WASHINGTON, DC – Today, President Barack Obama named Vivek Kundra the Federal Chief Information Officer (CIO) at the White House.

The Federal Chief Information Officer directs the policy and strategic planning of federal information technology investments and is responsible for oversight of federal technology spending. The Federal CIO establishes and oversees enterprise architecture to ensure system interoperability and information sharing and ensure information security and privacy across the federal government. The CIO will also work closely with the Chief Technology Officer to advance the President’s technology agenda.

President Obama said, “Vivek Kundra will bring a depth of experience in the technology arena and a commitment to lowering the cost of government operations to this position. I have directed him to work to ensure that we are using the spirit of American innovation and the power of technology to improve performance and lower the cost of government operations. As Chief Information Officer, he will play a key role in making sure our government is running in the most secure, open, and efficient way possible.”

The following announcement was made today:

Vivek Kundra, Federal Chief Information Officer
Vivek Kundra formerly served in Mayor Fenty’s cabinet as the Chief Technology Officer (CTO) for the District of Columbia, responsible for technology operations and strategy for 86 agencies. He has been recognized among the top 25 CTO’s in the country and as the 2008 IT Executive of the Year for his pioneering work to drive transparency, engage citizens and lower the cost of government operations. Kundra is also recognized for his leadership in public safety communications, cyber security and IT portfolio management. Before Kundra came to the District, Governor Timothy M. Kaine appointed him Assistant Secretary of Commerce and Technology for the Commonwealth of Virginia, the first dual cabinet role in the state’s history. Kundra’s diverse record also includes technology and public policy experience in private industry and academia. He is a graduate of the University of Virginia’s Sorensen Institute for Political Leadership and holds a MS in Information Technology from the University of Maryland.

• Section 4 – Regulate for Cybersecurity
  

——————————————————————————————————————————————
CSWW is not affiliated with CSIS or the commission that produced this report. The use of “we,” “our,” “us,” etc., throughout the highlights of this report refers to the members of the CSIS Commission and not to CSWW.
——————————————————————————————————————————————

The Highlights:

4
Regulate for Cybersecurity

Recommendations

• The president should task the NOC to work with appropriate regulatory agencies to develop and issue standards and guidance for securing critical cyber infrastructure, which those agencies would then apply in their own regulations.

• The NOC should work with the appropriate regulatory agencies and with the National Institute of Standards and Technology (NIST) to develop regulations for industrial control systems (ICS). The government could reinforce regulation by making the development of secure control systems an element of any economic stimulus package…
• The NOC should immediately determine the extent to which government-owned critical infrastructures are secure from cyber attack…
• The president should direct the NOC and the federal Chief Information Officers Council, working with industry, to develop and implement security guidelines for the procurement of IT products (with software as the first priority).
• The president should task the National Security Agency (NSA) and NIST, working with international partners, to reform the National Information Assurance Partnership (NIAP).
• The president should take steps to increase the use of secure Internet protocols. The president should direct OMB and the NOC to develop mandatory requirements for agencies to contract only with telecommunications carriers that use secure Internet protocols.

It is undeniable that an appropriate level of cybersecurity cannot be achieved without regulation, as market forces alone will never provide the level of security necessary to achieve national security objectives. The reason for this is that those who participate in the marketplace are necessarily constrained by economic forces: they must make a product priced low enough to be successful, they must meet the demands of a wide range of customers (not just governments), and they must ensure profitability. In this environment, companies have little incentive to spend on national defense, as they cannot fully recover their costs.

The role of regulation in cybersecurity has been contested since the drafting in 2003 of the first National Strategy to Secure Cyberspace. That strategy stated that “federal regulation will not become a primary means of securing cyberspace” and that “the market will provide the major impetus.”

We believe it is time to change this. In no other area of national security do we depend on private, voluntary efforts. Companies have little incentive to spend on national defense as they bear all of the cost but do not reap all of the return. National defense is a public good. We should not expect companies, which must earn a profit to survive, to supply this public good in adequate amounts.

