QUESTION & ANSWER

Expert: Cybersecurity strategy an action plan

By Michael S. Mimoso, News Editor 19 Feb 2003 | SearchSecurity.com

Digg This!     StumbleUpon     Del.icio.us

SearchSecurity.com is currently polling its members on whether the final version of the National Strategy to Secure Cyberspace hits the mark. What is your initial reaction to the 76-page document?
Goodall: My gut-level reaction, I believe that it's good. When there is nothing in the marketplace, or little at least in terms of national security, this is an excellent document to bring awareness to the issue.

Understanding that the Internet is used not just for business, but by home users, it's become a ubiquitous vehicle for communication and commerce. Add to that the fact that it has no boundaries -- it's a global medium -- people will take advantage of it to not only disrupt business, but life.

[It's unfortunate] it was released as quietly as it was. It got no play in the media; I didn't see it on the television news. One fear is that it will get pulled out and left on a shelf.

So, it's a good first step?
Goodall: It says, 'here's an action plan.' It has plenty of suggestions and ideas, but it stops at that point. It's an excellent first step, and I hope it's the first of many the government and the Department of Homeland Security can act on and weave into public and private industry. It offers hope and concern in that it doesn't take many bold steps and declares you should do x-y-z.

As you dig into the document, there are some other areas of concern. It stresses that it's not just about technology. It talks about education and training as a fundamental step that has to take place. But the document stops with ideas and recommendations. It does not move to action.

For example, at the start of the document, there's a message from President Bush that identifies three fundamental objectives of the strategy. One states we must prevent attacks. You can't do that. We need to build defenses and solutions against attacks. The mindset the document sends out is that you can prevent attacks -- and you cannot. Once you understand the risks, you put the steps in place to protect yourself.

Should the document have made specific mandates, rather than a series of recommendations?
Goodall: I believe that at this moment, it would be ineffective to have regulation and legislation in cyberspace. This is [true] in large part because we have not identified what needs to be secure. I really think this would backfire.

I go back to the auto industry for an example. Since the seat belt laws were enacted in several states, it has had a tremendous impact on making driving safer. But if the law had been passed on Day 1, no one would understand the need for it and it would have been ineffective. Drivers would avoid it, rather than embrace it.

Government needs to invest in the public and private sector and assess where investments need to be made and, in time, add regulatory status to it.

It has been called toothless. But government can put some teeth in it by taking action for itself, by itself... If the private sector sees government taking steps to get its own house in order, it will react. Douglas J. Goodall, Red Siren

Initial drafts of this document were criticized for the lack of regulation and mandates, and the document was labeled 'toothless.' But in other instances, enterprises have made it clear they don't want government involved in regulating business. It seems there's a contradiction there.
Goodall: It has been called toothless. But government can put some teeth in it by taking action for itself, by itself. Government is such a huge consumer of technology from the private sector, which is very competitive. If the private sector sees government taking steps to get its own house in order, it will react.

Now that document is in its final form, what should enterprises do with it?
Goodall: I don't mean to sound Pollyanna-ish, but the first thing they ought to do is read it. That's a concern that I and others have. I highly doubt that many enterprises know it has been published. It was released on Friday, one day ahead of a holiday weekend that was followed up by a major blizzard on the East Coast. I didn't see it on … CBS, for example.

It very silently came into the market. I don't know if it was a blunder or if it was intentional, but its release was clearly unfortunate.

The document needs to be made visible so people can react to it. The question then begs: will industry react to it, or will it take a cyber-version of September 11 to happen for people to react?

FOR MORE INFORMATION:

SearchSecurity.com news exclusive: "Cybersecurity plan heavy on private-public cooperation"

SearchSecurity.com news exclusive: "Bush cybersecurity plan draws mixed reactions"

Download the National Strategy to Secure Cyberspace here (in PDF format)

• FEEDBACK: Does the final version of the National Strategy to Secure Cyberspace have enough teeth for you?
  Send your thoughts to News Editor Michael S. Mimoso.

Digg This!     StumbleUpon     Del.icio.us

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary