AnchorDesk

Why gov't cybersecurity plan promises to disappoint

Robert Vamosi
Senior Editor, Reviews
Thursday, September 12, 2002
On Wednesday, Sept. 18, presidential cybersecurity adviser Richard Clarke will unveil the first draft of the long-awaited National Strategy for Securing Cyberspace (NSSC). Loosely based on feedback from computer users and vendors to 53 questions posted on the White House Web site, the final NSSC report will ultimately make recommendations for making home users, major enterprises, the national infrastructure, and the global Internet more secure.

But don't expect the plan to resolve all our cybersecurity issues. Far from it.

ALREADY THERE ARE several known omissions in the NSSC. Clarke himself has admitted that the proposal will not impose any greater responsibility on the software industry to produce more secure code. Nor will it have any representation from the healthcare industry.

Also, the White House staff went out of its way at security conferences this summer to emphasize that the NSSC will have no enforcement provisions. So we shouldn't expect any strategy for penalizing those who disobey the guidelines outlined in the report.

Another issue that, according to a recent Associated Press report, didn't make it into the proposal: requiring broadband companies to provide their users with firewalls. Clarke believes not doing so is "like selling cars without seatbelts." Currently, only EarthLink provides a firewall service.

NO ONE KNOWS for sure what exactly the report will include until next Wednesday. But to get an idea of Clarke's priorities, I reviewed my notes from his keynote speech at July's Black Hat USA security conference. There, Clarke offered his own thoughts on cybersecurity, independent of the NSSC.

Clarke drew a round of applause from the security professionals in attendance when he said that the software industry "has an obligation to provide software that works." He called upon software makers to ship products with settings for certain options turned off by default. So, for example, Windows would not have SNMP--a service recently found to be vulnerable to attack--automatically enabled.

He also warned the audience not to laugh when Bill Gates says he's working toward Trustworthy Computing. "Rather than reject it, hold him to it," he said.

When it comes to the U.S. government securing the Internet, Clarke likened the Net to the "tragedy of the commons." This is a reference to a 1968 book by Garrett Hardin, in which the commons is any resource shared by a large group of people. As populations grow, such resources become strained. Clarke was implying that the Internet now benefits many people, yet no one wants to take responsibility for it--and if left neglected, it will fall into disarray. He argues that the U.S. government is best suited to develop the new protocols that will be required as the Internet moves from millions to billions of users.

Furthermore, Clarke believes the entire U.S. government could "enforce" greater cybersecurity through its purchasing power. Currently, the Department of Defense can procure products only from vendors who have undergone National Intergovernmental Audit Forum (NIAF) testing. "If the entire government did this," Clarke said, "it would drive security in the software industry."

CLARKE SAVED HIS harshest words for wireless networks. Why, he asked, do vendors continue to sell products that they know aren't secure, or that are so difficult to secure that most people wouldn't bother? He said the Department of Defense bans wireless LANs and makes sure nobody sets up access points anywhere near the DoD's headquarters. According to Clarke, it's pointless for companies to spend money on firewalls, IDS, and VPNs only to allow wireless devices to poke holes through all that security. "We all ought to shut off our WLANs until we know they are secure."

But these are the opinions of one man, not the entire NSSC committee. Given Clarke's tough words at the Black Hat conference, I'm really curious to see the final NSSC document--and see how much vendors influenced it. I, and others in the room at Black Hat, liked what we heard from Clarke. But, based on initial reports, the final NSSC draft already promises to fall well short of that standard.

Still, it's a first step. Already the White House is talking about a second NSSC draft, which could be published as early as January of 2003. So stay tuned.

Do you agree with Clarke's cybersecurity agenda? Is he too tough? Not tough enough? What would you like to see in the NSSC? TalkBack to me!