We believe that cyberspace cannot be secured without regulation. The intent of such regulation is to increase transparency and improve resiliency and reliability in the delivery of services critical to cyberspace. We propose four sets of regulations: (a) the development of shared standards and best practices for cybersecurity in the three critical cyber-infrastructure sectors (ICT, finance, and energy) to improve performance and increase transparency, (b) the creation of new regulations that apply to supervisory control and data acquisition (SCADA) and other ICSs, (c) changes to federal acquisitions rules to drive security in products and services, (d) mandatory authentication of identity using robust credentials for critical infrastructure sectors…

The next administration should revisit the issue of regulation for cybersecurity and make two significant changes. First, industry and government should identify the level of security that markets will naturally provide.

To get the right regulations, we focus on two key points: the objective of any regulation, and how it is developed. Consistent with national security needs, the intent of any regulatory regime should be to improve security, transparency, reliability, and resiliency. This important because some attacks can be prevented but some cannot, and, in the latter case, it is important that response and reconstitution of critical infrastructures happen quickly.

The U.S. response to the Y2K experience suggests what this new approach could look like, one where a cooperative relationship between government and the private sector would replace command and control. The Y2K had to elements: The first was a government effort to educate, to cooperate in developing responses, and to lead by example. The second was a government mandate, through Securities and Exchange Commission (SEC) regulations, for publicly traded companies to report on the steps they had taken to secure their networks and their operations from disruptions.

A new approach would combine the flexibility of the private sector in identifying best practices with the enforcement strength of the government in ensuring compliance. In this model, the existing regulatory agencies for telecommunications, finance, and energy would oversee a consultative process during which their industries would establish best practices for cybersecurity suited to their field. The agencies would embed these best practices in a regulatory and compliance framework and ensure that companies meet them. Government should set goals; industry should determine how best to accomplish these goals. Government should then ensure compliance.

The still developing relationship between North American Electric Reliability Corporation (NERC) and Federal Energy Regulatory Commission (FERC) demonstrates how this kind of regulation could work. Under the framework established by the Federal Power Act, the electric reliability organization (currently NERC) is responsible for proposing, for the review and approval of the FERC, reliability standards for the electric grid.

Regulation is not a panacea and, if improperly implemented, can actually make matters worse by creating a false sense of security and creating incentives for the wrong behaviors (FISMA, for example, as currently drafted, creates incentives for document reviews rather for improving network security). But we think the next administration should apply the reinforced NERC-FERC model to other sectors. Beginning with existing best practices and standards for cybersecurity, the government could apply a regulatory requirement to secure networks adequately and oversee compliance with those new requirements.

This is where the NOC can play an important role, one that no agency currently plays. Our belief is that the NOC should provide oversight and coordination among regulatory agencies when it comes to cybersecurity, and the NOC could call attention to situations where regulation was inadequate. It would work with the regulatory agencies to issue standards and guidance defining adequacy in cybersecurity. It could assess both the adequacy of cyber security regulations and their implementation. It would review cybersecurity regulations to increase transparency and harmonization among cyber regulations and regulatory agencies so that companies that work across sectors would not be subject to conflicting regulatory regimes. As part of this task, the NOC would assume the Clinger-Cohen authorities currently exercised by OMB for “standards, guidelines, and associated methods and techniques for computer systems.”

The NOC would not have the authority to direct an independent regulatory agency to change its regulations, but if it judged them inadequate (or if an agency refused to provide information), it could call the inadequacy to the attention of the president.

The presidential directive establishing the NOC should include a requirement for the appropriate regulatory agencies to report to the NOC and for the NOC to report to the president annually on the status and adequacy of agencies’ cyber regulations.

SCADA and Industrial Control Systems

One important and atypical area for cyberspace regulations involves industrial control systems (ICS), including supervisory control and data acquisition (SCADA) systems…

We believe that current efforts to secure these critical systems are unfocused and do not specifically target the unique aspects of ICS. The environment for ICS cybersecurity is similar to mainstream IT security 15 years ago—in a formative stage. Changing this will require many actions, including education, standards setting, and research. We believe that some regulation will be necessary.

Use Acquisitions to Increase Cybersecurity

We recommend that the federal government require that the use of IT products it buys be securely configured when they are delivered.

NSA found that inappropriate or incorrect security configurations (most often caused by configuration errors at the local base level) were responsible for 80 percent of Air Force vulnerabilities.

To solve this problem, government and industry must engage on developing preconfigured security features for the federal marketplace designed for user needs and capabilities.

Government can use its procurement process to require that providers of IT products and systems are accountable and to certify that they have adhered to security and configuration guidelines. A further objective would be to examine the usefulness of open standards for addressing IT security problems in ways that both public and private-sector organizations can implement.

