Home
News
E-mail Newsletters
Blogs
Tech Dispenser
Shark Bait
Knowledge Centers
Opinion
Webcasts
Video
Podcasts
White Papers
Computerworld Reports
Zones
Case Study Library
RSS Feeds
Events
Print Subscriptions

Subscribe to our e-mail newsletters
For more info on a specific newsletter, click the title. Details will be displayed in a new window.
Finance
Security
Computerworld Daily News (First Look and Wrap-Up)
Computerworld Blogs Newsletter
The Weekly Top 10
More E-Mail Newsletters 

Computerworld 2007Subscribe to Computerworld
40 years of the most authoritative source of news and information for IT leaders.

Cyberdefense Plan Gets Mixed Reviews

Raises awareness, but critics say it lacks teeth
Dan Verton   Today’s Top Stories    or  Other Security Stories  
 

Sign up to receive Security Resource Alerts

September 23, 2002 (Computerworld) -- The White House's National Strategy to Secure Cyberspace, released last week in draft form, was applauded by some IT industry executives for its vision. But the ink was barely dry before critics charged that the plan lacks the authority necessary to accomplish real change.


"Anything that could have made a difference was removed at the last minute," said the president of a major security consulting firm who requested anonymity.


While the government got high marks for its effort to raise awareness of security issues and its willingness to take on a leadership role, some private-sector security experts were surprised by the lack of tough enforcement language in the document. In fact, a White House source acknowledged that major changes, such as the removal of "politically sensitive language," were made to the plan in the last 24 hours of preparation.


"What happened here?" asked Wyatt Starnes, CEO of Tripwire Inc., a Portland, Ore.-based global IT security company. "We thought we were going to get something concrete. They probably underestimated the politics."


For example, although the strategy calls on corporate CEOs to establish enterprise security councils to integrate cybersecurity, physical security and privacy into their daily operations, compliance remains voluntary.


Russ Cooper, a security consultant at TruSecure Corp. in Herndon, Va., said he's dissatisfied with the strategy in its current form. Specifically, Cooper said the administration has removed language that would have offered a definition of liability and an assignment of responsibility for Internet security. "It's time the government mandates some action be taken," said Cooper. "I'd like to see ISPs be told that it is illegal to carry identified Internet attack traffic. But I don't see anything similar or at that level in what they're proposing."


James Lewis, director of the Council on Technology and Public Policy at the Center for Strategic & International Studies in Washington, agreed that having cybersecurity dependent on voluntary compliance can't bring real change in the long run. "The report has many good ideas, but cybersecurity is too tough a problem for a solely voluntary approach to fix," he said. "Companies will only change their behavior when there are both market forces and legislation that cover security failures."


Despite the disappointment voiced by some, others said the strategy is a key development that demonstrates solid government leadership.


A Good Place to Start


"You have to look at this as a good starting point," said Scott Crenshaw, a vice president at NTRU Cryptosystems Inc., a security firm in Burlington, Mass. "For example, the section on assessment of current gaps and weaknesses in the private sector is particularly strong. If this document raises awareness of those issues, it will have served us well."


Scott Charney, chief security strategist at Microsoft Corp., also applauded the strategy as a critical first step. "It's really important to get the vision piece right. People need time to sit down with the document to debate the pros and cons," he said, referring to the two-month review period before the final version is sent to the president for approval. All reasonable recommendations will have an impact on the shape and direction of the strategy, Charney said.


That may have been part of the plan all along, said a business executive who requested anonymity. It could be that releasing the strategy in draft form was a calculated move by Richard Clarke, chairman of the president's Critical Infrastructure Protection Board, to gauge the reaction of the private sector and determine if there is enough political support to put teeth into the recommendations, the executive said.


Clarke is very skilled at dealing with both the government and private sector, said Gene Hodges, CEO of Network Associates Inc. in Santa Clara, Calif. "Richard [Clarke] is walking a fine line between patting people on the back and kicking them in the butt," he said.















Recommendations

According to the plan, large corporations should:


FORM
enterprisewide corporate security councils.

PERFORM
regular independent IT security audits, remediation programs and reviews of “best practices” implementation.

