Cyberspace protection plan gets mixed reviews. (Tech Talk)

President Bush's Draft National Strategy to Secure Cyberspace, which remains open for comment until November 18, has drawn a strong response both from those who feel it is a necessary first step toward national cybersecurity and those who believe the plan's effectiveness has been diluted by industry forces who did not want specific solutions imposed on the market.

One of the plan's strongest points is that it addresses issues of cybersecurity "not through government regulation or government mandates, but through industry-led solutions," says Harris Miller, president of the high-tech lobby Information Technology Association of America (ITAA). That approach is important, he says, because industry owns 85 to 90 percent of the infrastructure that the government and industry are concerned about.

But perhaps more important than the details of the proposal is the mere fact that the government is now acting on this issue, says Scott Blake, CISSP, vice president of information security for BindView, which provides IT-security solutions. "The power of the plan is to bring a level of attention to these issues that we've never had before, and that's great," he says. Blake and Miller both contributed ideas and suggestions to the strategy.

Professor Eugene H. Spafford, director of Purdue University's CERIAS (Center for Education and Research in Information Assurance and Security, an information security R&D center), disagrees. He says the plan lacks teeth and, therefore, won't have any major impact on the security of systems. If the final version of the strategy is to remedy the weakness in this draft, Spafford says, it must address two major issues. "One would be to explicitly remove some of the liability shield from vendors for producing obviously flawed software and selling it to the public," he says. Currently, the strategy only states that the software industry "should consider promoting more secure 'out of the box' installation and implementation of their products."

Spafford continues: "The second would be to actually pass some restrictions on the kind of software that the government can buy and deploy, with penalties against those who do a poor job of it." He says that military officers, as well as civilians, who buy off-the-shelf systems with known vulnerabilities to save money should be disciplined for using systems that are open to attack.

But software vulnerabilities are not the only issue, and the strategy rightly recognizes that, says Kevin Nixon, CISSP, senior director of security business strategy with Internet service provider Exodus. "Corporations can't shop in a vacuum," he says. "They need to take some corporate responsibility as well. Do due diligence and due care, just like you would in purchasing a new business or when you hire a third-party vendor."

The strategy does raise some new ideas that are certain to generate controversy. One recommendation urges the creation of a Cyberspace Network Operations Center (NOC) "to share information and ensure coordination to support the health and reliability of Internet operations in the United States." This government entity would include organizations such as ISPs, hardware/software vendors, IT security companies, and computer emergency response teams.

Nixon and his company are submitting comments on the scope and definition of this NOC. He says the NOC would be helpful in aggregating information and putting out timely warnings, and would also give the public a central place to learn about new cybersecurity risks. "That's the type of early warning system the country needs in order to develop a more comprehensive national strategic plan," he says.

The plan does not mandate actions that must be taken by private enterprises, but it does offer specific suggestions regarding how organizations could ensure better cybersecurity on their private networks. For example, the policy suggests that companies raise responsibility for cybersecurity to the level of the board of directors. The document also recommends that companies form corporate security councils composed of the chief operating officer, chief information officer, chief technology officer, chief security officer, the privacy officer, and the official responsible for physical security. Other suggestions include IT awareness training for all employees, incident response preparations, and regular independent security audits.

The largest set of recommendations in the draft plan is aimed at the federal government's cybersecurity. That's not surprising, Blake says, because the drafters expect the government to become an example of best practices for industry. Richard A. Clarke, who chairs the President's Critical Infrastructure Protection Board (PCIPB), which developed the proposed strategy, "is banking on transforming the federal government's infosec program into the envy of the private sector," says Blake. "If he's successful, it's reasonable to think that the private sector will emulate the public. But he's got a very tough row to hoe."

* To read the complete draft plan and submit comments to the government, go to www.securitymanagement.com, click on "Beyond Print," and scroll to this item in "Tech Talk."