Information Security News mailing list archives

Cybersecurity plan on the lite side


From: InfoSec News <isn () c4i org>
Date: Mon, 23 Sep 2002 03:05:03 -0500 (CDT)

http://www.fcw.com/fcw/articles/2002/0923/news-cyber-09-23-02.asp

By Diane Frank 
Sept. 23, 2002

The Bush administration's long-awaited plan for protecting the
nation's critical computer systems from cyberattacks is too weak
because it does not set specific requirements for federal agencies or
the private sector to follow, and politics is mostly to blame for the
watered-down plan, information technology experts say.

Richard Clarke, chairman of the Critical Infrastructure Protection
Board, last week released the draft National Strategy to Secure
Cyberspace for comment at a ceremony at Stanford University, which
aimed to highlight the partnership between the public and private
sectors in developing the strategy. The demonstration, however, showed
the gaps in the draft strategy.

Most of the recommendations for securing cyberspace are couched in
terms of "should" and "could," rather than providing specific
requirements for what IT security equipment agencies must buy or what
security processes they should follow. For example, the report says
that the federal CIO Council and relevant agencies should consider
creating a "cyberspace academy" that could link federal cybersecurity
and computer forensics training programs. The plan also asks agencies
and companies to voluntarily secure their systems.

IT experts said the draft did little to further the debate on securing
government and private-sector information systems and restates much of
what federal and private managers already knew. For example, according
to the draft strategy, "Once one computer or element in the network is
compromised, it can be used to compromise others."

The soft language is a result of pressure from industry to remove the
most stringent and costly recommendations — such as requiring Internet
service providers to bundle firewalls and other security products with
their services, an idea that Clarke has pushed for more than a year.
What is left is a list of simple recommendations that the private
sector could follow.

The administration's strategy to call for voluntary cooperation from
the private sector is understandable, said a top-level federal IT
official, who asked not to be named, but the lack of strong language
in the section of the report outlining what the federal government
should do came as a surprise.

"I would think we could be a little more definitive in stating
requirements for federal agencies," the official said. "I think that
[the federal government section] needs to be stronger than the others
because the government needs to be a model."

Still, the weak language in the industry sections of the draft could
also affect federal agencies, particularly when it comes to the
security of products and services procured by the government, experts
say.

The report makes several recommendations for the federal sector to
follow (see box), but one of the most concrete steps outlined for the
government reflects the concerns about how security vulnerabilities in
commercial products may affect agencies' security.

To address that concern, the Critical Infrastructure Protection Board
will lead a review of the National Infrastructure Assurance Program's
security accreditation process. Under this program, commercial
security products and services are independently tested to determine
if they will perform as vendors promise. Defense Department
organizations are required to buy only those security products and
services that have gone through the accreditation process, and the
board's review will examine the possible impact of extending the DOD
requirement to civilian agencies.

Industry executives said that because technology changes rapidly, the
administration's decision to let industry determine the best products
and security practices was the correct approach.

The fact that the draft strategy lays out security best practices and
recommended actions means shareholders and the public will be aware of
the effort, which should motivate companies to meet those security
baselines, said Ron Moritz, senior vice president of eTrust security
solutions at Computer Associates International Inc.

Government and industry must create a culture of security, where
security measures are taken as part of good business practices, said
Michael Aisenberg, director of public policy for VeriSign Inc.

But self-regulation and market pressure — which the draft highlights
as the methods by which security will improve in the private sector —
have not shown much success so far, said Jim Lewis, director of
technology and public policy at the Center for Strategic and
International Studies. Considering recent history, "this [approach]
can't be completely voluntary," he said.

Many of the basic preventive measures the government wants the private
sector to take can be accomplished through other means, Lewis said.
Laws such as the Gramm-Leach-Bliley Act and the Health Insurance
Portability and Accountability Act require the financial and health
care sectors, respectively, to ensure the privacy of personal
information held in their systems. These laws, by default, led to
companies enhancing security, Lewis said. Requiring companies to
report their practices to the Securities and Exchange Commission has
also been effective, and "little tweaks like that might be enough to
move us forward," he said.

The draft is open for comment on the White House Web site until Nov.
18, and officials in government and industry predict that changes will
be made. "This is not a static document.... It's definitely not going
to stay where it [is]," Moritz said.

***

What it says

Federal information technology experts say the Bush administration's
recommendations for how agencies should secure critical information
systems from cyberattacks do not give IT managers enough direction
and will do little to ensure that the systems are secured.

The National Strategy to Secure Cyberspace includes the following
recommendations for the federal government:

* The CIO Council and relevant agencies should consider creating a
  "cyberspace academy" to link federal cybersecurity and computer
  forensics training programs.

* The Office of Management and Budget should consider establishing an
  Office of Information Security Support Services within the proposed
  Homeland Security Department to pool security resources from across
  government to support smaller agencies and those with less
  experience with security issues.

* The government should consider certifying private-sector security
  providers, based on the certifications being performed by the
  national security community. This could lead to limiting contracts
  for security services to certified companies.

In addition, the Critical Infrastructure Protection Board's Committee
on Executive Branch Information Systems Security will examine the
viability of establishing uniform security practices for programs and
services, categorizing them by high, medium and low levels of risk.