One precedent for this recommendation is the Federal Desktop Core Configuration (FDCC), an element of the CNCI. The FDCC is an OMB mandate that requires all federal agencies to standardize the configuration of settings on operating systems and for applications that run on those systems. The FDCC is aimed at strengthening federal IT security by reducing opportunities for hackers to access and exploit government computer systems.

To oversee the development and implementation of the security guidelines, we recommend that the NOC and OMB use the Chief Information Officers Council to undertake the development of standard security guidelines, settings, or specifications and to coordinate incorporation of those guidelines, settings, and specifications into government-wide contracting strategies (Smart Buy, GSA schedule, and Federal Acquisition Regulation, for example).

Configuration requirements can be reinforced by reforming the current practice for assessing security in hardware and software using the NIAP—a joint effort of NIST and NSA.

Improving the NIAP process means moving from a post-facto review of documentation to processes that provide guidance and incentives to vendors to improve the security of their products in the design phase and in the methods for building secure IT systems from these products.

Acquire Secure Internet Services

While there is general agreement that more secure Internet protocols should be deployed, there has not been sufficient demand to lead Internet infrastructure providers to invest in them.

Federal acquisitions can remedy the lack of demand for secure protocols. Federal acquisitions can create incentives. The federal government is one of the largest purchasers of telecommunications services in the world. Federal acquisitions mandates could rapidly drive the market and provide benefits beyond the federal government. The United States can use this power as an incentive to move to a more secure Internet.

————————————————————————————————————————-

Coming soon…

The Highlighter: Securing Cyberspace for the 44th Presidency – Part VI

Section 5 – Identity Management for Cybersecurity

————————————————————————————————————————-

Read the full CSIS report
About The Highlighter
The Highlighter: Securing Cyberspace for the 44th Presidency – Part I
The Highlighter: Security Cyberspace for the 44th Presidency – Part II
The Highlighter: Securing Cyberspace for the 44th Presidency – Part III
The Highlighter: Securing Cyberspace for the 44th Presidency – Part V

John Brennan, Assistant to the President for Homeland Security and Counterterrorism, passed along this update about the ongoing review of our nation’s communications and information infrastructure.

In response to President Obama’s direction, the National Security Council and Homeland Security Council are presently conducting a 60-day review of the plans, programs, and activities underway throughout the government that address our communications and information infrastructure (i.e., cyberspace). The purpose of the review is to develop a strategic framework to ensure that our initiatives in this area are appropriately integrated, resourced and coordinated both within the Executive Branch and with Congress and the private sector.

Our nation’s security and economic prosperity depend on the security, stability, and integrity of communications and information infrastructure that are largely privately-owned and globally-operated. Safeguarding these important interests will require balanced decision making that integrates and harmonizes our national and economic security objectives with enduring respect for the rule of law. Guided by this principle, the review will build upon existing policies and structures to formulate a new vision for a national public-private partnership and an action plan to: enhance economic prosperity and facilitate market leadership for the U.S. information and communications industry; deter, prevent, detect, defend against, respond to, and remediate disruptions and damage to U.S. communications and information infrastructure; ensure U.S. capabilities to operate in cyberspace in support of national goals; and safeguard the privacy rights and civil liberties of our citizens.

The review will be completed by the end of April 2009. At that time, the review team will present its recommendations to the President regarding an optimal White House organizational construct to address issues related to U.S. and global information and communications infrastructure and capabilities. The recommendations also will include an action plan on identifying and prioritizing further work in this area.

• Strengthens the capabilities of the Nation’s intelligence agencies to furnish timely, accurate, and
insightful intelligence on the capabilities and intentions of foreign powers, including international
terrorist groups.
• Enhances Federal cybersecurity capabilities.
• Prioritizes resources to support a U.S. Government-wide counterterrorism action plan.
• Improves the sharing of terrorist-related information with Federal, State, local, tribal and foreign
partners.
• Increases collection capabilities and continues transforming intelligence analysis.

The National Intelligence Program (NIP) funds intelligence activities in several Departments and the Central Intelligence Agency (CIA). NIP’s budget is classified, so the 2010 Budget does not publicly disclose funding requests for intelligence activities. However, since NIP supports key elements of America’s national security,
this chapter highlights some NIP-funded activities without detailing funding information.

