The U.S. government's new cybersecurity strategy acknowledges that it can't improve cybersecurity all by itself. Everyone from the federal government to Fortune 500 companies to Fred the home DSL user has a part to play.
The administration was supposed to release the final version of "The National Strategy to Secure Cyberspace," a prescription for addressing the issue of cybersecurity, on Thursday. Instead, it released the report as a draft with a 60-day comment period.
Some charge that the government bowed to lobbying efforts to soften provisions. Others see the 60-day comment period as a way to build a consensus around a complex issue that impacts multiple strata of society.
The strategy is definitely not a panacea, security experts said this week. But it does prescribe actions for everyone from federal government workers to home computer users that address the communal issue of cybersecurity.
For example, the strategy says the federal government should look more closely at its own information security. Target areas include stronger access authentication, encryption and vulnerability assessment.
"I think those are things the government should already have done by now," said Robert Lonadier, president of RCL Associates, a Boston-based analyst firm.
Yet the administration asserts in the report that it can't fully address the issue of cybersecurity by itself.
"The government realized it doesn't own all the systems," said Guy Copeland, an advisor on the strategy who is also vice president of information infrastructure advisory programs at El Segundo, Calif.-based Computer Sciences Corporation. "The only way to improve security is working together with the private sector."
As such, the strategy doesn't rely on regulations to enforce its suggestions. Such an approach would be misguided, Copeland said, as the government doesn't have the expertise or manpower to enforce such regulations.
Instead, the government would let market forces improve security by providing fertile ground for innovation, Copeland said.
The federal government is also a very large consumer of IT products. It can demand more secure products from vendors, which could give other large consumers the confidence to make similar demands. "This could really encourage innovation," Copeland said.
Lonadier, however, said he is disappointed that the strategy doesn't include holding vendors liable for providing vulnerable software and hardware.
"They need to stop releasing buggy code that allows exploits to be developed," he said.
From the government to the guy next door
The strategy does address an often-overlooked sector that needs to address security better, namely home users and small businesses. Such a group has often been "under the radar" during security discussions, but the group can't be ignored, Lonadier said.
The fact is that home users with always-on, high-speed Internet connections pose a security threat, agreed Douglas Sabo, director for government relations at Santa Clara, Calif.-based Network Associates. Home broadband users may not update their antivirus software frequently enough or employ personal firewalls.
The government can use its bully pulpit to get home users to pay closer attention to security, Sabo said.
"It will carry more weight coming out of the White House rather than from a group of security professionals," he said.
During the 60-day comment period, a wide cross section of technology users will have the ability to offer suggestions to improve the strategy. "I like the idea of calling it a draft," Lonadier said. "There will be a lot of grassroots selling of it in the coming months."
The draft process and comment period allow the government to draw on a much wider field of expertise to improve the strategy, Copeland said. Only a few hundred people helped develop it, but literally millions could suggest improvements, he said.
"Someone could have a bright idea that we haven't thought of," he added.