Cyber strategy slow in arriving

National Strategy to Secure Cyberspace

While public- and private-sector officials are praising the release of the National Strategy to Secure Cyberspace, some also say that the strategy has been a long time coming.

The President's Critical Infrastructure Protection Board developed the strategy in cooperation with state and local governments and the private sector, and released a draft version Sept. 18 for comment.

A team led by Richard Clarke, special adviser to the president for cyberspace security and chairman of the Critical Infrastructure Protection Board, has been working with the private sector on this document since the Clinton administration released its National Plan for Information Systems Security in January 2000.

Experts attributed the long development cycle to matters ranging from the complexity of the task to the politics involved in any national strategy.

"Yes, three years is a long time, and in the scheme of things, it is not Internet time," said Ron Moritz, senior vice president of eTrust Security Solutions at Computer Associates International Inc.

Despite the critical nature of the cybersecurity threat, this strategy could not have been developed more quickly because of the concerns within the private sector, Moritz said. The government, too, must be mindful of the needs of the international community and not move too fast on policy issues that could cause problems when it comes to bringing this strategy to other governments, he said.

Politics — in the form of the change of administration, the debate over creating a homeland security department, lobbying from the private sector and an upcoming election — seem to have contributed to the slow timing on the strategy's release, according to a former federal official who asked not to be named.

The question of whether the strategy can help improve cybersecurity may not be answered until the final version is approved later this year, he said.

The strategy includes the following recommendations for the federal government:

* The CIO Council and relevant agencies should consider creating a "cyberspace academy" to link federal cybersecurity and computer forensics training programs.

* The Office of Management and Budget should establish an Office of Information Security Support Services within the proposed Homeland Security Department to pool security resources from across government to support smaller agencies and those with less experience with security issues.

* The government should consider certifying private-sector security providers, based on the certifications being performed by the national security community. This could lead to limiting contracts for security services to certified companies.

The draft strategy is available online at www.securecyberspace.gov. The board is accepting comments via that Web site until Nov. 18.

The board also plans to hold eight town hall-style meetings across the country to solicit comments and reactions. All of that information will be incorporated into a complete strategy for approval by President Bush.