[ISN] Cyber Plan Hitting Home

From: InfoSec News (isnat_private)
Date: Tue Feb 11 2003 - 07:04:06 PST


    By Dennis Fisher
    February 10, 2003 
    When the final version of President Bush's cyber-security plan is 
    released later this month, its success, in large part, will hinge on 
    the willingness of industry to buy into the plan's recommendations.
    The National Strategy to Secure Cyberspace depends heavily on network 
    operators and industry groups sharing with the government information 
    on network attacks, security threats and widespread vulnerabilities. 
    While similar efforts in the past have failed, some industry insiders 
    say there is reason to believe that this time may be different.
    "The strategy is being accepted within the government," said Pete 
    Morrison, director of the public sector at security vendor Netegrity 
    Inc., in Waltham, Mass. "I've seen a new awareness inside the 
    government, and I think when people see that, they [will be] more 
    willing to take it seriously and help with information."
    The centerpiece of the strategy, draft copies of which were reviewed 
    by eWeek last week, is a comprehensive cyber-security response system 
    that relies on contributions from the private sector. The system would 
    utilize a broad information-sharing program both inside and outside 
    the federal government, facilitated by a separate office within the 
    Department of Homeland Security, which the plan also calls for.
    The "infrastructure protection program office," as it is called in the 
    draft, would handle the flow of data between the private sector and 
    the government. The office would also be responsible for determining 
    how to store information regarding critical infrastructure protection 
    that is voluntarily submitted by nongovernment organizations.
    The strategy also recommends that the private sector develop a 
    centralized network operations center "that could operate 24-by-7, to 
    assess Internet health [and] complement the Department [of Homeland 
    Security's] centralized capability and the overall National Cyberspace 
    Security Response System," the draft reads.
    This latest draft is very similar to the final document President Bush 
    approved and signed late last month, according to sources familiar 
    with the process. However, this final version differs greatly from the 
    preliminary draft released for comment by the President's Critical 
    Infrastructure Protection Board in September under the direction of 
    outgoing PCIPB Chairman Richard Clarke.
    That original draft was divided into five sections - covering home
    users and small businesses, large enterprises, critical sectors,
    national priorities, and global issues. The final version is organized
    along five priorities - a national cyberspace security response
    system, a national cyberspace security threat and vulnerability
    reduction program, a national cyberspace security awareness and
    training program, securing governments' cyberspace, and international
    cyberspace security cooperation.
    And where the original draft was heavy on recommendations and 
    suggestions, the final version uses much stronger language, in many 
    cases issuing directives to various government agencies.
    Still, the core of the new plan is cooperation and information 
    sharing - both sensitive subjects for the private sector. Past 
    information-sharing concepts, not sponsored by the government, have 
    centered on organizations such as the industry-specific Information 
    Sharing and Analysis Centers and the FBI's InfraGard. However, these 
    and other plans have lacked a clear definition of the kind of data the 
    government needs and of how it will be handled once it is submitted. 
    Security experts say that this time around, the government would do 
    well to make those distinctions explicit.
    "Sharing information [on vulnerabilities] reveals nothing that would 
    make a company look bad in front of its customers," said Stuart 
    Schechter, a security researcher at Harvard University, in Cambridge, 
    Mass., and co-author of a paper on the benefits of information 
    sharing. "Even revealing that you've seen a vulnerability exploited 
    doesn't reveal that this has resulted in a successful attack. Better 
    statistics on just how many systems are broken into because systems 
    aren't patched would be nice to know - but most of us know where these 
    systems fail. Better numbers on losses from attacks would certainly be 
    However, some security experts are pessimistic about the chances for 
    widespread cooperation.
    "History has shown that unless they're forced to, people won't reveal 
    any information, for obvious reasons," said Avi Rubin, associate 
    professor of computer science and technical director of the 
    Information Security Institute at Johns Hopkins University, in 
    Baltimore. "On the other hand, we still don't have good protective 
    measures yet. They need to allocate more funding to research. They 
    should let those of us who know what we're doing do it."
    * Establishment of an infrastructure protection office for data 
    * Recommendation that the private sector establish a central network 
      operations center to gather security data 
    * Language reserving the government's right to conduct cyber-warfare 
      operations if attacked online 
    * Recommendation that software vendors make their products more 
      secure out of the box
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Tue Feb 11 2003 - 10:48:37 PST