SAN FRANCISCO -- Quite intentionally, the National Strategy to Secure Cyberspace was released in February with a decided lack of mandates or plans for government regulation. It was generally received by the IT security industry as a toothless document, another manuscript filled with suggestions for best practices that merely added to the glut of similar recommendations.
The intent of the strategy was to foster dialogue and cooperation between the public and private sectors and the federal government, the feds said. On Tuesday at RSA Conference 2003, the government announced the first concerted industry action on the strategy.
TechNet's new CEO Cybersecurity Task Force joined forces with new White House cybersecurity czar Howard Schmidt to challenge American businesses to meet a minimum level of cybersecurity; specifically, they challenged businesses to adhere to a top 10 list of security practices for chief executive officers. The formal challenge will be issued soon, TechNet's Rick White said, adding that there will be a deadline issued as well.
TechNet is a network of more than 200 chief executive officers and other high-ranking technology executives. The group's mission is to promote the growth of technology industries.
The list of best practices is still being finalized, but is expected to focus largely on network security issues, like intrusion detection and ensuring that default systems are turned off.
TechNet also announced that it had partnered with the Internet Security Alliance and four major audit firms: Deloitte & Touche, Ernst & Young, KPMG and PricewaterhouseCoopers.
"It is an honor to see a piece of the strategy being moved forward," Schmidt said.
The announcement did come under some scrutiny because actual enterprise chief security officers and chief information officers were not involved in the initiative's development. TechNet said that the task force is a work in progress and that others are welcome to join.
"They need to get people in the trenches involved. That is key," said Michael Rasmussen, director of research for Giga Information Security, a division of Cambridge, Mass.-based Forrester Research. "They need to include CISOs [chief information security officers] and auditors, and not just self-serving organizations that are selling products."
Art Coviello, CEO of RSA Security Inc. and a TechNet member, said the group members' first responsibility is to take a leadership role and promote security within their own companies and develop secure products for enterprise use.
For his part, Schmidt said that the strategy is inclusive.
"As we build out the strategy, we will move forward and not at the exclusion of anyone else," Schmidt said.
Schmidt pointed to other subtle examples of the strategy at work in the private sector, including changes in the way hardware and software vendors develop products and write secure code, the trend among universities nationwide to adopt security policies that make their systems open and secure, and the greater level of cooperation among businesses and law enforcement, a trend that has led to retribution for attacks.
Schmidt also pointed out that there would be no sanctions against those companies that fail to meet the prescribed best practices.
"The sanctions will come from people not buying products and services if they are not secure," Schmidt said.