Computerworld - The White House's National Strategy to Secure Cyberspace, released today in draft form, was barely two hours old when many private-sector experts were suggesting dentures to replace the teeth that had been ripped from its pages.
"Anything that could have made a difference was removed at the last minute," said the president of a major security consulting firm who requested anonymity.
While most of those present at the unveiling ceremony today at Stanford University applauded the government's effort to raise awareness of security issues, and its willingness to take a leadership role, many were surprised by the lack of tough enforcement language in the document. In fact, many private-sector experts and a White House source acknowledged that major changes, such as the removal of "politically sensitive language," were made to the plan in the last 24 hours of preparation.
"What happened here?" asked Wyatt Starnes, CEO of Tripwire Inc., a Portland, Ore.-based global IT security company. "We thought we were going to get something concrete. They probably underestimated the politics."
For example, although the strategy calls on corporate CEOs to establish enterprise security councils to integrate cybersecurity, physical security and privacy into their daily operations -- and urges major Internet service providers to adopt a "code of good conduct" governing their cybersecurity operations -- real change in the private sector remains voluntary.
Russ Cooper, surgeon general of TruSecure Corp. in Herndon, Va., is not happy with the strategy as it currently exists. In particular, Cooper said the administration has removed language that would have offered a definition of liability and an assignment of responsibility for Internet security.
"It's time that the government mandates some action be taken," said Cooper. "I'd like to see ISPs be told that it is illegal to carry identified Internet attack traffic. But I don't see anything similar or at that level in what they're proposing."
James Lewis, director of the Council on Technology and Public Policy at the Center for Strategic and International Studies in Washington, agreed that linking real change in cybersecurity to a voluntary system can't work in the long run. "The administration hopes market-driven solutions, rather than new regulations, will be enough for security," said Lewis.
"The report has many good ideas, but cybersecurity is too tough a problem for a solely voluntary approach to fix," he said. "Companies will only change their behavior when there are both market forces and legislation that cover security failures."
Despite the disappointment voiced by some, others said they view the strategy as a critical starting point that includes examples of solid government leadership.
"You have to look at this as a good starting point," said Scott Crenshaw, vice president of business development at NTRU Cryptosystems Inc., a security firm in Burlington, Mass. "For example, the section on assessment of current gaps and weaknesses in the private sector is particularly strong. If this document raises awareness of those issues, it will have served us well."
Scott Charney, chief security strategist at Microsoft Corp., also applauded the strategy as a critical starting point. "It's really important to get the vision piece right," said Charney. "People need time to sit down with the document to debate the pros and cons." He was referring to the two-month review period before the final version is sent to the president for approval. All reasonable recommendations will have an impact on the shape and direction of the strategy, he said.
That may have been part of the plan all along, said a business executive who requested anonymity. It could very well be that releasing the strategy in draft form was a calculated move by Richard Clarke, chairman of the president's Critical Infrastructure Protection Board, to gauge the reaction of the private sector and determine if there is enough political support to put real teeth into the recommendations, the executive said.
Clarke is very skilled at dealing with both the government and private sector, said Gene Hodges, CEO of Network Associates Inc. "Richard [Clarke] is walking a fine line between patting people on the back and kicking them in the butt," he said.
Join Computerworld's discussion on the Bush administration's plan for cybersecurity.
Read more about Security in Computerworld's Security Topic Center.
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
This state transportation department uses computer science students from a local university as programming interns, and everyone is happy with the arrangement -- until one intern learns how to bring down the mainframe.
- IT Certification Study Tips
- Register for this Computerworld Insider Study Tip guide and gain access to hundreds of premium content articles, cheat sheets, product reviews and more.
- Changing the Way Government Works: Four Technology Trends that Drive Down Costs and Increase Productivity
- This paper discusses four technology-based approaches to improving processes and increasing
productivity while driving down department and agency costs.
- Infographic: Converged Infrastructure Benefits
- This Infographic quantifies the savings organizations are realizing from increased deployment speed, higher availability, and lower annual costs.
- CIOs Deliver Productivity Breakthroughs with Intelligent Digital Signage
- Retailers have long recognized the influence that digital signage provides over a shopper's point-of-purchase decision making process.
- Going Paperless? Here's What You Need to Think About
- As makers of some of the world's most popular PDF solutions, we often consult with businesses & governmental agencies that have the goal...
- The Big Data Opportunity for HR and Finance
- If CEOs, CFOs, CIOs, and CHROs want to drive their businesses forward, they will need to quickly recognize the enormous value of big... All Government IT White Papers
- Top 4 Digital Signage Fails Join RMG Networks for a look at four of the most common reasons digital signage fails in corporate businesses. Learn about strategies to...
- Building Tomorrow's Infrastructure Listen to this podcast to discover how Crider Foods worked with PC Connection to update their IT infrastructure, while maintaining compliance and control.
Enhance Your Virtualization Infrastructure With IBM and Vmware
Date: Wednesday, May 14, 2014, 1:00 PM EDT
Virtualization technology is now expanding beyond the server compute elements to encompass networking and storage...
Transforming Finance, Procurement and Supply Chain Effectiveness with Cross-Functional Analytics
Date: May 6th, 2014
Time: 1 PM EDT
Attend this Webcast to find out how Oracle's packaged analytic applications enable line-of-business managers to examine all...
- Cloud Knowledge Vault Learn how your organization can benefit from the scalability, flexibility, and performance that the cloud offers through the short videos and other resources...
- All Government IT Webcasts