[infowar.de] CSM: Grand federal plans for cybersecurity falter
No new information on the cybersec plan in this Christian Science
Monitor report, but a touch of irony.
from the September 19, 2002 edition -
Grand federal plans for cybersecurity falter
Task force on computer terrorism drops stiff rules, asks individuals to
guard their own corners of cyberspace.
By Mark Sappenfield | Staff writer of The Christian Science Monitor
SAN FRANCISCO - Nearly one year ago, Richard Clarke stood before a
gathering of Silicon Valley business leaders and told them that unless
the lessons of Sept. 11 were heeded, the terror of that day would
someday be repeated on the Internet.
In his first public address as President Bush's adviser on
cybersecurity, Mr. Clarke issued a stark warning: "We still have a
system ... that is vulnerable to sophisticated attacks," he said. "If
done at a time of national security crisis, [they] could lead to
catastrophic damage to our national defense."
Wednesday, Clarke returned to the Bay Area to announce the
administration's response to this challenge, but the mood was
dramatically different. Gone was the Jeremiad of last November, and in
its place was a plan that one industry analyst derided as "worthless."
As airports ask Congress to delay a Dec. 31 deadline for screening all
checked luggage and the TIPS program for citizen surveillance is
trimmed, the cyberplan is a parable of how grand visions of greater
security can be scaled back by practical limitations and Beltway politics.
With the tech economy already broken, Internet providers balked at added
burdens, critics say, and a Republican administration frowned on
creating a new tangle of laws.
The result is a series of well-worn guidelines that, in essence, simply
ask users to pay more attention. Any sterner attempt to impel more
accountability industry-wide, say analysts, has vanished.
"The government is telling every individual that it's up to them to
protect their portion of cyberspace," says Russ Cooper of TruSecure, a
data security company in Herndon, Va.
Among its nearly 60 suggestions, for example, the National Strategy to
Secure Cyberspace says people should devise tougher passwords. It asks
users to get antivirus software. It implores businesses to share
information about hackers. It encourages government officials to do less
of their work on wireless networks, which are less secure.
The hope is that the plan will provide the framework for businesses and
tech companies to increase security on their own. Don't count on it,
says Bruce Schneier.
"If you're the government, and you want people to do something, you pass
a law," says Mr. Schneier of Counterpane, an Internet security company
in Cupertino, Calif. "When push comes to shove, [a CEO] is not going to
do something that puts [the company] at a competitive disadvantage,"
because it costs money.
"Cajoling only does so much," he says.
Yet cajoling is what Clarke is left with. The plan presented Wednesday
is not even the final draft. Technology companies can lobby to reshape
it for another 60 days.
According to sources, the plan has been reshaped a lot already. The
Associated Press reports that an earlier draft asked Internet providers
to give customers security software. Mr. Cooper adds that the government
abandoned an outright ban on using wireless networks after wireless
companies complained that it made them look bad.
The administration denies that corporations have had any influence in
fashioning the plan, but critics say it has gradually become more
friendly to businesses than consumers.
"As time passes, the guidelines get weaker and weaker," says Cooper.
Still, some look at the Internet infrastructure and say it is in
businesses' best interests to invest.
They say hackers - be they enemy nations or terrorists - could cause
chaos. Power grids could be shut down. Internet trading on the stock
markets could be spiked. Entire sections of the e-economy could be upended.
"An attack would not be difficult to launch," says Sushil Jajodia,
director of the Center for Secure Information Systems at George Mason
University in Fairfax, Va. "Because the country is so connected to the
Internet, we now are vulnerable."
Other analysts, though, say the risk of cyberterror is overstated.
Compared with the devastation physical attacks can cause, cyberattacks
would merely be temporary inconveniences, they say.
"I don't see Al Qaeda sitting in their caves talking about how to crash
our pager network," says Cooper.
Instead, these critics would rather the government focus on what they
see as the real threat - economic damage caused by hackers out for an
Internet joy ride.
Computer security cannot be accomplished through a user's antivirus
package, they say. It's done by making Internet service providers and
software companies - either through laws or public pressure - take more
The Code Red worm, which wriggled its way across the Internet through
holes in Microsoft software, cost companies more than $2 billion last
year. Service providers could have shut down the link that fueled the
virus, some say, and Microsoft - while taking steps to patch gaps in its
software - could do more, as well.
"Any recommendation where the home user is expected to do much isn't
going to work," because they can't track all the updates, says Richard
Smith, an Internet security consultant in Cambridge, Mass. "It's a lot
easier to get Microsoft to do something."