The best-laid plan?

Experts debate whether the National Strategy to Secure Cyberspace is still relevant — if it ever was

Propped on the shelves of many government and industry information technology security offices is a dated, 76-page glossy document titled “The National Strategy to Secure Cyberspace,” perhaps the only tangible evidence that the Bush administration ever set out to spearhead a public/private cybersecurity strategy. Three years after the NSSC’s debut, a simple question lingers: Is federal cybersecurity leadership dead or alive?

Unlike the question, answers are not so simple. The NSSC’s relevance seems to be in the eye of the beholder. Many observers argue that the NSSC’s broad wording and distinctive policy flavor yield guidance that holds true today.

Others cite its general approach to cybersecurity policy as the NSSC’s major downfall. The document merely outlines objectives, such as the need to strengthen law enforcement’s role in combating cyberattacks and the importance of reducing commercial software vulnerabilities.

Critics add that the strategy was never more than a public relations move that was long ago forgotten and is now in need of replacement. Most call for action-oriented plans to batten down major security weaknesses and rally agencies, industry and the public around dire cybersecurity concerns.

But the Homeland Security Department has no intention of revisiting the document. “There are no plans to update the strategy,” said Andy Purdy, acting director of DHS’ National Cyber Security Division. “DHS continues to use the strategy as a guiding framework for its cybersecurity preparedness and response efforts. NCSD’s strategic plan addresses elements iterated in the strategy.”

Purdy also underscored the value of the strategy’s generalized wording. “The national strategy strikes the right balance between overarching priorities and specific implementation strategies,” he said.

Although the NSSC emerged from the Bush administration as high-level policy, the authors wanted to produce a document laden with specifics. Politically appointed officials killed those plans, said Marcus Sachs, one of the NSSC’s drafters. He was with SRI International at the time but is now director of DHS’ Cyber Security Research and Development Center, which SRI manages.

“When it was first drafted in 2002, it had a lot of detail in it, real teeth,” he said. “It included a lot of ‘thou shalts’ and ‘shalt nots,’ along with tons of regulations.”

However, industry feedback garnered through a series of town hall meetings led administration officials to back off from that strategy, Sachs said. They “felt it was too specific and that instead it should be general and not go too far into the weeds,” he said.

Specifics aside, Sachs said he thinks it is not the time to bury the NSSC. “The document is still very much alive and frequently referred to,” he said. “It is how NCSD was started. We began with the strategy, and this is still what everything is built on. It is an anchor point from which ideas begin.”

‘Living fossil’ needs implementation schedule
In contrast to Sachs, others argue that the NSSC is not a living document.

“It’s a living fossil, a survivor from a more primitive era,” said James Lewis, a senior fellow at the Center for Strategic and International Studies and director of its Technology and Public Policy Program. “It’s relevant as a historical document or as a doorstop, but not much else.”

Some say DHS needs to produce a companion implementation schedule to resurrect the strategy.

“I don’t think NSSC should be revised,” said Thom Rubel, research director for Government Insights, a research arm of IDC. “Rather, it should be used as a reference for creating a more specific framework that formalizes actionable objectives, goals and measures for many of the needs it identifies.”

Because the document lacks an implementation guide, the NSSC has missed its chance to rally industry around cybersecurity, said Dave Murphy, founder of the International Association of IT trainers and an IT professor at the University of Phoenix.

“It’s an opportunity lost,” Murphy said. “My biggest concern is that we do not have vibrant coordination.”

Murphy said he rarely hears industry executives discuss the document. “I make it required reading for my upper-division graduate students, and they are always surprised the government has published this document,” he said. “I see it as a broad-brush document for the security industry, but I cannot find one example in all of NSSC’s Priority III that has been implemented.”

Priority III calls for the creation of a National Cyberspace Security Awareness and Training Program.

Others claim the NSSC has fostered an industry awareness of the need to bolster cybersecurity. Specifically, it gave rise to Staysafeonline.org, a consumer site designed to raise the public’s attention to Internet security and safety issues.

“What’s neat about Staysafeonline.org is that it is a campaign that brings together public and private efforts and feeds them into one portal,” said Shannon Kellogg, RSA Security’s director of industry and government affairs. “It is a massive educational campaign.”

Many in the education sector recognize the NSSC as the impetus for efforts such as Staysafeonline.org and Educause — a nonprofit organization that champions IT security and other technology efforts in higher education, said Mark Bruhn, Indiana University’s associate vice president for telecommunications and executive director of the Research and Education Network Information Sharing and Analysis Center.

Yet after spurring such efforts into action, DHS has done little to follow up. “There is demonstrable progress in some NSSC areas, but most of it really isn’t coordinated by, or even with, DHS,” Bruhn said.

Benign neglect may be the best industry could have hoped for, said Paul Kocher, president and chief scientist of Cryptography Research, a security systems company. “Nothing much concrete has happened, which mostly means nothing harmful has been done,” he said. “So in that way, the plan could be considered a success.”

Details, details
Rather than expand the strategy, many experts would prefer a grass-roots effort to promote security in industry and government.

Federal and industry security officials are also hungry for action, said Khalid Kark, Forrester Research’s senior analyst for information security.

“I am a big believer in high-level strategy that can be adopted and implemented based on individual circumstances,” Kark said. “But the fact is that most information security departments are strapped for resources, and they don’t want a high-level strategy. Instead, they look for specific implementation strategies.”

Rubel said the NSSC’s impact on internal agency security measures has been the strategy’s most influential byproduct, mostly because the document influenced the implementation of the Federal Information Security Management Act, enacted in 2002 as part of the E-Government Act.