To protect America’s national security, the Intelligence Community (IC) provides effective intelligence collection, the analysis of that intelligence, and the production of finished intelligence products. IC is responsible for ensuring timely and effective dissemination of intelligence to those who need it, ranging from the President, to heads of Executive Departments, military forces, and law enforcement agencies. To meet this country’s national security challenges, IC is strengthening its components’ abilities to collect intelligence, increasing the security of Federal cyber networks, and protecting against the threat of international terrorism in the United States.

The 2010 budget for NIP will support the Administration’s national security objectives. The Director of National Intelligence, the Director of the CIA, and Department Secretaries with intelligence organizations will use 2010 NIP funds to defeat terrorist networks, prevent the spread of weapons of mass destruction, penetrate and
analyze the most difficult targets of U.S. foreign policy, and anticipate developments of strategic concern.

The Administration will request funding for IC for the remainder of 2009 and for 2010 to cover the costs of global intelligence operations. The details of the 2009 supplemental appropriations request will be provided to the Congress in the next few weeks while the detailed 2010 request will be transmitted with the President’s 2010
Budget request.

Increases funding for Cybersecurity. The threat to Federal information technology networks is real, serious, and growing. To address this threat, the President’s 2010 Budget includes substantial funding for cybersecurity efforts; such activities will take an integrated and holistic approach to address current cybersecurity threats, anticipate future threats, and continue innovative public-private partnerships. These
efforts encompass the homeland security, intelligence, law enforcement, military and diplomatic mission areas of the U.S. Government.

Implements Counterterrorism Plan. The National Counterterrorism Center (NCTC) has developed a U.S. Government-wide counterterrorism action plan. This plan lays out broad strategic objectives aligned with policy objectives to guide the overall implementation of this national strategy on counterterrorism. The Administration will work with NCTC, IC, and relevant Departments such as Defense, State, and Homeland Security to direct resources in support of counterterrorism implementation objectives.

Facilitates information Sharing. The President’s 2010 Budget will support initiatives to improve the sharing of intelligence, including terrorist-related information, with Federal, State, local, tribal and foreign partners. These efforts include advancing the National Suspicious Activity reporting Initiative; establishing agency-based, outcome-oriented performance targets for information sharing; and institutionalizing the use of
effective business practices.

Improves Collection and Analysis Capabilities. The 2010 Budget provides funding to improve mission performance by increasing intelligence collection capabilities and continuing to transform intelligence analysis in IC.

Despite the fact that many Americans distrust the National Security Agency for its role in the Bush Administration’s warrantless wiretapping program, the agency should be entrusted with securing the nation’s telecommunications networks and other cyber infrastructures, President Obama’s director of national intelligence told Congress on Wednesday.

Director of National Intelligence Admiral Dennis Blair told the House intelligence committee (.pdf) that the NSA, rather than the Department of Homeland Security which currently oversees cybersecurity, has the smarts and the skills to secure cyberspace.

“The National Security Agency has the greatest repository of cyber talent,” Blair said. “[T]here are some wizards out there at Fort Meade who can do stuff.”

Blair added that “because of the offensive mission that they have, they’re the ones who know best about what’s coming back at us and it’s defenses against those sorts of things that we need to be able to build into wider and wider circles.”

He acknowledged that the agency had a trust handicap to overcome due to its role in the Bush Administration’s secret domestic spying program, and therefore asked Congress to help convince the public that it’s the right agency for the task.

“I think there is a great deal of distrust of the National Security Agency and the intelligence community in general playing a role outside of the very narrowly circumscribed role because of some of the history of the FISA issue in years past. . . . So I would like the help of people like you who have studied this closely and served on commissions, the leadership of the committee and finding a way that the American people will have confidence in the supervision, in the oversight of the role of NSA so that it can help protect these wider bodies. So, to me, that’s one of the keys things that we have to work on here in the next few months.”

Blair is not without support for his view. Paul Kurtz, who led the cybersecurity group on Obama’s transition team and was part of Bush’s White House National Security Council, recently told Forbes that he supports the NSA taking a prominent role in cybersecurity.

Continue reading…

WASHINGTON (Reuters) – The budget proposed by President Barack Obama includes funding aimed at improving the security of U.S. private and public computer networks.

“The threat to federal information technology networks is real, serious and growing,” said an outline of the budget proposal for fiscal 2010 that begins October 1 and released by the Obama administration on Thursday.

