[ISN] Cyber-Security Plan Counts on Private Sector's Input

From: InfoSec News (isnat_private)
Date: Tue Feb 04 2003 - 23:16:37 PST


    http://www.eweek.com/article2/0,3959,861870,00.asp
    
    By Dennis Fisher
    February 4, 2003 
    
    The forthcoming final version of the National Strategy to Secure
    Cyberspace will call for a comprehensive cybersecurity response system
    that will depend heavily on contributions from the private sector. The
    system, as described in the most recent draft of the document, will
    rely on a broad information-sharing program both inside and outside
    the federal government, and calls for the establishment of a separate
    office within the Department of Homeland Security to manage the
    information flow between government and industry, according to copies
    of the draft document reviewed by eWEEK.
    
    To facilitate this process, the strategy also recommends that the
    private sector develop one centralized network operations center "that
    could operate 24x7 to assess Internet health [and] complement the
    Department [of Homeland Security's] centralized capability and the
    overall National Cyberspace Security Response System."
    
    The strategy contemplates Homeland Security creating a "single point
    of contact for the federal government's interaction with industry and
    other partners" regarding major security incidents, information
    sharing, analysis, warning and recovery efforts.
    
    All of this would be coordinated by a new "infrastructure protection
    program office" that would handle the two-way flow of data between the
    private sector and the government, according to the draft plan. The
    office would also be responsible for determining how to store
    information regarding critical infrastructure protection that is
    voluntarily submitted by non-government organizations.
    
    Although the strategy repeatedly emphasizes the need to handle such
    data carefully, it also recommends several measures that are sure to
    draw the attention of privacy advocates and civil-liberties
    organizations. Among the directives are a provision requiring the
    Department of Justice to work with the Census Bureau to develop
    "better data about the victims of cybercrime and intrusions."
    
    While there is considerable space given to the need for reducing the
    number of vulnerabilities in software products and in critical
    protocols and systems such as BGP (border gateway protocol), the
    Domain Name System and IP, the strategy makes little mention of how to
    go about fixing these problems, a key shortcoming, security experts
    say.
    
    "As we move to wireless everywhere and universal Web-control of
    appliances, if the government doesn't act quickly, millions of
    unprotected systems will be made available to any attackers who choose
    to use them," said Alan Paller, director of research at The SANS
    Institute in Bethesda, Md. "It is unlikely that more than one million
    are needed for a large-scale sustained DDoS attack that disables most
    Internet traffic."
    
    This most recent draft of the national strategy is considered to be
    very similar to the final document that President Bush approved and
    signed recently, according to sources familiar with the process. The
    strategy is due for release within the next couple of weeks, although
    no exact date has been announced.
    
    The final version of the plan differs greatly from the preliminary
    draft released for comment by the President's Critical Infrastructure
    Protection Board in September under the direction of out-going PCIPB
    director Richard Clarke.
    
    The original draft was divided into five sections covering home users
    and small businesses, large enterprises, critical sectors, national
    priorities and global issues. The final version is organized along
    five cyberspace security priorities: a national cyberspace security
    response system, a national cyberspace security threat and
    vulnerability reduction program, a national cyberspace security
    awareness and training program, securing governments' cyberspace, and
    international cyberspace security cooperation. Where the original
    draft was heavy on recommendations and suggestions, the final version
    uses much stronger language, in many cases issuing directives to
    various government agencies.
    
    The new document also removes much of the language in the original
    draft that advocated using so-called market forces to pressure
    software vendors to make their products more secure. Instead, it
    recommends that "the software industry should consider promoting more
    secure 'out-of-the-box' installation and implementations of their
    products, including increasing user awareness of the security features
    in products, ease-of-use for security functions and where feasible,
    promotion of industry guidelines and best practices that support such
    efforts."
    
    Interestingly, the new version also includes a section discussing the
    need for the United States to be able to respond to cybersecurity
    events in kind.
    
    "When a nation, terrorist group or other adversary attacks the United
    States through cyberspace, the U.S. response need not be limited to
    criminal prosecution," the strategy says. "The United States reserves
    the right to respond in an appropriate manner, including through cyber
    warfare. The United States will be prepared for such contingencies."
    
    Officials of the PCIPB did not return calls seeking comment.
    
    
    