SecurityFocus 2002-09-18
The White House's strategy to secure cyberspace adopts a hands-off approach. Critics say that's not enough.
Introducing it as the product of an "unprecedented partnership" between the private sector and government, Richard Clarke, chairman of the President's Critical Infrastructure Protection Board (PCIPB), said the National Strategy to Secure Cyberspace is a step towards preventing serious cyber attacks in the future. "On this issue, when we know there are vulnerabilities, and we know some of the solutions, let us work together as a country... to solve these vulnerabilities before there's a major disaster."
Ten months in the making, the 64-page strategy urges home computer users to take responsibility for their own security by purchasing anti-virus software and personal firewalls, and includes scores of other recommendations for businesses, law enforcement and academia. At the same time it carefully avoids any hint of possible regulation, even of critical infrastructure providers like electric utilities and telephone companies. Proposals to establish best practices in cybersecurity, or to create new private sector information sharing organizations, are introduced as ideas that industry "should consider," a phrase that's repeated 74 times in the strategy.
"It is not about government regulation to achieve cybersecurity, rather let the market forces make the changes for us," said Howard Schmidt, vice chair of the PCIPB, and former security chief at Microsoft.
Harris Miller, president of the Information Technology Association of America, called the White House plan "the most comprehensive and serious attempt to date" to address cybersecurity, and praised its hands-off approach. "Industry owns and operates most of these infrastructures and is the natural steward for their safety, working in conjunction with the government."
Public Comments Sought
But other experts call the plan toothless. "There's nothing in it, it's sixty pages of nothing," says Mark Rasch, an independent cybersecurity consultant, and one-time head of the Justice Department's computer crime division. "They were so anxious to keep a consensus that they took out anything that anyone would object to... There isn't a proposal in here that would call for any legislation to enact it, that would require anybody to do anything affirmatively, or punish them for failing to do it."
The draft strategy can be
The two-hour forum introducing the strategy at times had the feel of a slightly overlong awards show, with high-ranking representatives of a variety of government agencies and industries taking turns on the stage to praise the document and the process that produced it, sometimes making their own announcements tied to the event.
FBI director Robert Mueller and U.S. Secret Service director Brian Stafford -- heads of agencies with some historic rivalry -- took podiums on either wing of the stage to deliver a joint talk on the need for better cybersecurity. Handing off to one another like dual presenters at the Oscars, the directors announced the formation of a pilot program to create joint task forces in several cities, with Secret Service and FBI agents working side by side to crack cybercrimes.
The Department of Energy released a guide to securing SCADA systems -- remotely operated equipment that the strategy identifies as a weakness in power and water systems. And the Federal Trade Commission put in a plug for "Dewie the e-Turtle," a Smokey the Bear-like cartoon
