Establishing Digital Trust: Don't Sacrifice Security for Convenience
Off the top, a few gut reactions:
The main problem with the National Strategy to Secure Cyberspace is that it tries to do too much. The paper lays out five national priorities: a national security response system, a national threat and vulnerability reduction program, security awareness and training, securing government agencies, and fostering international cooperation on cyber security. Under each priority, naturally, comes a number of additional priorities. There's just no way government can do a credible job at each of these levels, and it readily admits that in many cases it doesn't have the teeth to, since much of the critical infrastructure that needs protecting is in private hands. For all its talk of partnering with industry, the paper provides precious little incentive as to why industry should partner with government.
There are exceptions. One of the many "Actions and Recommendations" in the paper calls for the new Department of Homeland Security to work with the General Services Administration to create a patch clearinghouse for federal government use. This makes infinite sense, given that keeping patches up to date is at the root of lots of security woes. The plan also calls for DHS to share the lessons it learns in that effort and to "encourage" the development of a similar clearinghouse for the private sector. That is a valid role for government, to act as a proving ground for technology and to share its lessons with the masses.
Another action item calls for government to "accelerate procurement" of "programs for highly secure and trustworthy operating systems," should the private sector develop such operating systems, as government says it is "encouraged" to do. Such procurements are, of course, "subject to budget considerations." But still, this is another valid role for government -- to use its considerable buying power to encourage the private sector to invest its research and development dollars.
Education is another area where government should play a role. Here DHS pledges to work with the Department of Education to "encourage and support where appropriate, subject to budget considerations, state, local and private organizations in the development of programs and guidelines for primary and secondary school students in security." This is a wonderful idea, but the "subject to budget considerations" could well scuttle it right out of the gate. In my area (Massachusetts), school departments are doing all they can to keep from laying off teachers in the face of dwindling budgets, thanks to budget cuts that start at the federal level. Given that climate, it strikes me as doubtful that we'll find the dollars to address cyber security education in primary and secondary schools.
But there are far too many "Actions and Recommendations" that fall too far to the "recommendation" side and are so simplistic as to be useless. "Corporations are encouraged to regularly review and exercise IT continuity plans and to consider diversity in IT service providers as a way of mitigating risk." Do we really need government to tell us that?
Another gem: "Large enterprises are encouraged to evaluate the security of their networks that impact the security of the Nation's critical infrastructures." I'll go that one better: Be crazy and evaluate the security of your infrastructure even if it doesn't impact the nation's critical infrastructures. Oh, and colleges and universities are also "encouraged" to secure their cyber systems, too, OK? Good.
I'm hoping that the National Strategy to Secure Cyberspace document is just the start of this discussion. It raises lots of valid points and issues, from the idea that security does require a public-private partnership, to the need to educate consumers and small business owners about their part in keeping their systems from falling prey to those who would use them to do harm. But government needs to take a more targeted approach, one that spells out more clearly what each sector involved in the struggle can and should do.
You'll find the full document here. If you simply must read it, do yourself a favor and start with the appendix that lists the summary of actions and recommendations. I wish I had.
Paul Desmond is president of Paul Desmond Editorial Services (www.pdedit.com), an IT publishing firm in Framingham, Mass. He also serves as editor of eSecurityPlanet.com.