Computerworld - The White House's National Strategy to Secure Cyberspace, released today in draft form, was barely two hours old when many private-sector experts were suggesting dentures to replace the teeth that had been ripped from its pages.
"Anything that could have made a difference was removed at the last minute," said the president of a major security consulting firm who requested anonymity.
While most of those present at the unveiling ceremony today at Stanford University applauded the government's effort to raise awareness of security issues, and its willingness to take a leadership role, many were surprised by the lack of tough enforcement language in the document. In fact, many private-sector experts and a White House source acknowledged that major changes, such as the removal of "politically sensitive language," were made to the plan in the last 24 hours of preparation.
"What happened here?" asked Wyatt Starnes, CEO of Tripwire Inc., a Portland, Ore.-based global IT security company. "We thought we were going to get something concrete. They probably underestimated the politics."
For example, although the strategy calls on corporate CEOs to establish enterprise security councils to integrate cybersecurity, physical security and privacy into their daily operations -- and urges major Internet service providers to adopt a "code of good conduct" governing their cybersecurity operations -- real change in the private sector remains voluntary.
Russ Cooper, surgeon general of TruSecure Corp. in Herndon, Va., is not happy with the strategy as it currently exists. In particular, Cooper said the administration has removed language that would have offered a definition of liability and an assignment of responsibility for Internet security.
"It's time that the government mandates some action be taken," said Cooper. "I'd like to see ISPs be told that it is illegal to carry identified Internet attack traffic. But I don't see anything similar or at that level in what they're proposing."
James Lewis, director of the Council on Technology and Public Policy at the Center for Strategic and International Studies in Washington, agreed that linking real change in cybersecurity to a voluntary system can't work in the long run. "The administration hopes market-driven solutions, rather than new regulations, will be enough for security," said Lewis.
"The report has many good ideas, but cybersecurity is too tough a problem for a solely voluntary approach to fix," he said. "Companies will only change their behavior when there are both market forces and legislation that cover security failures."
Despite the disappointment voiced by some, others said they view the strategy as a critical starting point that includes examples of solid government leadership.
"You have to look at this as a good starting point," said Scott Crenshaw, vice president of business development at NTRU Cryptosystems Inc., a security firm in Burlington, Mass. "For example, the section on assessment of current gaps and weaknesses in the private sector is particularly strong. If this document raises awareness of those issues, it will have served us well."
Scott Charney, chief security strategist at Microsoft Corp., also applauded the strategy as a critical starting point. "It's really important to get the vision piece right," said Charney. "People need time to sit down with the document to debate the pros and cons." He was referring to the two-month review period before the final version is sent to the president for approval. All reasonable recommendations will have an impact on the shape and direction of the strategy, he said.
That may have been part of the plan all along, said a business executive who requested anonymity. It could very well be that releasing the strategy in draft form was a calculated move by Richard Clarke, chairman of the president's Critical Infrastructure Protection Board, to gauge the reaction of the private sector and determine if there is enough political support to put real teeth into the recommendations, the executive said.
Clarke is very skilled at dealing with both the government and private sector, said Gene Hodges, CEO of Network Associates Inc. "Richard [Clarke] is walking a fine line between patting people on the back and kicking them in the butt," he said.
Join Computerworld's discussion on the Bush administration's plan for cybersecurity.
Read more about Security in Computerworld's Security Topic Center.
- 18 Hot IT Certifications for 2014
- CIOs Opting for IT Contractors Over Hiring Full-Time Staff
- 12 Best Free iOS 7 Holiday Shopping Apps
- For CMOs Big Data Can Lead to Big Profits
- Slideshow: 5 ways to lock down your mobile device
- Slideshow: 10 mistakes companies make after a data breach
- How to rob a bank: A social engineering walk through
- Which smartphone is the most secure?
If you think getting it right from day one is always what matters, you probably haven't been following technology too closely.
- IT Certification Study Tips
- Register for this Computerworld Insider Study Tip guide and gain access to hundreds of premium content articles, cheat sheets, product reviews and more.
- Mitigating DDoS Attacks with F5 Technology
- This document examines various DDoS attack methods and the application of specific ADC technologies to block attacks in the DDoS threat spectrum while...
- The DDoS Threat Spectrum
- Bolstered by favorable economics, today's global botnets are using distributed denial-of-service (DDoS) attacks to target firewalls, web services, and applications, often simultaneously.
- Defending Against Denial of Service Attacks
- By utilizing end-user interviews, this whitepaper explores a deeper understanding of DDoS defense plans and reveals the knowledge gaps around the Denial of...
- Strategic Solutions for Government IT
- This paper outlines why F5 is the optimum partner to help achieve the levels of security, performance and availability that are vital to...
- The Six Main Steps To Structured Analogy
- The role of structured analogy software is to automate the data extraction and processing work, provide visualization of the historical context forjudgments and... All Government IT White Papers
- Modernizing SAP environments with minimum risk - a path to Big Data Hear from top IDC analyst, Richard Villars, about the path you can start taking now to enable your organization to get the benefits...
- The Power of the Citrix Mobility Solution, XenMobile Does everything become a smartphone? Or does the smartphone begin to do everything? How can we afford to support BYOD? Rather, how can...
- BYOD Happens: How to Secure Mobility How to navigate the journey of securing mobility, including the BYOD corruption of IT, the top ten mobility strategies, and the mobility management...
- Fighting Fraud Videos: IBM Intelligent Investigation Manager Short videos about IBM Intelligent Investigation Manager (IIM) for Fraud. IIM optimizes the investigation of fraud for customers across many industries in both...
- IBM Intelligent Investigation Manager: Online Product Demo Intelligent Investigation Manager optimizes fraud investigation and analysis and it dynamically coordinates and reports on cases, provides analysis and visualization, and enables more...
- All Government IT Webcasts
Does your organization offer extensive benefits, cool perks, competitive salaries, opportunities for training and advancement? Then get it recognized!
Nominate your company or another deserving organization for Computerworld's 2014 Best Places to Work in IT list now through Dec. 12, 2013.