
[infowar.de] WP: Criticism of the Cybersecurity Draft Plan



Infowar.de, http://userpage.fu-berlin.de/~bendrath/liste.html
-------------------------------------------------------------

http://www.washingtonpost.com/ac2/wp-dyn/A35812-2002Sep18?language=printer

Cybersecurity Draft Plan Soft on Business, Observers Say

By Brian Krebs
washingtonpost.com Staff Writer
Thursday, September 19, 2002; 12:00 AM

The Bush administration's draft cybersecurity plan offers plenty of 
recommendations for how home users should protect their systems, but 
critics say intense lobbying from the high-tech industry has pulled 
nearly all the teeth from the plan when it comes to steps the technology 
industry should take.

The White House strategy, unveiled Wednesday at a Stanford University 
gathering attended by government and industry leaders, omits several 
recommendations contained in earlier drafts that prompt industry to take 
more responsibility for Internet security. For example, cut from the 
plan were proposals to ask technology companies to contribute to a 
security research fund and for Internet service providers to bundle 
firewall and other security technology with their service.

White House cybersecurity adviser Richard Clarke said the changes were 
made in the hopes that the IT industry would adopt the recommendations 
voluntarily, instead of being forced to adapt to more government 
regulation. The administration is giving technology firms and the public 
60 days to offer further input on the plan.

But critics say that the changes already made to the plan ask consumers 
to shoulder too much responsibility for improving the nation's 
cybersecurity posture.

"Consumers aren't likely to pay attention to Clarke or this effort, and 
to rely on them is flawed," said Russ Cooper, an executive with 
Reston-based TruSecure Corp. "Most consumers didn't buy a computer to 
become geeks. The majority of them are still trying to learn how to buy 
things from eBay."

Alan Paller, research director of the SANS Institute, said industry has 
not stepped up to do its part.

"They're whining, and that resonates with an administration that is 
business-oriented," he said. "As long as this can be done in 
smoke-filled rooms, then industrial pressure can continue to affect 
national policy."

But Paller said he believes the 60-day public comment period will help 
to show who has worked hardest to weaken the plan.

"The whiners will now have a spotlight shone on them," he said.

The Bush administration's approach to winning cooperation from the 
private sector is loosely based on the model put in place during the 
Clinton administration to prepare critical computer systems for the Y2K 
rollover.

In that effort, the federal government took the lead in fixing its own 
systems, built an effective information-sharing network with the private 
sector, and gave companies an incentive to ready their own systems for 
the date turnover.

But in a departure from the Y2K approach, people involved in assembling 
early drafts of the Bush administration's cybersecurity plan say 
Clarke's team failed to circulate their recommendations among the 
industry officials who were originally solicited for input. When 
industry insiders saw what was to be a final strategy, many balked, 
prompting the administration to cut key recommendations.

The only concrete proposals left in Wednesday's version of the report 
appear to be for the government, said Bill Conner, president and CEO of 
Entrust Inc.

"It looks as though a PhD wrote the government items, but it reads like 
someone a year out of grade school wrote the rest of the plan," he said.

Conner added that the Y2K model fails in today's environment because 
companies no longer have money to throw at security risks as they did 
before 2000.

"It's not enough to just upgrade their infrastructure, because we're in 
different economic times today," he said. "Now more than ever the 
administration needs to prove why this makes good business sense for 
companies."

The administration may need to do more than just worry about how its 
recommendations could affect bottom lines in the business world. As 
officials have discovered, corporations don't want to approve anything 
that might put them on the legal hot seat as well.

Since last year's terrorist attacks, the White House has stepped up an 
aggressive outreach effort to the companies that control 90 percent of 
the nation's critical infrastructures in an attempt to convince them to 
share information on vulnerabilities and attacks with the federal 
government. The majority of more than 80 recommendations in the latest 
cybersecurity draft are aimed at improving communication between the two 
sectors in order to prevent and respond to major cyberattacks.

Yet, many companies remain reluctant to share such information for fear 
of being sued by shareholders or customers when they report flaws.

"Industry does not want to head down the road of tort liability," said 
Jim Dempsey, deputy director of the Center for Democracy and Technology. 
"This has produced for the administration a sort of policy paralysis."

Bruce Schneier, chief technology officer and co-founder of Counterpane 
Internet Security, said that without liability and disclosure 
requirements, the administration's plan will have "absolutely zero effect."

"You really have to ask why CEOs would bother to follow any of these 
recommendations, particularly at a time when most companies' earnings 
are down 20 percent," Schneier said. "The fact is, companies aren't 
rewarded for altruism; they're rewarded by the strength of their stock 
price."

TruSecure's Cooper said Internet service providers and technology 
manufacturers will improve their security practices and the integrity of 
their products only when they are held liable for failing to do so.

"From the looks of what's happening, what we'll get in 60 days will be 
even more watered down and with less teeth," he said.

Phil Lacombe, senior vice president for cyberassurance at 
Arlington-based systems integrator Veridian Inc., said that sharing 
threat information between the private sector and government raises "a 
number of very tricky issues ... and in that regard it is a wise idea to 
get industry's input on the actual wording."

But many business groups - particularly security outfits that cater to 
large entities like the federal government - hailed the latest draft as 
a step in the right direction.

"The more aggressive the federal government is in deploying these 
recommendations the greater likelihood there will be a bleed-through to 
the larger Internet and e-commerce community," said Michael Aisenberg, 
director of public policy for VeriSign, a company that sells digital 
authentication technology.

Christopher G. Caine, vice president of governmental affairs for IBM, 
praised the administration for putting the strategy out for further 
scrutiny, but said those expecting a quick fix from the White House 
should not hold their breath.

"I think the administration is trying to find a balance, one that allows 
for progress to be made in a complex area that involves private and 
public sector organizations that are at very different stages of IT use 
and implementation," Caine said. "It's like Y2K without the clock, and I 
think we all have to understand that cybersecurity is a continuing 
process, not a thing you do and get done with."

© 2002 TechNews.com
