What will the government's approach to cybersecurity be if Sen. John F. Kerry wins the White House or President George W. Bush gets a second term? Based on what's come from both campaigns so far, it's hard to tell.
That's the view of most IT practitioners who were asked about the role they think government should play and which candidate best shares their philosophy. Opinions were mixed on the government's proper role. But most agreed the candidates have spent little time on the issue.
"Does either have a plan? I don't recall either candidate discussing a plan," said Paul Schmehl, adjunct information security officer for the University of Texas at Dallas and a founding member of the Anti-Virus Information Exchange Network. Asked if cybersecurity had been adequately addressed in the campaign, he said, "Not at all, but it's not the hot-button issue, is it?"
"I haven't heard any of the candidates say one word about cybersecurity," said Leslie Peckham, information security advisor for Madison, Wisc.-based American Family Insurance. "Perhaps I missed it. It appears to be perceived as an uninteresting or perhaps misunderstood vulnerability."
Where the candidates stand
Bush's plan, outlined on the White House
That perception was bolstered when former Symantec executive Amit Yoran resigned as director of the Department of Homeland Security's National Cybersecurity Division this month. Yoran was frustrated by the lack of authority he'd been given to implement administration policy, according to media reports.
In a questionnaire sent to both candidates, Washington D.C.-based IT trade association CompTIA asked how the federal government should address cybersecurity.
"Given the enormous importance of e-commerce, Internet-based communications, and the use of cyberspace to control portions of our physical infrastructure, cybersecurity is critical," Bush answered. "The investments being made today in securing our nation's cyber infrastructure and in cybersecurity R&D are working to ensure that future generations of network software and hardware are less vulnerable to an attack and can maintain critical operations even when compromised."
"We need a president who will devote the energy of the White House to making our networks -- our 21st century infrastructure -- stronger and more secure," Kerry answered. "That means supporting a cybersecurity intelligence system ready to detect these threats. I will implement global standards and best practices so that weak links are strengthened. And we need a real partnership between the public and private sectors."
The homeland security plan outlined on Kerry's Web site briefly mentions the need to secure cyberspace, saying Kerry "will launch a major effort to harden our most vulnerable critical infrastructure targets, including chemical and nuclear plants, tunnels and key cyber networks, and railroads and subways."
While most find the candidates' views ambiguous, Peter Wells, vice president and chief information security officer for Maryland-based Sytex Inc., said Bush has the better plan.
"He may not have done enough to date, but he has a firm grasp on the threat and his administration is moving in the right direction," Wells said. "Sen. Kerry, with his history of opposing most national defense and intelligence efforts and his focus on social justice -- at least today -- does not appear to have much of a clue. He would certainly be amenable to some sort of bureaucratic top-down government program which would likely bury much of our IT in a bureaucratic morass."
The role of government
Half of those asked said government has a large role to play in IT security. The other half believes it's mainly a job for the private sector.
Arguing for a smaller government role, Wells said, "Frankly, I don't think the president can do much beyond setting a tone and emphasizing the issue. Most of our infrastructure is in private hands, not subject to federal mandate -- nor should it be."
Peckham said the White House should champion the idea of cybersecurity, but let the private sector work out the details and implementation.
Arguing for a larger government role, Gonzalo Talamantes, technical services manager of information systems for Chicago-based Oil-Dri Corp., said, "The government should always play a role in my opinion by providing research funding. The private sector does not always have the public's best interests in mind."
Tony Beaird, network infrastructure administrator for Lombard, Ill.-based Cinch Connectors Inc., agreed. "I believe security should be something that is regulated. Sarbanes-Oxley is a good start because it requires the systems that are used for [public companies'] financials to be secured. The private sector will only do the absolute minimum required to get by. Injecting some form of regulation helps set a minimum standard."
Schmehl believes government's proper role is somewhere in between. "I think the government can play an educational role as well as a coordination role," he said. "I do not think the government should dictate security to private industry with the exception of industries that are vital to the national security, i.e. power generation, healthcare, banking and finance, nuclear [and] possibly industries such as chemical and bioengineering."
Those who shared their views were sent an e-mail asking what role government should play, whether cybersecurity had been adequately addressed in the campaign, and which of the presidential candidates has the better plan. All responded by e-mail.