White House cyberdefense plan gets mixed reaction

Computerworld - The White House's National Strategy to Secure Cyberspace, released today in draft form, was barely two hours old when many private-sector experts were suggesting dentures to replace the teeth that had been ripped from its pages.
"Anything that could have made a difference was removed at the last minute," said the president of a major security consulting firm who requested anonymity.
While most of those present at the unveiling ceremony today at Stanford University applauded the government's effort to raise awareness of security issues, and its willingness to take a leadership role, many were surprised by the lack of tough enforcement language in the document. In fact, many private-sector experts and a White House source acknowledged that major changes, such as the removal of "politically sensitive language," were made to the plan in the last 24 hours of preparation.
"What happened here?" asked Wyatt Starnes, CEO of Tripwire Inc., a Portland, Ore.-based global IT security company. "We thought we were going to get something concrete. They probably underestimated the politics."
For example, although the strategy calls on corporate CEOs to establish enterprise security councils to integrate cybersecurity, physical security and privacy into their daily operations -- and urges major Internet service providers to adopt a "code of good conduct" governing their cybersecurity operations -- real change in the private sector remains voluntary.
Russ Cooper, surgeon general of TruSecure Corp. in Herndon, Va., is not happy with the strategy as it currently exists. In particular, Cooper said the administration has removed language that would have offered a definition of liability and an assignment of responsibility for Internet security.
"It's time that the government mandates some action be taken," said Cooper. "I'd like to see ISPs be told that it is illegal to carry identified Internet attack traffic. But I don't see anything similar or at that level in what they're proposing."
James Lewis, director of the Council on Technology and Public Policy at the Center for Strategic and International Studies in Washington, agreed that linking real change in cybersecurity to a voluntary system can't work in the long run. "The administration hopes market-driven solutions, rather than new regulations, will be enough for security," said Lewis.
"The report has many good ideas, but cybersecurity is too tough a problem for a solely voluntary approach to fix," he said. "Companies will only change their behavior when there are both market forces and legislation that cover security failures."
Despite the disappointment voiced by some, others said they view the strategy as a critical starting point that includes examples of solid government leadership.
"You have to look at this as a good starting point," said Scott Crenshaw, vice president of business development at NTRU Cryptosystems Inc., a security firm in Burlington, Mass. "For example, the section on assessment of current gaps and weaknesses in the private sector is particularly strong. If this document raises awareness of those issues, it will have served us well."
Scott Charney, chief security strategist at Microsoft Corp., also applauded the strategy as a critical starting point. "It's really important to get the vision piece right," said Charney. "People need time to sit down with the document to debate the pros and cons." He was referring to the two-month review period before the final version is sent to the president for approval. All reasonable recommendations will have an impact on the shape and direction of the strategy, he said.
That may have been part of the plan all along, said a business executive who requested anonymity. It could very well be that releasing the strategy in draft form was a calculated move by Richard Clarke, chairman of the president's Critical Infrastructure Protection Board, to gauge the reaction of the private sector and determine if there is enough political support to put real teeth into the recommendations, the executive said.
Clarke is very skilled at dealing with both the government and private sector, said Gene Hodges, CEO of Network Associates Inc. "Richard [Clarke] is walking a fine line between patting people on the back and kicking them in the butt," he said.
Join Computerworld's discussion on the Bush administration's plan for cybersecurity.