Cybersecurity plan on the lite side

The long-awaited plan for protecting the nation's critical computer systems is too weak, IT experts say

National Strategy to Secure Cyberspace

The Bush administration's long-awaited plan for protecting the nation's critical computer systems from cyberattacks is too weak because it does not set specific requirements for federal agencies or the private sector to follow, and politics is mostly to blame for the watered-down plan, information technology experts say.

Richard Clarke, chairman of the Critical Infrastructure Protection Board, last week released the draft National Strategy to Secure Cyberspace for comment at a ceremony at Stanford University, which aimed to highlight the partnership between the public and private sectors in developing the strategy. The demonstration, however, showed the gaps in the draft strategy.

Most of the recommendations for securing cyberspace are couched in terms of "should" and "could," rather than providing specific requirements for what IT security equipment agencies must buy or what security processes they should follow. For example, the report says that the federal CIO Council and relevant agencies should consider creating a "cyberspace academy" that could link federal cybersecurity and computer forensics training programs. The plan also asks agencies and companies to voluntarily secure their systems.

IT experts said the draft did little to further the debate on securing government and private-sector information systems and restates much of what federal and private managers already knew. For example, according to the draft strategy, "Once one computer or element in the network is compromised, it can be used to compromise others."

The soft language is a result of pressure from industry to remove the most stringent and costly recommendations — such as requiring Internet service providers to bundle firewalls and other security products with their services, an idea that Clarke has pushed for more than a year. What is left is a list of simple recommendations that the private sector could follow.

The administration's strategy to call for voluntary cooperation from the private sector is understandable, said a top-level federal IT official, who asked not to be named, but the lack of strong language in the section of the report outlining what the federal government should do came as a surprise.

"I would think we could be a little more definitive in stating requirements for federal agencies," the official said. "I think that [the federal government section] needs to be stronger than the others because the government needs to be a model."

Still, the weak language in the industry sections of the draft could also affect federal agencies, particularly when it comes to the security of products and services procured by the government, experts say.

The report makes several recommendations for the federal sector to follow (see box), but one of the most concrete steps outlined for the government reflects the concerns about how security vulnerabilities in commercial products may affect agencies' security.

To address that concern, the Critical Infrastructure Protection Board will lead a review of the National Infrastructure Assurance Program's security accreditation process. Under this program, commercial security products and services are independently tested to determine if they will perform as vendors promise. Defense Department organizations are required to buy only those security products and services that have gone through the accreditation process, and the board's review will examine the possible impact of extending the DOD requirement to civilian agencies.

Industry executives said that because technology changes rapidly, the administration's decision to let industry determine the best products and security practices was the correct approach.

The fact that the draft strategy lays out security best practices and recommended actions means shareholders and the public will be aware of the effort, which should motivate companies to meet those security baselines, said Ron Moritz, senior vice president of eTrust security solutions at Computer Associates International Inc.

Government and industry must create a culture of security, where security measures are taken as part of good business practices, said Michael Aisenberg, director of public policy for VeriSign Inc.

But self-regulation and market pressure — which the draft highlights as the methods by which security will improve in the private sector — have not shown much success so far, said Jim Lewis, director of technology and public policy at the Center for Strategic and International Studies. Considering recent history, "this [approach] can't be completely voluntary," he said.

Many of the basic preventive measures the government wants the private sector to take can be accomplished through other means, Lewis said. Laws such as the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act require the financial and health care sectors, respectively, to ensure the privacy of personal information held in their systems. These laws, by default, led to companies enhancing security, Lewis said. Requiring companies to report their practices to the Securities and Exchange Commission has also been effective, and "little tweaks like that might be enough to move us forward," he said.

The draft is open for comment on the White House Web site until Nov. 18, and officials in government and industry predict that changes will be made. "This is not a static document.... It's definitely not going to stay where it [is]," Moritz said.

***

What it says

Federal information technology experts say the Bush administration's recommendations for how agencies should secure critical information systems from cyberattacks do not give IT managers enough direction and will do little to ensure that the systems are secured.

The National Strategy to Secure Cyberspace includes the following recommendations for the federal government:

* The CIO Council and relevant agencies should consider creating a "cyberspace academy" to link federal cybersecurity and computer forensics training programs.

* The Office of Management and Budget should consider establishing an Office of Information Security Support Services within the proposed Homeland Security Department to pool security resources from across government to support smaller agencies and those with less experience with security issues.

* The government should consider certifying private-sector security providers, based on the certifications being performed by the national security community. This could lead to limiting contracts for security services to certified companies.

In addition, the Critical Infrastructure Protection Board's Committee on Executive Branch Information Systems Security will examine the viability of establishing uniform security practices for programs and services, categorizing them by high, medium and low levels of risk.
