Interesting People mailing list archives
2 on National security
From: Dave Farber <dave () farber net>
Date: Fri, 20 Sep 2002 21:34:15 -0400
------ Forwarded Message
From: Declan McCullagh <declan () well com>
Reply-To: declan () well com
Date: Fri, 20 Sep 2002 07:33:14 -0700
To: politech () politechbot com
Cc: JALewis () csis org
Subject: FC: CSIS' James Lewis replies to Politech on WH cybersecurity report

Previous Politech message:

"Defense hawks bash White House report, want new laws, regulations"
http://www.politechbot.com/p-03999.html

James Lewis was one of the two CSISers I quoted in that article as wanting more laws. He had said: "Cybersecurity is too tough a problem for a solely voluntary approach to fix. Companies will only change their behavior when there are both market forces and legislation that cover security failures. Until the U.S. has more than just voluntary solutions, we'll continue to see slow progress in improving cybersecurity."

-Declan

---

Date: Fri, 20 Sep 2002 10:16:33 -0400
From: "James Lewis" <JALewis () csis org>
To: <declan () well com>
Subject: Defense Hawks bash, etc

Declan:

I actually think the National Strategy is very strong, but I question the heavy reliance on voluntary action and self-regulation. Politech readers might want to look at the section (460 words) from a draft report that I pasted below. It outlines ideas on regulation as an incentive for cybersecurity.

Thanks,

Jim Lewis

***

In a perfect market, the private sector would purchase adequate security and firms would offer the products needed for it. This has not been the case. While some industry sectors (such as financial services) have moved to increase security, other sectors may not improve absent increased incentives. Despite arguments that market forces and the evolution of the IT industry will improve security voluntarily, we must ask if cybersecurity, as with health, environmental, or safety issues, requires further government intervention.

Government intervention could include direct or indirect subsidies for cybersecurity spending, i.e. tax relief, R&D funding, or the use of Federal purchases to promote more secure products. It could also include reinsurance subsidies (the U.S. provides reinsurance for natural catastrophes) in exchange for insurers' adherence to cybersecurity standards such as ISO 17799. Continued exhortation by government officials for the private sector to voluntarily take action is a form of intervention that occasionally is effective.

Governments can also use law and regulation as incentives to encourage certain behaviors. Legislation and regulation (or even the threat of legislation and regulation) will energize the private sector to move faster in cybersecurity. Regulation should avoid a heavy-handed, prescriptive approach and instead aim to increase transparency and assign responsibility, leaving it up to individuals as to how best to meet requirements. The Health Insurance Portability and Accountability Act of 1996 and the Gramm-Leach-Bliley Financial Reform Act, by creating responsibility for privacy (and consequently security), worked to increase awareness and demand for security products and are useful (but not perfect) models of this.

While security is an ongoing problem and Y2K was a single event, Y2K may also be a model on how regulation can energize private sector behavior for cybersecurity. The primary function of government in Y2K was as an organizer and educator. The Y2K effort gathered and disseminated information, organized multinational networks, shared information on best practices and worked through public-private partnerships to raise awareness. However, regulatory action by the Securities and Exchange Commission and by banking regulators also played a galvanizing role in Y2K preparations. Companies had to show publicly and to their regulators that they had taken adequate steps to protect against Y2K disruption. Similar SEC requirements for companies to report the steps they are taking to protect themselves from cyber attack would improve network security.

Internet policy problems challenge governments' ability to carry out their functions. Traditional governmental responses, such as prescriptive regulation, will not create cybersecurity, but neither will a reliance on self-regulation and voluntary action. One solution may be a new style of governance built on explicit public-private partnerships. Defining the scope of these partnerships and the responsibilities of each partner requires that we identify places where the market response is weak as candidates for government action, and which government actions (if any) would be an appropriate response.

And

------ Forwarded Message
From: Declan McCullagh <declan () well com>
Reply-To: declan () well com
Date: Fri, 20 Sep 2002 10:45:32 -0700
To: politech () politechbot com
Subject: FC: Bush releases "National Security Strategy" -- no Internet mention

Is it just me or does this document seem a little strange:
http://www.whitehouse.gov/nsc/nss.pdf

There's no mention of the Internet, cybersecurity, or even "information warfare." Coming just two days after the highly-touted "cybersecurity strategy" (http://www.whitehouse.gov/pcipb/cyberstrategy-draft.pdf), this could be seen as a rebuke to Clarke's handling of it. Or perhaps Wednesday's report was seen as simply irrelevant.

Remember how the Clarke draft report talked up the topic: "Cyberspace is essential to both homeland security and national security; its security and reliability support the economy, critical infrastructures, and national defense."

If it's so essential, then why isn't it part of the official National Security Strategy? That document talks about agricultural aid, public health threats like AIDS, and improving third world literacy rates -- you'd think "cybersecurity" might rate a mention.

-Declan

---

THE WHITE HOUSE
Office of the Press Secretary

FOR IMMEDIATE RELEASE
September 20, 2002

STATEMENT BY THE PRESS SECRETARY

Today President Bush submitted to Congress the National Security Strategy of the United States as required by the Goldwater-Nichols Defense Department Re-Organization Act of 1986. The president's national security strategy reflects the union of our values and our national interest. This strategy states that the safety and security of America is the first and fundamental commitment of our government. America must always stand for and protect the universal values on which it was founded. To this end, President Bush makes clear that the United States will use its position of strength and influence in the world to defend, preserve, and extend the peace.

The full text of the National Security Strategy can be accessed at www.whitehouse.gov.

###