A Cybersecurity Sleeping Pill, 2002-09-23
From a White House given to dramatic warnings of electronic Pearl Harbors comes an incongruously meek national strategy. Did industry lobbyists slip someone a Mickey?
After a huge noise in the media, Clarke and the Bush administration pulled coitus interruptus on its grand September 18 roll out. What was delivered is best described as a muffled, mildly grumbling fart of toothless suggestions for industry and stupidly obvious homilies in government-ese expressing a childishly wishful desire for better national computer security practice.
The official explanation is that the
Perhaps, but as the work of Clarke -- well known during the past few years for the relentless prediction of damnation through viruses and electronic attack and statements saying that those guilty of poor security deserved to be hacked -- it appears to be astoundingly without gravity. No one is flatly told they must do anything -- or else. No feet are held close to the fire. Even aims once aggressively pursued are missing or greatly watered down.
For example, "The National Strategy to Secure Cyberspace" makes no direct mention of the proposal to add an exemption to the Freedom of Information Act in the name of increasing gov-industry information sharing. Instead, there is only a minor wishy-washy allusion to it -- a murmur about assuaging corporate "fear" of public exposure by encouraging Congress to work at removing an "impediment."
Since Clarke has hectored the nation loudly in favor of this regularly for the past four years, seeing it buried for the draft is a bit like witnessing the town prostitute filling out correspondence courses for the Church Universal and Triumphant. You can't help but be surprised by the turn of events but are left wondering whether it's a sham or the case of the Office of Cybersecurity suddenly feeling a twinge of conscience over mandating some more secrecy for government and business.
Instead, the "strategy" is to "empower" users and industry by "raising awareness," "sharing information," "fostering partnerships," "stimulating improvements in technology," "increasing the number of skilled personnel," "investigating and prosecuting cybercrime," "protecting computers," and "promoting increased security." Isn't that just special? Do you know anyone who didn't think "protecting computers" or "investigating cybercrime" were good things five years ago?
In other places, the cyberstrategy cleverly recommends updating anti-virus software regularly and applying patches as needed. It's fair to say that these have now reached maximum saturation as platitudes; repeating infinitely accomplishes nothing.
Other recommendations seem aimed at rendering the reader unconscious through use of acronyms and boilerplate. "The federal government, by 3Q FY03, using the e-Government model ..." and "OMB, in conjunction with the CIO counsel, will determine...whether to employ a lead agency concept..." are two standard examples.
Empty but sort-of tough-sounding declarations are present. North America will be a "Safe Cyber Zone." There is non-sequitur futurism -- "nanotechnology" could "reshape cyberspace and security." And even old, simple good ideas are waffled -- "State and local government should consider expanding training programs," "ISPs should consider adopting a code of good conduct," "states should consider creating Cyber Corps [scholarship programs]."
It is mystifying as to why it should all be so lame.
Looking for clues, one spies in the report the seemingly inescapable recommendation to use the staysafeonline.info website as a source of security learning. It is a place I've criticized previously for "education" that amounts to recommending the purchase of anti-virus software as a duty in the war on terror. On staysafeonline, even a simple Flash on-line lesson comes with an insectile licensing agreement in which the reader must promise to not hold its corporate author liable for anything should the presentation turn out to be rubbish.
Maybe that is the nut of it. In the run-up to September 18, those members of industry involved in contributing to "securing cyberspace" told Richard Clarke to get stuffed, that they wouldn't dig being made responsible for even the most elementary things. Recent media reports indicate Clarke insists this has not been the case.
"The National Strategy to Secure Cyberspace" does contain some discussion of the Code Red and Nimda viruses as well as a classic Clarke-ian scenario: "A terrorist organization [shuts down] the Pacific Northwest electrical grid..." The urgency of action suggested in these sections is totally undermined by the meat of the report.
The Nimda virus, we are informed, was a "wake-up call." The remainder of the "strategy" is a teeming handful of sleeping pills.