The document called for $355 million in funding for the Department of Homeland Security to make private and public sector cyber infrastructure more resilient and secure.

The money would help support the operations of the National Cyber Security Division, as well as initiatives under the Comprehensive National Cybersecurity Initiative, according to the document.

In addition, the administration said it would put “substantial” funding for cybersecurity efforts into the national intelligence program, but gave no details since that funding is kept secret.

That money would be used for “an integrated and holistic approach to address current cybersecurity threats, anticipate future threats, and continue innovative public-private partnerships,” it said.

Continue…

America has to face up to the realities of cyberwarfare with tactical and strategic planning, Kurtz says

The intelligence community and the military have crucial roles to play in protecting cyber space, former presidential adviser Paul E. Kurtz said Wednesday, and a clear command and control structure is needed to ensure that our information infrastructure can survive and recover from major disruptions.

In his opening address at the Black Hat Federal security conference being held in Arlington, Va., Kurtz, who served on the National and Homeland Security councils under presidents Bill Clinton and George W. Bush, said the nation has been reluctant to consider the proper role of government in regulating and defending cyberspace. He said it is important that these decisions be made openly after public discussion rather than allowed to happen behind closed doors.

“To those who object to the militarization of cyberspace, I would say, it’s too late: We’re already there,” Kurtz said.

Kurtz, who recently served as cybersecurity adviser on President Barack Obama’s transition team, steered clear of discussing his advice to the new administration. But he praised the 60-day review of federal cybersecurity initiatives announced by the president on Feb. 9 and called Melissa Hathaway, the Bush administration official tapped to conduct it, “exceptionally capable.”

He said the United States should apply some of the lessons learned during the Cold War to cyber conflicts now simmering online. Cyber warfare is not as simple as the bipolar confrontation between the Western democracies and the Soviet bloc, Kurtz said. It is multilateral standoff involving multiple nations, shadowy organizations, and individual hackers and criminals.

“But I do think a number of concepts from the Cold War may apply, and one of these is deterrence,” he added.

A clear policy of deterrence by the United States and its allies helped to avoid the use of nuclear weapons. But no similar policy has been established for battles fought over networks. There is no definition of cyberwarfare, no policy on how and when cyber weapons should be deployed and used, and we do not have a clear idea of who our enemies are.

“We must begin by addressing the question of attribution,” Kurtz said. The ability to collect, share and analyze data in order to tailor responses to a threat is “the beginning of a deterrence policy.”

That ability will require the efforts of the intelligence community, in cooperation with law enforcement and the private sector, he said. Each of these sectors now collects large amounts of data, but the same inability to share and “connect the dots” that led to the 2001 terrorist attacks still plague our cybersecurity, he said.

Continue reading…

An Army lieutenant may be an expert at securing borders and warding off enemies in a war zone. But when it comes to making sure hackers cannot break into the military’s communications network, officers may feel pretty defenseless.

To get a better grasp on technological threats, military officers, agency heads and government contracting executives have found one of the Defense Department’s best-kept secrets: the National Defense University.

NDU is made up of four graduate-level colleges, including the National War College, the Industrial College of the Armed Forces, and the Joint Forces Staff College. But the largest college — the Information Resources Management College — has grown the fastest over the past few years because the skills it teaches are in such high demand.

Located on the District waterfront, at Fort Lesley J. McNair, the college trains mid-career workers, in the public and private sectors, how to leverage the newest consumer technologies as well as how to protect vital information. This expertise used to be reserved for an agency’s chief information officer. But as tools like thumb drives, Facebook, Twitter and voice over Internet Protocol phone services creep into offices and bases, secure digital networks are becoming essential for all employees.

“Web 2.0 and information assurance are such big deals these days, but they are in conflict,” said Robert Childs, senior director of the college. The courses are tailored for people responsible for safeguarding the networks at the National Security Administration and the Department of Homeland Security, for example. The Defense Department is the college’s primary source of funding.

Continue reading…

Dennis C. Blair became the nation’s third Director of National Intelligence on January 29, 2009.

Prior to retiring in 2002, Admiral Blair served as Commander in Chief, U.S. Pacific Command, the largest of the combatant commands. During his 34-year Navy career, Admiral Blair served on guided missile destroyers in both the Atlantic and Pacific fleets and commanded the Kitty Hawk Battle Group. Ashore, he served as Director of the Joint Staff and as the first Associate Director of Central Intelligence for Military Support at the CIA. He has also served in budget and policy positions on the National Security Council and several major Navy staffs.

