Sunday, July 05, 2015

Declassified 2008 directive: Hackers and insiders hit utilities on three continents

Posted: June 6, 2014

Utilities on at least three continents have been "penetrated or shut down" by hackers and insiders, according to a formerly classified 2008 presidential directive on cybersecurity that was obtained through the Freedom of Information Act and released today by privacy advocates.

The Electronic Privacy Information Center disclosed a redacted 16-page copy of National Security Presidential Directive 54, which former President George W. Bush used to set U.S. "policy, strategy, guidelines, and implementation actions to secure cyberspace" and to launch the Comprehensive National Cybersecurity Initiative.

A clear statement on successful major attacks against critical infrastructure worldwide – contained in a paragraph that had been classified secret and not releasable to foreign nationals – is striking and among the few interesting elements of the directive, Jason Healey of the Atlantic Council told Inside Cybersecurity.

"Hackers and insiders have penetrated or shut down utilities in countries on at least three continents," the directive states. "Some terrorist groups have established sophisticated online presences and may be developing cyber attacks against the United States."

Healey said the initial decision to classify much of the information in the document – including a definition of computer network exploitation – now appears inane. It also makes no sense, he said, that officials classified that definition while using the less restrictive label "for official use only" on a paragraph about developing offensive cyber capabilities.

Federal officials have in recent years repeatedly underscored the risk that cyber attacks pose to critical infrastructure. Gen. Martin Dempsey, chairman of the Joint Chiefs of Staff, recently voiced concerns at the Atlantic Council about the nation's lack of preparedness for a cyber attack, cited strategic shortcomings and assigned blame to Congress.

"There are some big issues involved with achieving that kind of coherence -- issues related to privacy and cost, information sharing and all of the liabilities that come in the absence of legislation to incentivize information sharing," Dempsey said.

A White House spokeswoman said that current U.S. cyber strategy is coherent. "Given that cyberspace permeates every aspect of the economy and national security, no single document can meaningfully capture our strategic direction. Instead, our efforts are informed by specific strategy and policy documents," she said. Earlier this year, the administration released a federal framework of cybersecurity standards as directed in President Obama's cybersecurity executive order.

The Obama administration is "working to close out the 2008 Comprehensive National Cybersecurity Initiative and transition ongoing programs to steady state management," the White House spokeswoman said, noting officials are "continuing to review existing policy and develop new policy as warranted."

There is a consensus among the president, the National Security Council staff and Dempsey that certain key powers and resources needed to realize federal cybersecurity goals -- including new statutory authorities -- can only be bestowed by Congress. Lawmakers acknowledge that time is running out for this Congress to enact comprehensive cybersecurity legislation. The leaders of the Senate Intelligence Committee are working to reach consensus on a bipartisan information-sharing bill for cybersecurity. -- Christopher J. Castelli