The “NSSC has likely helped the federal government improve its security, and FISMA has created a fairly effective assessment and monitoring tool,” Rubel said.

Many contend, however, that the NSSC’s success is not reaching beyond federal borders. The “NSSC does not address unique private-sector economic and privacy considerations and seems to undervalue contributions that the identified partners — private, state and local governments — can contribute to an effective national cybersecurity effort,” Rubel said.

Specifically, he pointed to a recent National Association of State Chief Information Officers report in which state CIOs clamored for a closer relationship with DHS.

In addition to strengthening relationships with all stakeholders, DHS needs to loosen its grip on funding that rightly belongs to NSSC-related efforts, said Jonathan Zittrain, Oxford University professor of Internet governance and regulation.

“The best thing we could do is increase funding for new security architectures,” he said. “Particularly there should be focus on the ones that draw upon distributed resources so as not to create any new gatekeepers that might start filtering code on a basis other than the danger it poses.”

McAdams is a freelance writer based in Vienna, Va.

At a glance: National Strategy to Secure CyberspaceIssued: February 2003.

Mission: “Engage and empower Americans to secure the portions of cyberspace that they own, operate, control or with which they interact.”

Eight major actions:

  • Establish public/private partnerships to respond to incidents.

  • Develop tactical and strategic analyses of attacks and provide vulnerability assessments.

  • Foster the private sector’s ability to generate a multi-angled view of the health of cyberspace.

  • Expand the Cyber Warning and Information Network to reflect the Homeland Security Department’s role in coordinating crisis response.

  • Improve the management of national incidents.

  • Coordinate voluntary national continuity and contingency plans.

  • Test federal systems’ cybersecurity continuity plans.

  • Improve public/private information sharing on attacks, threats and vulnerabilities.

Source: National Strategy to Secure Cyberspace
More product testing, vetting urged

Critics of the National Strategy to Secure Cyberspace (NSSC) want more specific, action-oriented guidance from the plan, and they also want the federal government to improve established certification programs to evaluate security vendors’ products.

“The security industry has a big problem in that some vendors advertise lofty claims around products that do nothing, while others advertise modestly but produce products that prove extremely effective,” said Paul Kocher, president and chief scientist at Cryptography Research.

Kocher called on the Homeland Security Department to create an organization that would be to security products what the Food and Drug Administration is to the pharmaceutical industry.

However, others who advocate an increased federal role in verifying the effectiveness of security products want DHS to tread lightly.

For instance, a move to broaden the National Information Assurance Program (NIAP) — an initiative designed to meet the testing needs of information technology products and consumers — could prove onerous for industry, said Shannon Kellogg, RSA Security’s director of industry and government affairs.

“In private conversations with industry and government officials, I have not heard a lot of people speak positively about NIAP,” Kellogg said. “The program can prove costly, and by the time a vendor goes through it, they are off to a new edition of an approved product.”

Common Criteria — an international effort to develop standard evaluation criteria for security products — garners high marks. “It provides a baseline to evaluate products,” said Marcus Sachs, director of DHS’ Cyber Security Research and Development Center.

Although Common Criteria and many other federal security product-testing efforts predate the NSSC, the strategy should expand the reach and elevate awareness of such programs, Sachs and others said.

More visible leadership needed

The Bush administration’s failure to appoint a top Homeland Security Department official to oversee important cybersecurity issues is hobbling the National Strategy to Secure Cyberspace’s effectiveness, some industry experts say.

“There is absolutely no high-level, vocal and visible champion for cybersecurity anywhere in the government,” said Mark Bruhn, Indiana University’s associate vice president for telecommunications and executive director of the Research and Education Network Information Sharing and Analysis Center.

That void starts at the top, said Marcus Sachs, director of DHS’ Cyber Security Research and Development Center. “The executive staff of the White House has two people in charge of cybersecurity,” Sachs said. “One of those people only deals with these issues part-time, and the other looks at cybersecurity from a military perspective.”

Most agree that Andy Purdy, acting director of DHS’ National Cyber Security Division, deserves credit for moving forward on several fronts. But the agency still needs a politically appointed official to underscore the importance of cyberthreats, Sachs said.

Purdy doesn’t agree with Sachs on the importance of cybersecurity to the Bush administration. “Cybersecurity is a priority issue for the president, his administration and DHS,” Purdy said.

Meanwhile, many observers continue to blame politics for rendering the strategy ineffective. “I think as long as there is politics involved in the implementation, there will be a lot of frustration and very little action,” said Khalid Kark, Forrester Research’s senior analyst for information security.

Counting the strategy’s successesAndy Purdy, acting director of the National Cyber Security Division at the Homeland Security Department, credits the National Strategy to Secure Cyberspace for playing a role in:

  • Launching the U.S. Computer Emergency Readiness Team, which analyzes and distributes cyberthreat information.

  • Forming the National Cyber Response Coordination Group, whose 13 member agencies coordinate public/private preparedness for response and recovery efforts.

  • Creating the Government Forum of Incident Response and Security Teams, 40 government response teams responsible for securing government information technology systems.

  • Advising on the development of the National Infrastructure Protection Plan by providing cybersecurity risk management guidance for all sectors.

  • Staging Cyber Storm, the first international cybersecurity drill run by the government. It drew the participation of 115 public, private and government organizations.

Who's Fed 100-worthy?

Nominations are now open for the 2015 Federal 100 awards. Get the details and submit your picks!

Featured

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above