http://www.eweek.com/article2/0,3959,541165,00.asp

[While it's a nice start if this was written by a group of computer science students over a six-week period, this is a draft (several months in the works) that barely addresses the major issues faced in information security today. Honestly, I'd love to see a version of this draft not influenced & neutered by industry lobbyists. I am also disappointed not to see any requirements for cable, DSL, & ISPs to provide security software for their users. It would be interesting for the providers to make security a financial issue for their users, by forcing them to pay a premium for NOT running firewall and virus software that doesn't regularly update and scan computers for vulnerabilities. I'd be willing to bet that Joe Six-Pack would be running off to their local CompUSA for a copy of Symantec Internet Security 2002 to save $30 a month on their cable modem bill. :) Finally, the best comment I heard today about this draft was from a Chicago security professional that questioned when the Government started sending out RFCs for National Security. - WK]

-=-

By Caron Carlson and Dennis Fisher
September 18, 2002

The White House on Wednesday released a draft of its cybersecurity plan, a document that many critics are already saying is too tepid and watered-down to have any real effect on the country's network security.

Richard Clarke, chairman of the President's Critical Infrastructure Protection Board, has been planning for several months to release the National Strategy to Secure Cyberspace at a high-level event in Silicon Valley. But the board instead released a draft of the strategy and will go back to private industry and public sector experts to seek more suggestions for the final plan.

The delay was necessary "so that everyone in the country can see it, so that everyone in the country can tell us what the national strategy should be," Clarke said during the announcement of the draft's release at Stanford University in Palo Alto, Calif., Wednesday. There will be a 60-day public-comment period, after which the PCIPB will wade through the suggestions and produce a final version of the strategy, likely by year's end.

In addition to the release of the draft, Clarke also announced the appointment of 27 business, academic, law enforcement and government leaders to the new National Infrastructure Assurance Council. The council will advise President Bush on security matters and will have until Nov. 18 to submit input on the plan. After that input is considered and incorporated, Bush will release the plan himself.

Also, the FBI and the Secret Service announced a new joint task force to improve the investigation of cybercrimes.

The strategy comprises a set of recommendations for improving information security in the public and private sectors and is divided into five levels: home users, large enterprises, critical sectors, national priorities and global. Only the section on the federal government lists any required actions, which critics say reveals one of the key weaknesses of the strategy.

"The hammers in the government are few [regarding the private sector]. How can they compel businesses to adopt these things?" said Ron Sabel, vice president of the public sector at Guardent Inc., a managed security company in Waltham, Mass. "On the commercial side, it's a question of budget and whether they've had a problem in the past and think they're likely to have one in the future."

Howard Schmidt, vice chairman of the PCIPB, acknowledged the strategy's limitations. "This is not about government regulation to achieve cybersecurity. This is not about the government running the Internet," Schmidt said.

The board's goal is to increase government support for the private sector's efforts to secure the Internet. The release of the draft marks an important milestone in the plan's development, as it is the first time the strategy is publicly available. Various people have seen small sections of the draft as it has evolved in recent months, but few have seen the entire document.

The plan was developed in part from suggestions provided by security experts, CEOs and others in several sectors of the economy, including banking and finance, insurance and health care.

As eWEEK first reported in a series of stories beginning last month, the strategy at one time included several controversial elements, including the establishment of a federal network operations center to gather and inspect data traffic from ISPs, a recommendation that businesses disclose their security efforts and the appointment of a national privacy czar to oversee the government's policies and compliance.

Many of the proposals drew sharp criticism from security and privacy experts and industry executives. The White House has since backed away from many of the proposals, including the privacy czar.

The plan was also modified regarding a recommendation that ISPs give consumers personal firewall software when they sign up for broadband Internet service. The service providers complained that supporting millions of users unfamiliar with security technology would be an expensive logistical nightmare.

Security experts say delaying the plan's release is a good move in the long run, but the opportunity for public comment is something that should have come sooner. "They went and solicited information and then compiled it and were going to release it without any more input," said Scott Blake, vice president of information security at BindView Corp., in Houston, Texas. "But at the same time they wanted people to be on board and support it.
Not very many people were going to get on board and support something they haven't read. This is a good thing and it should've been the plan all along."

-
ISN is currently hosted by Attrition.org
This archive was generated by hypermail 2b30 : Thu Sep 19 2002 - 05:25:18 PDT