[ISN] Cyber-Security Strategy Depends on Power of Suggestion

From: InfoSec News (isnat_private)
Date: Sat Feb 15 2003 - 00:47:27 PST


    By Jonathan Krim
    Washington Post Staff Writer
    February 15, 2003
    The Bush administration yesterday announced its strategy for
    protecting computer systems from attacks by hackers or terrorists, but
    it backed away from proposals by several security experts for
    government requirements and funding.
    Instead, the plan suggests how individuals, businesses and governments
    can meet the growing threat of cyber-attacks on computer networks.
    "Of primary concern is the threat of organized cyber attacks capable
    of causing debilitating disruption to our nation's critical
    infrastructures, economy or national security," said the plan,
    released by the Department of Homeland Security.
    The plan encourages companies to regularly review their technology
    security plans, and individuals who use the Internet to add firewalls
    and anti-virus software to their systems. It calls for a single
    federal center to help detect, monitor and analyze attacks, and for
    expanded cyber-security research and improved government-industry
    The report is markedly different from early drafts that included
    proposals championed by Richard A. Clarke, who recently resigned as
    President Bush's adviser on cyberspace security. Among them were
    suspending wireless Internet service until security holes were
    addressed, requiring Internet service providers to include firewall
    software and recommending that government agencies use their power as
    major purchasers of computer programs to push software makers to
    improve the security of their products.
    "Leaving it to the vendors is basically the path we've been following
    . . . and the whole reason we have the problems that we have," said
    Eugene H. Spafford, a security expert and professor at Purdue
    University who frequently consults with the government.
    Clarke could not be reached for comment.
    Peter G. Neumann, chief computer scientist with SRI International, a
    nonprofit research group in Silicon Valley, said the recommendations
    were like saying, "If you put duct tape around your computer, you'll
    be secure."
    Technology and telecommunications companies lobbied hard against
    regulation, arguing that the private sector is better qualified to
    develop the most effective security.
    The report was scheduled for release last September but the government
    said more input from industry was needed.
    "It's a wonderful statement of the problem," said Allan Paller,
    director of the SANS Institute, a computer security think-tank and
    education center. "But it's missing some of the best ideas that people
    Paller said that through the various drafts the report went from
    "companies should do something, to companies should consider," and in
    some cases to no recommendations at all.
    Democrats, too, were disappointed.
    "When it comes to cyber-security, we're running at a punch-card pace
    when we need Pentium speed," said Sen. Charles E. Schumer (D-N.Y.),
    who is the Senate Democrats' point man on homeland security. "The
    administration has been working on this proposal for months and should
    have come out with a specific plan of action, not a vague set of broad
    principles that has no money backing it up."
    Of particular concern to computer specialists is pushing the
    technology industry to develop more secure products. "You need much
    stronger stuff, and you can't get it," Neumann said. "There's no
    Among the ideas that were discussed were financial incentives for
    improving security and legal liability for failing to meet basic
    security standards.
    Technology companies supported the report yesterday.
    "The national strategy challenges our traditional focus on technology
    as the 'silver bullet,' and highlights more fundamental behavioral
    matters -- like IT training and certification -- that can make
    America's computer networks safer," said Michael Wendy, policy counsel
    for CompTIA, a technology trade association.
    Sources familiar with discussions between the industry and the
    administration said some tech companies would have supported a more
    concrete plan. But White House advisers held fast to their
    philosophical reluctance to regulate free markets or to impose
    industry standards that might favor one sector over another, the
    sources said.
    Mark D. Rasch, chief security counsel for Solutionary Inc., a computer
    services firm, said the report was an important first step. But
    critical industries such as banking and utilities should be subject to
    mandatory security audits, he said.

    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Sat Feb 15 2003 - 03:11:05 PST