/v3-uk/news/1965411/rsa-2010-us-declassifies-key-it-security-plans
02 Mar 2010, Iain Thomson, V3
The US government is opening up parts of its Comprehensive National Cybersecurity Initiative (CNCI) to public and commercial scrutiny for the first time.
White House internet security adviser Howard Schmidt used the RSA 2010 conference to announce the move, which he said was needed to encourage developers, companies and the public to get behind the CNCI.
The initiative was launched in 2008 by former president George Bush, but was kept tightly under wraps.
"Transparency and partnerships are concepts that have to go hand in hand," Schmidt told delegates.
"This is particularly important in the case of CNCI because there have been legitimate questions about the project. To connect cyber space we need to build partnerships with industry and academia, and more importantly the public needs to be involved."
The CNCI was designed to protect government systems and has a rumoured budget of $40bn (£26.7bn) over the next five years. Schmidt wants to open up the process so that companies can also benefit from the initiative's findings and add suggestions of their own.
There are 12 areas that the CNCI is working on, he said, including research and education as well as developing offensive and defensive technology. Certain parts of the CNCI, particularly those dealing with offensive software and strategy, remain classified for security reasons.
"What this shows most is that Howard has impact, that there's actually movement again on government IT security," Alan Paller, director of research at the SANS Institute, told V3.co.uk.
"It's not the only one you're going to see either. In the past there hasn't been anyone senior enough in the administration to push for better practice, and the government is falling back on cyber security."
Paller explained that, ever since the resignation of Karen Evans as Administrator of the Office of Electronic Government and Information Technology, government work on IT security had stalled.
Evans was unpopular with some in government for her stringent security standards and her practice of removing dangerous or obsolete computer systems from government to shore up IT security. She also insisted on applying the best corporate IT practices to government computing.