[ISN] Cybersecurity plan on the lite side

From: InfoSec News (isnat_private)
Date: Mon Sep 23 2002 - 01:05:03 PDT

  • Next message: InfoSec News: "[ISN] Linux Advisory Watch - September 20th 2002"

    By Diane Frank 
    Sept. 23, 2002
    The Bush administration's long-awaited plan for protecting the
    nation's critical computer systems from cyberattacks is too weak
    because it does not set specific requirements for federal agencies or
    the private sector to follow, and politics is mostly to blame for the
    watered-down plan, information technology experts say.
    Richard Clarke, chairman of the Critical Infrastructure Protection
    Board, last week released the draft National Strategy to Secure
    Cyberspace for comment at a ceremony at Stanford University, which
    aimed to highlight the partnership between the public and private
    sectors in developing the strategy. The demonstration, however, showed
    the gaps in the draft strategy.
    Most of the recommendations for securing cyberspace are couched in
    terms of "should" and "could," rather than providing specific
    requirements for what IT security equipment agencies must buy or what
    security processes they should follow. For example, the report says
    that the federal CIO Council and relevant agencies should consider
    creating a "cyberspace academy" that could link federal cybersecurity
    and computer forensics training programs. The plan also asks agencies
    and companies to voluntarily secure their systems.
    IT experts said the draft did little to further the debate on securing
    government and private-sector information systems and restates much of
    what federal and private managers already knew. For example, according
    to the draft strategy, "Once one computer or element in the network is
    compromised, it can be used to compromise others."
    The soft language is a result of pressure from industry to remove the
    most stringent and costly recommendations  such as requiring Internet
    service providers to bundle firewalls and other security products with
    their services, an idea that Clarke has pushed for more than a year.  
    What is left is a list of simple recommendations that the private
    sector could follow.
    The administration's strategy to call for voluntary cooperation from
    the private sector is understandable, said a top-level federal IT
    official, who asked not to be named, but the lack of strong language
    in the section of the report outlining what the federal government
    should do came as a surprise.
    "I would think we could be a little more definitive in stating
    requirements for federal agencies," the official said. "I think that
    [the federal government section] needs to be stronger than the others
    because the government needs to be a model."
    Still, the weak language in the industry sections of the draft could
    also affect federal agencies, particularly when it comes to the
    security of products and services procured by the government, experts
    The report makes several recommendations for the federal sector to
    follow (see box), but one of the most concrete steps outlined for the
    government reflects the concerns about how security vulnerabilities in
    commercial products may affect agencies' security.
    To address that concern, the Critical Infrastructure Protection Board
    will lead a review of the National Infrastructure Assurance Program's
    security accreditation process. Under this program, commercial
    security products and services are independently tested to determine
    if they will perform as vendors promise. Defense Department
    organizations are required to buy only those security products and
    services that have gone through the accreditation process, and the
    board's review will examine the possible impact of extending the DOD
    requirement to civilian agencies.
    Industry executives said that because technology changes rapidly, the
    administration's decision to let industry determine the best products
    and security practices was the correct approach.
    The fact that the draft strategy lays out security best practices and
    recommended actions means shareholders and the public will be aware of
    the effort, which should motivate companies to meet those security
    baselines, said Ron Moritz, senior vice president of eTrust security
    solutions at Computer Associates International Inc.
    Government and industry must create a culture of security, where
    security measures are taken as part of good business practices, said
    Michael Aisenberg, director of public policy for VeriSign Inc.
    But self-regulation and market pressure  which the draft highlights
    as the methods by which security will improve in the private sector 
    have not shown much success so far, said Jim Lewis, director of
    technology and public policy at the Center for Strategic and
    International Studies. Considering recent history, "this [approach]
    can't be completely voluntary," he said.
    Many of the basic preventive measures the government wants the private
    sector to take can be accomplished through other means, Lewis said.  
    Laws such as the Gramm-Leach-Bliley Act and the Health Insurance
    Portability and Accountability Act require the financial and health
    care sectors, respectively, to ensure the privacy of personal
    information held in their systems. These laws, by default, led to
    companies enhancing security, Lewis said. Requiring companies to
    report their practices to the Securities and Exchange Commission has
    also been effective, and "little tweaks like that might be enough to
    move us forward," he said.
    The draft is open for comment on the White House Web site until Nov.  
    18, and officials in government and industry predict that changes will
    be made. "This is not a static document.... It's definitely not going
    to stay where it [is]," Moritz said.
    What it says
    Federal information technology experts say the Bush administration's
    recommendations for how agencies should secure critical information
    systems from cyberattacks does not give IT managers enough direction
    and will do little to ensure that the systems are secured.
    The National Strategy to Secure Cyberspace includes the following
    recommendations for the federal government:
    * The CIO Council and relevant agencies should consider creating a
      "cyberspace academy" to link federal cybersecurity and computer
      forensics training programs.
    * The Office of Management and Budget should consider establishing an
      Office of Information Security Support Services within the proposed
      Homeland Security Department to pool security resources from across
      government to support smaller agencies and those with less
      experience with security issues.
    * The government should consider certifying private-sector security
      providers, based on the certifications being performed by the
      national security community. This could lead to limiting contracts
      for security services to certified companies.
    In addition, the Critical Infrastructure Protection Board's Committee
    on Executive Branch Information Systems Security will examine the
    viability of establishing uniform security practices for programs and
    services, categorizing them by high, medium and low levels of risk.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Mon Sep 23 2002 - 03:37:30 PDT