The Bush administration released a draft copy of the plan this week, calling for critiques and comments from the IT industry, as well as from consumers, over the next two months. After that an official version of the security strategy will be finalized.
But the much-ballyhooed, and long-awaited plan showed up as a list of recommendations -- suggestions for companies, IT vendors, consumers and government agencies to tighten their own security. Richard Clarke, the administration's senior advisor on cybersecurity and Howard Schmidt, the next in line, put the emphasis on voluntary improvements in IT security, saying every American should secure the part of cyberspace that he or she is responsible for.
"There's no teeth in this thing," says Dan Woolley, a vice president at Reston, Va.-based SilentRunner Inc., a network security company. "It's going to be very difficult to get people to move behind it. People are focused on the bottom line...and they'll look at this and say, 'That's nice but who's going to pay for it?' This has been heralded as a list of security priorities and how they were going to get done. I don't see any of that here."
"The government is telling us that industry and the private sector need to work together," says Jeff Leeds, director of product marketing at Gilian Technologies Inc., a Web site security firm based in Redwood City, Calif. "Every company out there needs to be thinking about their own cyberspace. They can't expect the government to do this for them."
While Woolley isn't pining for a long string of government regulations that would sap his IT budget dry, he does wish the final version of the plan would have some backbone to it.
"There is a specific role that some branch of government should have responsibility for," says Woolley. "Nobody is taking ownership. Shouldn't Congress and government be taking a role in coming up with rules-of-the-road for action and protection? Nobody is putting a stake in the ground and saying that they have the five most important things to be done, we're going to get them through Congress and here's where we're getting the funding for them."
What the draft does say is that the federal government's role is that of liaison -- facilitating partnerships between the private and public sector, facilitating knowledge sharing between security professionals and fostering awareness and security education.
Government is calling on the IT sector to step up to the plate and take of its own networks, produce more secure products and share information about vulnerabilities, viruses and worms and new tools. Here's what the cybersecurity plan is asking of IT:
The draft is a good starting point, according to Bob Cohen, senior vice president of the Information Technology Association of America (ITAA), a Virginia-based U.S. IT trade association.
"We think recommendations are the way to go," says Cohen. "When you think about information security and the threats out there, it's a moving target. It's difficult to regulate in that kind of environment. It's about being aware. Practicing cyber hygiene."
Cohen says he's not completely happy with the strategy but declined to say which part he is unhappy with.
Michael Rasmussen, an analyst with Giga Information Group and vice president of marketing for the Information Systems Security Association (ISSA), says this draft will aid network security if it proves to be the first step down a long road. If this strategic plan doesn't grow into something else, then there will be little to show for the time and money that went into drafting it.
"It's a strategy. It's not a plan," says Rasmussen, who worked with the ISSA to make contributions to the draft. "The weight is on our government to make a plan out of it. Strategy is nice, but if you have no plan to accomplish the things you're strategizing, we're not going to get anywhere."
Rasmussen says he expects to see cybersecurity legislation. He also expects that regulator agencies, which oversee economic sectors such as utilities and health care, probably will adopt regulations and mandates of their own.
"They're not going to say, 'Here are regulations for everybody.' We won't see broad, sweeping regulations but different regulatory agencies can perhaps take it upon themselves to implement these things in the industries they regulate."
Comments can be made about the draft via www.securecyberspace.gov.