From 2003 to 2006, Blair was President and CEO of the Institute for Defense Analyses — one of the nation’s foremost national security analysis centers. Most recently, he served as the John M. Shalikashvili Chair in National Security Studies at the National Bureau of Asian Research, and the Deputy Director of the Project on National Security Reform, an organization that analyzes the U.S. national security structure and develops recommendations to improve its effectiveness.

A 1968 graduate of the U.S. Naval Academy, Blair earned a master’s degree in History and Languages from Oxford University as a Rhodes Scholar, and served as a White House Fellow at the Department of Housing and Urban Development. He has been awarded four Defense Distinguished Service Medals and has received decorations from the governments of Japan, Thailand, the Republic of Korea and Australia.

WASHINGTON, Feb. 16, 2009 – (This is the third in a series on the intelligence community’s annual threat assessment.)

Russia’s perceived strengths and its policies, tensions in Eurasia, Caucasus and Central Asia, and instability in the Balkans all pose challenges to U.S. interests in Europe, the director of national intelligence said Feb. 12.

Dennis C. Blair, a retired Navy admiral, told the Senate Select Committee on Intelligence that Russia continues to rebuild its military and, as events in Georgia last year show, use those forces to impress on the world that the nation is still relevant.

“Russian challenges to US interests now spring more from Moscow’s perceived strengths than from the state weaknesses characteristic of the 1990s,” Blair said in prepared testimony.

“U.S. involvement in Iraq and Afghanistan and general anti-Americanism have created openings for Russia to build alternative arrangements to the US-led international political and economic institutional order,” he said.

Russia is attempting to increase its ability to influence events, he said, by “actively cultivating relations with regional powers, including China, Iran, and Venezuela.”

Blair said Russia’s energy policy is aimed at increasing the country’s importance on the European continent.

“Moscow also is trying to maintain control over energy supply and transportation networks to Europe to East Asia, and protect and further enhance its market share in Europe through new bilateral energy partnerships and organizing a gas cartel with other major exporters,” he said.

“Russia appears to believe the continued heavy dependence of European countries and former Soviet states on Russia’s state gas monopoly, Gazprom, provides Moscow with political and economic leverage,” he said.

The United States and Russia can continue to work some issues together, Blair said, but some issues – such as NATO enlargement, European Missile Defense and the breakaway Georgian provinces of Abkhasia and South Ossetia – will pose difficulties.

Russia’s relations with its neighbors – and once vassals – will always be strained to one extent or another. Armenia, Azerbaijan, Ukraine, Georgia, Belarus all have complicated relationships with Moscow, he said.

Ukraine will have a presidential election next winter, and pressure applied by Russia pressure and by the global financial crisis will work on the country, he said.

“Ukraine has moved toward democracy and Western integration despite numerous political tests since independence,” he said. Progress will be difficult because of weak political institutions and on-going conflicts with Russia over gas-pricing and contracts, he said, noting that the Ukrainian economy is weak, and this may affect stability in the nation.

The former Central Asia soviet socialist republics – Kazakhstan, Kyrgyzstan, Turkmenistan, Tajikistan and Uzbekistan – are ill-equipped to deal with growing Muslim extremism, he said.

“Energy helped make Kazakhstan a regional economic force, but any sustained decline in oil prices would affect revenues, could lead to societal discontent and will derail to momentum for domestic reforms,” he said.

The global financial crisis will affect Tajikistan and Kyrgyzstan the most, since over 40 percent of the gross domestic product of both countries comes from remittances, but all of the Central Asian countries – with their weak governments – will be affected, Blair said.

The Balkans are the greatest threat to stability within Europe, Blair said. Kosovo could be a flashpoint. The new country is effectively divided into a Serbian ethnic majority north and a Kosovar-Albanian south. Even as Serbia’s government in Belgrade seeks to align itself more closely with the European Union and NATO, it will not compromise on Kosovo.

There is also continued shakiness in Bosnia-Herzigovina and the future of the nation as a multi-ethnic state remains in doubt, Blair said, noting that inter-ethnic tensions may have increased in that country to “perhaps the highest level in years.”