The best-laid plan?
Experts debate whether the National Strategy to Secure Cyberspace is still relevant — if it ever was
- By Jennifer McAdams
- Jun 12, 2006
Propped on the shelves of many government and industry information technology security offices is a dated, 76-page glossy document titled “The National Strategy to Secure Cyberspace,” perhaps the only tangible evidence that the Bush administration ever set out to spearhead a public/private cybersecurity strategy. Three years after the NSSC’s debut, a simple question lingers: Is federal cybersecurity leadership dead or alive?
Unlike the question, answers are not so simple. The NSSC’s relevance seems to be in the eye of the beholder. Many observers argue that the NSSC’s broad wording and distinctive policy flavor yield guidance that holds true today.
Others cite its general approach to cybersecurity policy as the NSSC’s major downfall. The document merely outlines objectives, such as the need to strengthen law enforcement’s role in combating cyberattacks and the importance of reducing commercial software vulnerabilities.
Critics add that the strategy was never more than a public relations move that was long ago forgotten and is now in need of replacement. Most call for action-oriented plans to batten down major security weaknesses and rally agencies, industry and the public around dire cybersecurity concerns.
But the Homeland Security Department has no intention of revisiting the document. “There are no plans to update the strategy,” said Andy Purdy, acting director of DHS’ National Cyber Security Division. “DHS continues to use the strategy as a guiding framework for its cybersecurity preparedness and response efforts. NCSD’s strategic plan addresses elements iterated in the strategy.”
Purdy also underscored the value of the strategy’s generalized wording. “The national strategy strikes the right balance between overarching priorities and specific implementation strategies,” he said.
Although the NSSC emerged from the Bush administration as high-level policy, the authors wanted to produce a document laden with specifics. Politically appointed officials killed those plans, said Marcus Sachs, one of the NSSC’s drafters. He was with SRI International at the time but is now director of DHS’ Cyber Security Research and Development Center, which SRI manages.
“When it was first drafted in 2002, it had a lot of detail in it, real teeth,” he said. “It included a lot of ‘thou shalts’ and ‘shalt nots,’ along with tons of regulations.”
However, industry feedback garnered through a series of town hall meetings led administration officials to back off from that strategy, Sachs said. They “felt it was too specific and that instead it should be general and not go too far into the weeds,” he said.
Specifics aside, Sachs said he thinks it is not the time to bury the NSSC. “The document is still very much alive and frequently referred to,” he said. “It is how NCSD was started. We began with the strategy, and this is still what everything is built on. It is an anchor point from which ideas begin.”
‘Living fossil’ needs implementation schedule
In contrast to Sachs, others argue that the NSSC is not a living document.
“It’s a living fossil, a survivor from a more primitive era,” said James Lewis, a senior fellow at the Center for Strategic and International Studies and director of its Technology and Public Policy Program. “It’s relevant as a historical document or as a doorstop, but not much else.”
Some say DHS needs to produce a companion implementation schedule to resurrect the strategy.
“I don’t think NSSC should be revised,” said Thom Rubel, research director for Government Insights, a research arm of IDC. “Rather, it should be used as a reference for creating a more specific framework that formalizes actionable objectives, goals and measures for many of the needs it identifies.”
Because the document lacks an implementation guide, the NSSC has missed its chance to rally industry around cybersecurity, said Dave Murphy, founder of the International Association of IT Trainers and an IT professor at the University of Phoenix.
“It’s an opportunity lost,” Murphy said. “My biggest concern is that we do not have vibrant coordination.”
Murphy said he rarely hears industry executives discuss the document. “I make it required reading for my upper-division graduate students, and they are always surprised the government has published this document,” he said. “I see it as a broad-brush document for the security industry, but I cannot find one example in all of NSSC’s Priority III that has been implemented.”
Priority III calls for the creation of a National Cyberspace Security Awareness and Training Program.
Others claim the NSSC has fostered an industry awareness of the need to bolster cybersecurity. Specifically, it gave rise to Staysafeonline.org, a consumer site designed to raise the public’s attention to Internet security and safety issues.
“What’s neat about Staysafeonline.org is that it is a campaign that brings together public and private efforts and feeds them into one portal,” said Shannon Kellogg, RSA Security’s director of industry and government affairs. “It is a massive educational campaign.”
Many in the education sector recognize the NSSC as the impetus for efforts such as Staysafeonline.org and Educause — a nonprofit organization that champions IT security and other technology efforts in higher education, said Mark Bruhn, Indiana University’s associate vice president for telecommunications and executive director of the Research and Education Network Information Sharing and Analysis Center.
Yet after spurring such efforts into action, DHS has done little to follow up. “There is demonstrable progress in some NSSC areas, but most of it really isn’t coordinated by, or even with, DHS,” Bruhn said.
Benign neglect may be the best industry could have hoped for, said Paul Kocher, president and chief scientist of Cryptography Research, a security systems company. “Nothing much concrete has happened, which mostly means nothing harmful has been done,” he said. “So in that way, the plan could be considered a success.”
Rather than expand the strategy, many experts would prefer a grass-roots effort to promote security in industry and government.
Federal and industry security officials are also hungry for action, said Khalid Kark, Forrester Research’s senior analyst for information security.
“I am a big believer in high-level strategy that can be adopted and implemented based on individual circumstances,” Kark said. “But the fact is that most information security departments are strapped for resources, and they don’t want a high-level strategy. Instead, they look for specific implementation strategies.”
Rubel said the NSSC’s impact on internal agency security measures has been the strategy’s most influential byproduct, mostly because the document influenced the implementation of the Federal Information Security Management Act, enacted in 2002 as part of the E-Government Act.
The “NSSC has likely helped the federal government improve its security, and FISMA has created a fairly effective assessment and monitoring tool,” Rubel said.
Many contend, however, that the NSSC’s success is not reaching beyond federal borders. The “NSSC does not address unique private-sector economic and privacy considerations and seems to undervalue contributions that the identified partners — private, state and local governments — can contribute to an effective national cybersecurity effort,” Rubel said.
Specifically, he pointed to a recent National Association of State Chief Information Officers report in which state CIOs clamored for a closer relationship with DHS.
In addition to strengthening relationships with all stakeholders, DHS needs to loosen its grip on funding that rightly belongs to NSSC-related efforts, said Jonathan Zittrain, Oxford University professor of Internet governance and regulation.
“The best thing we could do is increase funding for new security architectures,” he said. “Particularly there should be focus on the ones that draw upon distributed resources so as not to create any new gatekeepers that might start filtering code on a basis other than the danger it poses.”
McAdams is a freelance writer based in Vienna, Va.