Council offers vision for infosec standards

National Strategy to Secure Cyberspace

President Bush's private-sector infrastructure protection advisory council agreed Jan. 8 that the federal government should use industry-developed security standards, but should also be willing to use its heft to drive those standards toward interoperability.

The National Infrastructure Advisory Council's recommendations will go to the president later this month along with a revised National Strategy to Secure Cyberspace, said Richard Clarke, chairman of the President's Critical Infrastructure Protection Board.

Most of the council's recommendations had been finalized prior to the Jan. 8 meeting, but it took members — including the president and chief executive officers of Cisco Systems Inc. and Information Security Systems Inc. — some time to find just the right language to state their vision of the government's role in setting information security standards.

Their final recommendation is that the federal government should encourage the development and use of open standards in the market instead of dictating specific standards. But federal officials should also use the government's significant buying power to push for interoperability in those market standards and solutions that will raise the baseline of security across all sectors.

This falls in line with the approach taken by the Bush administration in its draft cybersecurity strategy, which the White House released in September 2002 for comment. Many criticized the draft as being too soft on industry and lacking significant milestones. Revisions proposed by Clarke's office include setting specific priorities, such as taking a closer look at the Common Criteria security product certification program.

Later this month, the council plans to meet again to look at other infrastructure protection issues, including the international migration to Version 6 of the Internet Protocol and developing a systematic vulnerability assessment program for private-sector infrastructure.