The National Strategy to Secure Cyberspace, which calls for a better dialogue between the government and the private sector on computer security matters, was finally released Friday. The strategy calls for a national network operations center to monitor the health of the Internet and detect large virus and worm outbreaks.
The strategy does not, however, call for regulation or the extension of liability to software vendors who create insecure applications. The plan relies squarely on communicating and cooperating with the private sector.
President Bush signed the strategy Jan. 31, but the 76-page document wasn't released until Friday, when it was presented with little fanfare. The plan was originally slated for release Sept. 19, 2002, at a big ceremony at Stanford University. A few days before the event, however, the White House decided to postpone the release of the strategy in order to gather public comment on it.
The final version doesn't hold any surprises. Much of the meat of it was released in draft form in the fall. Some criticized it at the time for not containing enough bite to force software vendors and others to provide security. Instead, the strategy relies on market forces and private cooperation.
The strategy has five priorities:
- Creating a national cyberspace security response system
- Setting up a national cybersecurity threat and vulnerability reduction program
- Creating cyberspace security awareness and training programs
- Securing governments' systems
- Sharing information both nationally and internationally
The government's role, as outlined in the strategy, is to encourage and assist the private sector (which controls more than 75% of the country's critical infrastructure).
"The government will serve as a model for the private sector," said Tiffany Olson, deputy chief of staff for the President's Critical Infrastructure Protection Board. The government has to get its own security house in order before it can think about telling private companies what to do, she said.
The government plans to launch an advertising campaign aimed at small businesses and home users, many of whom don't realize the role they play in cybersecurity. For example, the strategy calls on home users to use properly maintained firewalls and antivirus software. "We will tell them ways they can help protect their pieces of cyberspace at home," Olson said.
In a broader sense, the strategy provides focus for different groups that are working to improve cybersecurity, said Pete Allor, manager of X-Force threat intelligence services at Internet Security Systems Inc. in Atlanta. Allor is also the director of the Information Technology Information Sharing and Analysis Center (IT-ISAC). The group stores and distributes information about security vulnerabilities and attacks pertaining to the IT sector.
"It formalizes a lot of things we are already doing," Allor said. The strategy calls for better sharing of information about security threats between the government and the private sector. Allor has already seen an uptick in the reporting of vulnerabilities and other security issues to the IT-ISAC. His group has begun to share information with ISACs from other industry segments.
Yet some question how the strategy will differ from past attempts. The government has promised some investments to set up a vulnerability and threat service, which would be good if it's properly funded, said Bruce Schneier, chief technology officer of Cupertino, Calif.-based Counterpane Internet Security.
Schneier isn't confident that the strategy's reliance on the good graces of private industry will work. Most businesses won't spend, say, $5,000 on something to improve security just because the government "asked them nicely," he said.
Schneier is not calling for the government to require a certain brand of firewall. He would like to see companies that produce insecure products be held liable for them.
"If Firestone produces a tire with [a] systemic flaw and you die, then they are responsible," Schneier said. "But if Microsoft produces an operating system with two systemic flaws a week, it's not responsible."
Microsoft is not a stupid company, Schneier said. If the company isn't liable for vulnerabilities, then it's not in the company's best business interest to make more secure products.
- FEEDBACK: Is the National Strategy to Secure Cyberspace still too soft for your liking?
Send your thoughts to News Writer Edward Hurley.