Computerworld - The White House's National Strategy to Secure Cyberspace, released today in draft form, was barely two hours old when many private-sector experts were suggesting dentures to replace the teeth that had been ripped from its pages.
"Anything that could have made a difference was removed at the last minute," said the president of a major security consulting firm who requested anonymity.
While most of those present at the unveiling ceremony today at Stanford University applauded the government's effort to raise awareness of security issues, and its willingness to take a leadership role, many were surprised by the lack of tough enforcement language in the document. In fact, many private-sector experts and a White House source acknowledged that major changes, such as the removal of "politically sensitive language," were made to the plan in the last 24 hours of preparation.
"What happened here?" asked Wyatt Starnes, CEO of Tripwire Inc., a Portland, Ore.-based global IT security company. "We thought we were going to get something concrete. They probably underestimated the politics."
For example, although the strategy calls on corporate CEOs to establish enterprise security councils to integrate cybersecurity, physical security and privacy into their daily operations -- and urges major Internet service providers to adopt a "code of good conduct" governing their cybersecurity operations -- real change in the private sector remains voluntary.
Russ Cooper, surgeon general of TruSecure Corp. in Herndon, Va., is not happy with the strategy as it currently exists. In particular, Cooper said the administration has removed language that would have offered a definition of liability and an assignment of responsibility for Internet security.
"It's time that the government mandates some action be taken," said Cooper. "I'd like to see ISPs be told that it is illegal to carry identified Internet attack traffic. But I don't see anything similar or at that level in what they're proposing."
James Lewis, director of the Council on Technology and Public Policy at the Center for Strategic and International Studies in Washington, agreed that linking real change in cybersecurity to a voluntary system can't work in the long run. "The administration hopes market-driven solutions, rather than new regulations, will be enough for security," said Lewis.
"The report has many good ideas, but cybersecurity is too tough a problem for a solely voluntary approach to fix," he said. "Companies will only change their behavior when there are both market forces and legislation that cover security failures."
Despite the disappointment voiced by some, others said they view the strategy as a critical starting point that includes examples of solid government leadership.
"You have to look at this as a good starting point," said Scott Crenshaw, vice president of business development at NTRU Cryptosystems Inc., a security firm in Burlington, Mass. "For example, the section on assessment of current gaps and weaknesses in the private sector is particularly strong. If this document raises awareness of those issues, it will have served us well."
Scott Charney, chief security strategist at Microsoft Corp., also applauded the strategy as a critical starting point. "It's really important to get the vision piece right," said Charney. "People need time to sit down with the document to debate the pros and cons." He was referring to the two-month review period before the final version is sent to the president for approval. All reasonable recommendations will have an impact on the shape and direction of the strategy, he said.
That may have been part of the plan all along, said a business executive who requested anonymity. It could very well be that releasing the strategy in draft form was a calculated move by Richard Clarke, chairman of the president's Critical Infrastructure Protection Board, to gauge the reaction of the private sector and determine if there is enough political support to put real teeth into the recommendations, the executive said.
Clarke is very skilled at dealing with both the government and private sector, said Gene Hodges, CEO of Network Associates Inc. "Richard [Clarke] is walking a fine line between patting people on the back and kicking them in the butt," he said.
Join Computerworld's discussion on the Bush administration's plan for cybersecurity.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
If you use ‘password,’ one the worst passwords, as your password, fail to keep antivirus protection updated and don’t bother to deploy security patches to close critical vulnerabilities, then maybe you should consider working for the cybersecurity-clueless federal government; you’d fit right in, according to Senator Tom Coburn's cybersecurity and critical infrastructure report.
- IT Certification Study Tips
- Register for this Computerworld Insider Study Tip guide and gain access to hundreds of premium content articles, cheat sheets, product reviews and more.
- Changing the Way Government Works: Four Technology Trends that Drive Down Costs and Increase Productivity
- This paper discusses four technology-based approaches to improving processes and increasing
productivity while driving down department and agency costs.
- HP HAVEn: See the big picture in Big Data
- HP HAVEn is the industry's first comprehensive, scalable, open, and secure platform for Big Data. Enterprises are drowning in a sea of data...
- What Datapipe customers need to know about the new PCI DSS 3.0 compliance standard
- This handy quick reference outlines what PCI DSS 3.0 is, who needs to be compliant and how Alert Logic solutions address the new...
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting
- This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle
- This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle. All Government IT White Papers
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,...
- Getting Ready for BlackBerry Enterprise Service 10.2 Find out how BlackBerry® Enterprise Service 10 helps organizations address the full spectrum of EMM challenges, while balancing the needs of both the...
- Containerization Options: How to Choose the Best DLP Solution for Your Organization This webcast outlines a framework for making the right choice when it comes to containerization approaches, along with the pros and cons of...
- Mobile Apps and Devices Slash Customer Cycle Time Consolidated Engineering Laboratories' field employees used to collect data on triplicate forms that were sometimes hard to read and difficult to manage. After...
- All Government IT Webcasts