded and because there is no agency given authority to enforce. While non-federally focused industry mandates such as PCI DSS have been somewhat successful – it’s due to the fact that enforcement occurs and people see penalties. Federal agencies are not motivated to comply with these PDDs because there is really no consequence of non-compliance.

    Secondly, while I am not a big Obama supporter, I do think he embraces technology and will be likely to move this forward. The downside is, in a bad economy, the focus will not likely be on these unfunded mandates.
