Council offers vision for infosec standards

Presidential advisers offer recommendations on government's role in setting information security standards

President Bush's private-sector infrastructure protection advisory council agreed Jan. 8 that the federal government should use industry-developed security standards, but should also be willing to use its heft to drive those standards toward interoperability.

The National Infrastructure Advisory Council's recommendations will go to the president later this month along with a revised National Strategy to Secure Cyberspace, said Richard Clarke, chairman of the President's Critical Infrastructure Protection Board.

Most of the council's recommendations had been finalized before the Jan. 8 meeting, but it took members — including the president and chief executive officers of Cisco Systems Inc. and Internet Security Systems Inc. — time to find the right language to state their vision of the government's role in setting information security standards.

Their final recommendation is that the federal government should encourage the development and use of open standards in the market instead of dictating specific standards. But federal officials should also use the government's significant buying power to push for interoperability in those market standards and solutions that will raise the baseline of security across all sectors.

This recommendation falls in line with the approach taken by the Bush administration in its draft cybersecurity strategy, which the White House released for comment in September 2002. Many criticized the draft as being too soft on industry and lacking significant milestones. Revisions that Clarke's office proposed include setting specific priorities, such as taking a closer look at the Common Criteria security product certification program.

Later this month, the council plans to meet again to look at other infrastructure protection issues, including the international migration to Version 6 of the Internet Protocol and developing a systematic vulnerability assessment program for private-sector infrastructure.

If the government exerted its buying clout, it would benefit both the private sector and federal agencies, according to industry analysts. "Government security spending is going up, and [its buying power] can be a dramatic stimulus" to push the development of better security solutions, said John Pescatore, a vice president at Gartner Inc.

For example, after the denial-of-service attacks that brought down leading e-commerce sites run by Yahoo Inc., eBay Inc. and others three years ago, Internet service providers tested new technologies to thwart such attacks but didn't see enough demand to justify the cost of incorporating the products into their services.

However, if the government mandated that all federal agencies with Internet connections use ISPs that provide built-in denial-of-service protection, then ISPs would work together to make those links more secure.

Likewise, if the government said all agencies using personal computers should have personal firewalls to protect them from attacks, desktop computers would be more secure, Pescatore said.

Rutrell Yasin contributed to this article.