At a closed-door briefing last week, Homeland Security Secretary Michael Chertoff discussed his agency's plans to implement the Comprehensive National Cybersecurity Initiative with a small group of bloggers and journalists. Chertoff waxed enthusiastic about plans to develop rapid-response intrusion countermeasures and the need to change the way we think about identity verification—but also seemed at pains to allay fears that DHS would take a Big Brother approach to securing the Internet.

Alarm bells sounded for many earlier this year when Director of National Intelligence Mike McConnell told The New Yorker that the government would require broad powers to monitor all Internet traffic in order to secure the nation's critical information infrastructure. But Chertoff outlined a far more modest agenda, saying that his agency's primary goal would be to "get control of the dot-gov domain," and insisting that government involvement in securing private networks would be strictly by invitation.

DHS head Michael Chertoff speaks to the press

"The architecture of the Internet and the culture of the Internet is one where I'd be very careful before I suggested the government ought to... intrude in a bigger way," said Chertoff. "We have a history in this country of everybody says let’s do a lot, pass a lot of laws... and then everybody repents at leisure. The Internet, maybe more than any other place, has a distinctive culture that you don’t want to break in order to protect. So, my suggestion has been we proceed in a voluntary way and we proceed in a 21st century kind of collaborative way."

As evidence of that approach, Chertoff cited the appointment of cybersecurity czar Rod Beckstrom, a tech entrepreneur who the secretary described as "attuned to a different culture of operating with the private sector than the command-and-control culture of the 20th century."

So what will DHS be doing with over $300 billion—more than the Department had requested—allocated to cybersecurity? While a "big piece" of that funding is classified, Chertoff said that much of it would go toward upgrading the government's Einstein intrusion detection software. Homeland Security, the secretary said, is looking to hire "over 100 people in the pipeline that we're trying to bring on, that's programmers and people who can actually operate Einstein."

For the moment, that means upgrading from Einstein 1.0, an after-the-fact intrusion analysis engine, to Einstein 2.0, which would provide real-time warnings of penetration attempts, "like a traffic cop sitting on the highway" who "can immediately call in and say someone with license plate X-Y-Z is speeding, and give warning."

The next step—Einstein 3.0—entails "turning it from a passive detection to an active detection device, active meaning that we would have the ability to actually stop an attack as opposed to merely warn about an attack." The next iteration of the software, Chertoff hopes, will be able to automatically detect a hacking attempt and block it on the spot.

DHS also hopes to give the traffic cop fewer highways to monitor. "Every 45 days," said Chertoff, "we are reducing by half and consolidating the number of Internet connections" used by government computers. Starting from thousands of gateways to the Internet, Chertoff hopes to get .gov down to "a hundred or two."

When it came to the security risk posed by the government's own penchant for compiling vast databases, Chertoff offered some obvious steps that could be taken to protect sensitive personal data. He suggested that agencies might "house it in different databases and be able to pulse the databases to get a validation up/down, which is sometimes called the ping system, as opposed to having it all pulled together in a database."

But he also argued that a broader shift in American security practices was required to make those data hoards less attractive to thieves. "We need to change from a model in which your assets are controlled by your, for example, your Social Security number, which is a very weak way to control your assets, to a way in which your assets are controlled by some combination of a biometric, a token, and maybe some secret knowledge that isn't kept in a database," said Chertoff. "You want to move away from a model which I consider inherently vulnerable, where the very information that you’re trying to protect is the information you have to disseminate in order to validate yourself."
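One way to build the "up/down" validation model Chertoff describes, as an added example in Python that is not from the article or from DHS: the service keeps only a salted hash of the knowledge factor plus a per-user HOTP token seed (RFC 4226), answers every identity claim with nothing but true or false, and never hands back the record it checked against. The user ids, secrets and seeds are constructed sample values; the biometric factor is left out.

```python
"""Hypothetical two-factor 'ping' validator: stores a verifier, not the secret."""
import hashlib
import hmac
import os
import struct

# Constructed in-memory store (stands in for the "different databases").
# Only a PBKDF2 digest of the secret knowledge is kept; the HOTP seed is the
# token factor and would live behind its own access controls in practice.
_STORE = {}
_ROUNDS = 200_000


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def enroll(user_id: str, secret_knowledge: str, token_seed: bytes) -> None:
    """Record a verifier for the knowledge factor and the token seed."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret_knowledge.encode(), salt, _ROUNDS)
    _STORE[user_id] = {"salt": salt, "digest": digest, "seed": token_seed, "counter": 0}


def validate(user_id: str, secret_knowledge: str, otp: str) -> bool:
    """Answer up/down only. Each OTP is accepted once (counter moves forward)."""
    rec = _STORE.get(user_id)
    if rec is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", secret_knowledge.encode(), rec["salt"], _ROUNDS)
    knowledge_ok = hmac.compare_digest(digest, rec["digest"])
    # Look ahead a few counter values so a skipped token press does not lock the user out.
    matched = next((c for c in range(rec["counter"], rec["counter"] + 3)
                    if hmac.compare_digest(hotp(rec["seed"], c), otp)), None)
    if not (knowledge_ok and matched is not None):
        return False
    rec["counter"] = matched + 1  # consume the code so it cannot be replayed
    return True


def dump_exposes(secret_knowledge: str) -> bool:
    """True if a raw dump of the store would contain the knowledge factor itself."""
    needle = secret_knowledge.encode()
    return any(isinstance(v, bytes) and needle in v
               for rec in _STORE.values() for v in rec.values())
```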

Reporters and bloggers who met with Chertoff were required to submit their own Social Security Numbers for a background check. No DNA sample was extracted, however.