Cybersecurity: No Mandates, Only Ideas

PALO ALTO, Calif. — After nearly a year of testing the waters, the Bush Administration on Wednesday released the first draft of its long-awaited “National Strategy for Securing Cyber Security.”

Written by a White House panel headed by Bush cyber security advisor Richard A. Clarke, this early version of the plan proposes that businesses and private citizens, not the government, become protectors of the Internet.

“The worst case has not happened,” Clarke said before a gathering of business leaders and press at Stanford University. “We’re not creating regulation, not creating mandates. We want to do this through market forces.”

The “recommendations, strategic goals, programs, discussion items and guidance” are aimed at five levels: the home user and small business; large enterprise; sectors of the economy; national issues; and global issues.

The 65-page plan, distributed as a PDF file, incorporates more than 60 separate things that people can do to better protect themselves against online attack, such as changing passwords periodically and using firewalls and antivirus software. The items will be discussed for the next two months through town hall meetings and online debates. Clarke and his team will then present the public comments to the President.

“If we just come up with a government strategy and announce it without participation from the people who have to implement it, we aren’t going to get the level of cooperation and buy-in we need,” said Clarke.

Meantime, companies like AOL, VeriSign and Symantec Corp. have thrown their arms around the proposal.

“There is no perfect plan to assure absolute information security, just as there is no strategy short of grounding the nation’s air fleet to assure absolute airport security,” said Information Technology Association of America president Harris Miller.

Notably absent was Microsoft, whose software continues to be at the center of the majority of cyber attacks. Clarke said his office was relieved that the company admitted it had a problem and seemed to be taking steps to correct itself.

“I’ve been tough on Microsoft,” said Clarke. “Recently, they issued a 30-day stand down and went back and looked back at their code. Mr. Gates has said point blank that security is job one at his company. They’ve also been advocating their Palladium initiative as a better solution. While I can’t say that I’ve seen it, it strikes us as something that is helping solve the problem.”

As recently as last week, the media event was billed as the culmination of almost a year of work by the President’s Critical Infrastructure Protection Board, but it was announced earlier this week that the panel had decided instead to issue its recommendations for a 60-day public comment period.

It’s certainly not the first time the panel has changed its mind. Throughout the summer, the White House has leaked various trial balloons of the plan and then floated new versions of its proposals in response to the feedback. Media outlets have variously reported that the plan would call for an exemption to the Freedom of Information Act that would allow private corporations to share certain vital information with the government, that a privacy czar would be appointed, that an Internet fund financed by the private sector and by tax dollars would be established to improve national computer security, and that restrictions would be imposed on government use of emerging wireless networks.

A broad preview of the plan was given in July during a keynote address by Clarke at the annual Black Hat Conference of Information Technology Professionals in Las Vegas, in which he said the White House would urge more rigorous software development practices, including input from users to disclose vulnerabilities. He said the government is already urging “white hat” hackers to search for security flaws in software, but also wants them to pass information about those flaws only to software vendors and the government, not to the rest of the security community as is common practice today.

Clarke also said the White House would call upon wireless LAN developers to assume greater responsibility for creating more easily securable systems for the notoriously insecure networks. In addition, the administration hopes to apply economic pressure on the wireless LAN industry by urging users to boycott systems that have known security vulnerabilities.

For its part in assuming a leadership role in developing a more secure Internet, Clarke said the White House will mandate that federal agencies use the security products it is encouraging the IT industry to develop, and he said he will recommend massive replacements or upgrades of government systems if developers produce demonstrably more secure products.

Paramount to the White House is for the plan to rally both the private sector and consumers to voluntary compliance. Because the Homeland Security legislation has been almost a year in the making and is still being debated in Congress, the absence of new legislation is an important consideration, particularly given that approximately 85 percent of the nation’s IT infrastructure is in private hands.

Even more sobering, a recent Business Software Alliance (BSA) survey of more than 600 IT professionals found that 60 percent of those surveyed who are directly responsible for their company’s network security believe U.S. businesses are at risk for a major cyber attack in the next 12 months.

The BSA survey concluded that U.S. businesses remain ill-prepared to defend themselves despite increased attention to network security.