FORM
board committees on IT security and ensure that the recommendations of the chief information security official in the corporation are regularly reviewed by the CEO.

ENSURE
that corporate IT continuity plans are regularly reviewed and exercised, and consider site and staff alternatives. Consideration should be given to diversity in IT service providers as a way of mitigating risks.

TAKE PART IN
public/private partnership programs to establish an awards program for those in the industry who are making significant contributions to cybersecurity.





Print this Story Send Us Feedback E-mail this Story Digg! Digg this Story Slashdot this Story

Blogs

"It's IT Blogwatch: in which Grisoft, maker of the AVG anti-virus package, backs down in its attempt to DDoS the..." Read more...
Read more Security posts or See all Blogs

Google gives away home-cooked Web application security scanner
HP eyes move of support facilities out of Colorado Springs
Microsoft trumpets security additions in upcoming IE8
More top stories...
How much is too much? Upgrade your notebook without going over the line
French ruling on counterfeit goods could have far-reaching effects for eBay
Apple cuts price of high-end SSD MacBook Air by $500

This old laptop: Revitalizing an aging notebook on the cheap
All it takes is a couple hours and about $125 to breathe new life into an old laptop. Here's how.
Bill Gates moves on
Is Microsoft's Golden Age over? What are Gates' most memorable quotes? Find out in Computerworld's complete coverage of the end of the Bill Gates era at Microsoft.
Five things you should never tell your boss
There are some things your CIO definitely doesn't want to hear. Also don't miss the flipside, Five things you should always tell your boss.
Hands-On: Firefox 3 fixes what's broke and keeps what's right
With its latest version, Mozilla's browser continues to raise the bar for what Web browsers should be.

FROM THE BLOGOSPHERE

Windows Vista A to Z
Reviews, analyses, how-tos, visual tours, hot issues and predictions about Microsoft's new OS.
IT Careers 2010
Four years from now, the IT field will be a vastly different place. Will you be ready?
All Zones
Application Performance Zone
Business Continuity Zone
Data Center Management Zone
Enterprise-Class Security Zone
The File Data Management Zone
Grid Computing on Windows Zone
Security Management Zone
ITIL Best Practices Zone
The SAS Zone
Storage Virtualization Zone
Business Intelligence and Analytics Zone


Ads by TechWords

See your link here
Why SaaS is Vital to Email and Web Security
Why SaaS is Vital to Email and Web Security
Download this webcast, free, compilments of Webroot Software
Go to the webcast 
Computerworld Executive Bulletin: Building a Robust Antivirus Defense
Download this Executive Bulletin (a $49.95 value) for free, compliments of MessageLabs.
(Source: MessageLabs) Antivirus software alone isn't enough to prevent today's speedy, sophisticated virus attacks. Security managers should consider multitiered approaches that include behavior scanning, appliances that check e-mail for worms, and restricting user access to dangerous Web sites. Download this Executive Bulletin (a $49.95 value) for free, compliments of MessageLabs, to learn more.
Download this executive briefing download
Eliminate SPAM, Gain Productivity
Get this white paper now!
(Source: MessageLabs) Learn all about the dangers and the costs of spam in all its forms - from stock-touting to spreadsheet. Also, understand the drawbacks of traditional hardware- and software-based defenses - and the unique benefits of MessageLabs multi-layered, managed Anti-Spam solution; as illustrated by a real-world case study where MessageLabs stopped spam cold.
Download this white paper go
White Papers
Read up on the latest ideas and technologies from companies that sell hardware, software and services.
Deploying Virtualized NetWare on Linux Whitepaper
Toward More Flexible, Next-Generation Collaboration Solutions
Driving Business Success Through Workgroup Choice and Flexibility
View more whitepapers 

About Us Advertise Contacts Editorial Calendar Help Desk Jobs at IDG Privacy Policy Reprints Site Map
CIO Computerworld CSO DEMO GamePro Games.net IDG Connect IDG World Expo Infoworld
The Industry Standard ITworld JavaWorld LinuxWorld MacUser Macworld Network World PC World Playlist
Copyright © 2008 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.