WASHINGTON — As vendors sipped coffee and anticipated the arrival of Homeland Security Director Tom Ridge at the Homeland Security Tech Expo, reaction to the Bush Administration’s draft version of its National Strategy to Secure Cyberspace released Wednesday was one of enthusiasm followed by rueful smiles, winks and nods. Others simply chose to say no comment.
After all, Ridge or Commerce Secretary Donald L. Evans, the sponsor of the event being held here at Washington’s aging, hot and stuffy D.C. Armory, might be walking by at any moment as they inspected the show.
“I can’t comment because I know nothing anything about it,” said one vendor as he hastily put away a newspaper account of the draft report. “Besides, my boss would kill me if I told you what I thought. Look where we are.”
Written by a White House panel headed by Bush cyber security advisor Richard A. Clarke, the plan proposes that businesses and private citizens, not the government, become protectors of the Internet. The draft, which contains a series of suggestions to the private sector, which controls approximately 85 percent of the nation’s IT infrastructure, on how to better secure the country’s network systems from cyber attacks, calls for no government mandates.
“Anything that heightens awareness of the need for better Internet security is good,” said Robert E. Johnson III, president of Cimcor, a Merrillville, Ind.-based network security firm. “The guidelines are useful, but it’s not a law. Without a law, there’s definitely no motivation for them (the private sector) to do anything.”
Johnson said he hoped to see government mandates for “baseline security standards,” including requiring all computer users with exposure to the Internet to install firewalls and businesses to use intrusion detection devices with a method of auditing the intrusions.
Johnson cautioned, however, that neither consumers nor businesses “will see the cost benefit for something like that.”
Gene Barnett, marketing director for Vicksburg, Miss.-based security firm Seventh Knight, agreed with Johnson.
“Without a return on investment, companies are not going to invest in network security,” he said. “They are going to have to be hit and feel the pain. It’s a tradeoff, convenience versus security.”
Barnett, though, said he was glad the Bush plan contained no mandates to the private sector.
“I don’t think mandates would be effective. I’m not sure the government has much of a clue about security,” he said. “They have outdated systems and outdated software. That’s just one man’s opinion.”
David Duncan, president and CEO of Denver-based Encryptx Corp. said, after the obligatory awareness praise, he thought the weakness of the plan was the lack of specifics.
“Awareness without specificity is not that helpful,” he said. “There needs to be a better articulation of needs. As a CEO, I’m always telling my employees don’t bring me a problem without a solution. Ideas without actions are difficult to deal with. Guessing wastes time. What are the actual needs?”
