Cyber strategy: A starting point

National Strategy to Secure Cyberspace

The National Strategy to Secure Cyberspace that the Bush administration released today is a draft -- a roadmap that will become more detailed as comments are returned and expertise evolves within government and the private sector, according to the document.

Parts of the draft strategy, developed by the Critical Infrastructure Protection Board in cooperation with the private sector, are more detailed than others. Recommendations for the federal government sector include:

* That the CIO Council and relevant agencies consider creating a "cyberspace academy" to link federal cybersecurity and computer forensics training programs.

* That the Office of Management and Budget establish an Office of Information Security Support Services within the proposed Homeland Security Department to pool security resources from across government to support smaller and less-experienced agencies.

* That the government examine the idea of certifying private-sector security providers, based on the certifications being performed by the national security community. This could lead to limiting contract awards for security services to certified companies.

The Critical Infrastructure Protection Board executive branch Information Systems Security Committee, the Office of Federal Procurement Policy and the Federal Acquisition Regulation Council are also examining how to improve security in the systems and solutions that agencies procure from vendors. They are reviewing the National Infrastructure Assurance Program's security accreditation process -- as well as its mandated implementation at the Defense Department -- to determine the possible impact of extending the DOD requirement to civilian agencies.

"The federal government recognizes that past efforts such as this have failed, but believes that the heightened level of government and consumer concerns over significant flaws in information technology products warrants renewed efforts," the draft states.

That review will be completed by the fourth quarter of fiscal 2003.

The committee also plans to examine the viability of establishing uniform security practices for different categories of programs and services, falling into high, medium and low levels of risk.

The draft also includes recommendations developed by and for industry and academia, including:

* That Internet service providers should consider adopting a "code of conduct" governing their security practices and interactions.

* That colleges and universities should enhance their security capabilities by considering the establishment of one or more information sharing and analysis centers, empowering their chief information officers, adopting best practices, and creating model awareness and training materials.

The entire draft strategy is available online at www.securecyberspace.gov, and the board is asking for comment through that Web site by Nov. 18. The board also plans to hold eight more town hall-style meetings across the country to solicit comment and reaction. All of that information will be incorporated into the draft to create a complete strategy that will be approved by President Bush.