[ISN] Critics Rap Bush Cyber-Security Plan

From: InfoSec News (isnat_private)
Date: Thu Sep 19 2002 - 02:41:30 PDT


    http://www.eweek.com/article2/0,3959,541165,00.asp
    
    [While it's a nice start if this was written by a group of computer
    science students over a six-week period, this is a draft (several
    months in the works) that barely addresses the major issues faced in
    information security today. Honestly, I'd love to see a version of
    this draft not influenced & neutered by industry lobbyists.
    
    I am also disappointed not to see any requirements for cable, DSL, &
    ISPs to provide security software for their users. It would be
    interesting for the providers to make security a financial issue for
    their users, by forcing them to pay a premium for NOT running
    firewall and virus software that doesn't regularly update and scan
    computers for vulnerabilities. I'd be willing to bet that Joe Six-Pack
    would be running off to their local CompUSA for a copy of Symantec
    Internet Security 2002 to save $30 a month on their cable modem bill. :)
    
    Finally, the best comment I heard today about this draft was from a
    Chicago security professional that questioned when the Government
    started sending out RFCs for National Security.  - WK]
    
    
    -=-
    
    
    By Caron Carlson and Dennis Fisher 
    September 18, 2002 
    
    The White House on Wednesday released a draft of its cybersecurity 
    plan, a document that many critics are already saying is too tepid and 
    watered-down to have any real effect on the country's network 
    security. 
    
    Richard Clarke, chairman of the President's Critical Infrastructure 
    Protection Board, has been planning for several months to release the 
    National Strategy to Secure Cyberspace at a high-level event in 
    Silicon Valley. But the board instead released a draft of the strategy 
    and will go back to private industry and public sector experts to seek 
    more suggestions for the final plan. 
    
    The delay was necessary "so that everyone in the country can see it, 
    so that everyone in the country can tell us what the national strategy 
    should be," Clarke said during the announcement of the draft's release 
    at Stanford University in Palo Alto, Calif., Wednesday. There will be 
    a 60-day public-comment period, after which the PCIPB will wade 
    through the suggestions and produce a final version of the strategy, 
    likely by year's end. 
    
    In addition to the release of the draft, Clarke also announced the 
    appointment of 27 business, academic, law enforcement and government 
    leaders to the new National Infrastructure Assurance Council. The 
    council will advise President Bush on security matters and will have 
    until Nov. 18 to submit input on the plan. After that input is 
    considered and incorporated, Bush will release the plan himself. 
    
    Also, the FBI and the Secret Service announced a new joint task force 
    to improve the investigation of cybercrimes. 
    
    The strategy comprises a set of recommendations for improving 
    information security in the public and private sectors and is divided 
    into five levels: home users, large enterprises, critical sectors, 
    national priorities and global. Only the section on the federal 
    government lists any required actions, which critics say reveals one 
    of the key weaknesses of the strategy. 
    
    "The hammers in the government are few [regarding the private sector]. 
    How can they compel businesses to adopt these things?" said Ron Sabel, 
    vice president of the public sector at Guardent Inc., a managed 
    security company in Waltham, Mass. "On the commercial side, it's a 
    question of budget and whether they've had a problem in the past and 
    think they're likely to have one in the future." 
    
    Howard Schmidt, vice chairman of the PCIPB, acknowledged the 
    strategy's limitations. 
    
    "This is not about government regulation to achieve cybersecurity. 
    This is not about the government running the Internet," Schmidt said. 
    The board's goal is to increase government support for the private 
    sector's efforts to secure the Internet. 
    
    The release of the draft marks an important milestone in the plan's 
    development, as it is the first time the strategy is publicly 
    available. Various people have seen small sections of the draft as it 
    has evolved in recent months, but few have seen the entire document. 
    
    The plan was developed in part from suggestions provided by security 
    experts, CEOs and others in several sectors of the economy, including 
    banking and finance, insurance and health care. 
    
    As eWEEK first reported in a series of stories beginning last month, 
    the strategy at one time included several controversial elements, 
    including the establishment of a federal network operations center to 
    gather and inspect data traffic from ISPs, a recommendation that 
    businesses disclose their security efforts and the appointment of a 
    national privacy czar to oversee the government's policies and 
    compliance. Many of the proposals drew sharp criticism from security 
    and privacy experts and industry executives. 
    
    The White House has since backed away from many of the proposals, 
    including the privacy czar. The plan was also modified regarding a 
    recommendation that ISPs give consumers personal firewall software 
    when they sign up for broadband Internet service. The service 
    providers complained that supporting millions of users unfamiliar with 
    security technology would be an expensive logistical nightmare. 
    
    Security experts say delaying the plan's release is a good move in the 
    long run, but the opportunity for public comment is something that 
    should have come sooner. 
    
    "They went and solicited information and then compiled it and were 
    going to release it without any more input," said Scott Blake, vice 
    president of information security at BindView Corp., in Houston, 
    Texas. "But at the same time they wanted people to be on board and 
    support it. Not very many people were going to get on board and 
    support something they haven't read. This is a good thing and it 
    should've been the plan all along." 
    
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    


