Cybersecurity plan on the lite side

The long-awaited plan for protecting the nation's critical computer systems is too weak, IT experts say

National Strategy to Secure Cyberspace

The Bush administration's long-awaited plan for protecting the nation's critical computer systems from cyberattacks is too weak because it does not set specific requirements for federal agencies or the private sector to follow, and politics is mostly to blame for the watered-down plan, information technology experts say.

Richard Clarke, chairman of the Critical Infrastructure Protection Board, last week released the draft National Strategy to Secure Cyberspace for comment at a ceremony at Stanford University, which aimed to highlight the partnership between the public and private sectors in developing the strategy. The demonstration, however, showed the gaps in the draft strategy.

Most of the recommendations for securing cyberspace are couched in terms of "should" and "could," rather than providing specific requirements for what IT security equipment agencies must buy or what security processes they should follow. For example, the report says that the federal CIO Council and relevant agencies should consider creating a "cyberspace academy" that could link federal cybersecurity and computer forensics training programs. The plan also asks agencies and companies to voluntarily secure their systems.

IT experts said the draft did little to further the debate on securing government and private-sector information systems and restates much of what federal and private managers already knew. For example, according to the draft strategy, "Once one computer or element in the network is compromised, it can be used to compromise others."

The soft language is a result of pressure from industry to remove the most stringent and costly recommendations — such as requiring Internet service providers to bundle firewalls and other security products with their services, an idea that Clarke has pushed for more than a year. What is left is a list of simple recommendations that the private sector could follow.

The administration's strategy to call for voluntary cooperation from the private sector is understandable, said a top-level federal IT official, who asked not to be named, but the lack of strong language in the section of the report outlining what the federal government should do came as a surprise.

"I would think we could be a little more definitive in stating requirements for federal agencies," the official said. "I think that [the federal government section] needs to be stronger than the others because the government needs to be a model."

Still, the weak language in the industry sections of the draft could also affect federal agencies, particularly when it comes to the security of products and services procured by the government, experts say.

The report makes several recommendations for the federal sector to follow (see box), but one of the most concrete steps outlined for the government reflects the concerns about how security vulnerabilities in commercial products may affect agencies' security.

To address that concern, the Critical Infrastructure Protection Board will lead a review of the National Infrastructure Assurance Program's security accreditation process. Under this program, commercial security products and services are independently tested to determine if they will perform as vendors promise. Defense Department organizations are required to buy only those security products and services that have gone through the accreditation process, and the board's review will examine the possible impact of extending the DOD requirement to civilian agencies.

Industry executives said that because technology changes rapidly, the administration's decision to let industry determine the best products and security practices was the correct approach.

The fact that the draft strategy lays out security best practices and recommended actions means shareholders and the public will be aware of the effort, which should motivate companies to meet those security baselines, said Ron Moritz, senior vice president of eTrust security solutions at Computer Associates International Inc.

Government and industry must create a culture of security, where security measures are taken as part of good business practices, said Michael Aisenberg, director of public policy for VeriSign Inc.

But self-regulation and market pressure — which the draft highlights as the methods by which security will improve in the private sector — have not shown much success so far, said Jim Lewis, director of technology and public policy at the Center for Strategic and International Studies. Considering recent history, "this [approach] can't be completely voluntary," he said.

Many of the basic preventive measures the government wants the private sector to take can be accomplished through other means, Lewis said. Laws such as the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act require the financial and health care sectors, respectively, to ensure the privacy of personal information held in their systems. These laws, by default, led to companies enhancing security, Lewis said. Requiring companies to report their practices to the Securities and Exchange Commission has also been effective, and "little tweaks like that might be enough to move us forward," he said.

The draft is open for comment on the White House Web site until Nov. 18, and officials in government and industry predict that changes will be made. "This is not a static document.... It's definitely not going to stay where it [is]," Moritz said.

***

What it says

Federal information technology experts say the Bush administration's recommendations for how agencies should secure critical information systems from cyberattacks do not give IT managers enough direction and will do little to ensure that the systems are secured.

The National Strategy to Secure Cyberspace includes the following recommendations for the federal government:

* The CIO Council and relevant agencies should consider creating a "cyberspace academy" to link federal cybersecurity and computer forensics training programs.

* The Office of Management and Budget should consider establishing an Office of Information Security Support Services within the proposed Homeland Security Department to pool security resources from across government to support smaller agencies and those with less experience with security issues.

* The government should consider certifying private-sector security providers, based on the certifications being performed by the national security community. This could lead to limiting contracts for security services to certified companies.

In addition, the Critical Infrastructure Protection Board's Committee on Executive Branch Information Systems Security will examine the viability of establishing uniform security practices for programs and services, categorizing them by high, medium and low levels of risk.
