Cybersecurity strategy only a first step
- By Diane Frank
- Sep 30, 2002
National Strategy to Secure Cyberspace
The Bush administration's draft of the National Strategy to Secure Cyberspace is a necessary first step toward making the country more secure, but experts said the final version of the document needs more details and clearer priorities.
The draft includes more than 80 recommendations, and even more suggestions or "discussions" for ideas that could be turned into recommendations. The document is open for comment until Nov. 18 through the White House Web site (www.whitehouse.gov).
The draft pulled together numerous ideas, but the next step must include making sense of all the information and putting together a clear plan of action, said Scott Charney, chief security strategist at Microsoft Corp.
"For all the talking, it is important to have a document," said Charney, who served as chief of the computer crime unit at the Justice Department until earlier this year. "But you also need a process for...how to put that document into practice."
Information sharing is one area that supporters and critics of the draft agree deserves more attention. Yet for the government, sharing information is the tip of the iceberg. Agencies must develop ways to analyze the data being shared, said Andrew Purdy, senior adviser for IT security and privacy on the President's Critical Infrastructure Protection Board, which led the development of the cybersecurity strategy. Purdy made his comments at a Sept. 24 forum on cybersecurity sponsored by the Cato Institute, a Washington, D.C., think tank.
Analysis cannot happen without information, said Ken Silva, director of networks and security at VeriSign Inc. Despite creating processes for sharing critical data, such as the Information Sharing and Analysis Centers.
Action must be taken to get government and industry to improving that poor record, he said. "There is simply not enough sharing of information going on."
The effort to enhance cybersecurity has been discussed for years, but there is no objective way to determine how much the situation has improved because there are no good ways to measure those efforts.
"It'd be difficult to write performance measures, but it's a good idea," said Jim Lewis, director of technology and public policy at the Center for Strategic and International Studies.
"It's not like nothing is going on" in the security world, Charney said. "But it's a much more evolutionary process than a watershed."
If the draft becomes more action-oriented after the comment period, it could be just that a watershed, he said.
The Bush administration's National Strategy to Secure Cyberspace includes 80 recommendations for users in the following categories:
* Home computers and small businesses.
* Large businesses.
* Groups such as government, private industry and academia.
It also includes recommendations for:
* National issues and efforts.
* Global initiatives and issues.