[infowar.de] WP: Kritik am Cybersecurity Draft Plan
Infowar.de, http://userpage.fu-berlin.de/~bendrath/liste.html
-------------------------------------------------------------
http://www.washingtonpost.com/ac2/wp-dyn/A35812-2002Sep18?language=printer
Cybersecurity Draft Plan Soft on Business, Observers Say
By Brian Krebs
washingtonpost.com Staff Writer
Thursday, September 19, 2002; 12:00 AM
The Bush administration's draft cybersecurity plan offers plenty of
recommendations for how home users should protect their systems, but
critics say intense lobbying from the high-tech industry has pulled
nearly all the teeth from the plan when it comes to steps the technology
industry should take.
The White House strategy, unveiled Wednesday at a Stanford University
gathering attended by government and industry leaders, omits several
recommendations contained in earlier drafts that prompt industry to take
more responsibility for Internet security. For example, cut from the
plan were proposals to ask technology companies to contribute to a
security research fund and for Internet service providers to bundle
firewall and other security technology with their service.
White House cybersecurity adviser Richard Clarke said the changes were
made in the hopes that the IT industry would adopt the recommendations
voluntarily, instead of being forced to adapt to more government
regulation. The administration is giving technology firms and the public
60 days to offer further input on the plan.
But critics say that the changes already made to the plan ask consumers
to shoulder too much responsibility for improving the nation's
cybersecurity posture.
"Consumers aren't likely to pay attention to Clarke or this effort, and
to rely on them is flawed," said Russ Cooper, an executive with
Reston-based TruSecure Corp. "Most consumers didn't buy a computer to
become geeks. The majority of them are still trying to learn how to buy
things from eBay."
Alan Paller, research director of the SANS Institute, said industry has
not stepped up to do its part.
"They're whining, and that resonates with an administration that is
business-oriented," he said. "As long as this can be done in
smoke-filled rooms, then industrial pressure can continue to affect
national policy."
But Paller said he believes the 60-day public comment period will help
to show who has worked hardest to weaken the plan.
"The whiners will now have a spotlight shone on them," he said.
The Bush administration's approach to winning cooperation from the
private sector is loosely based on the model put in place during the
Clinton administration to prepare critical computer systems for the Y2K
rollover.
In that effort, the federal government took the lead in fixing its own
systems, built an effective information-sharing network with the private
sector, and gave companies an incentive to ready their own systems for
the date turnover.
But in a departure from the Y2K approach, people involved in assembling
early drafts of the Bush administration's cybersecurity plan say
Clarke's team failed to circulate their recommendations among the
industry officials who were originally solicited for input. When
industry insiders saw what was to be a final strategy, many balked,
prompting the administration to cut key recommendations.
The only concrete proposals left in Wednesday's version of the report
appear to be for the government, said Bill Conner, president and CEO of
Entrust Inc.
"It looks as though a PhD wrote the government items, but it reads like
someone a year out of grade school wrote the rest of the plan," he said.
Conner added that the Y2K model fails in today's environment because
companies no longer have money to throw at security risks as they did
before 2000.
"It's not enough to just upgrade their infrastructure, because we're in
different economic times today," he said. "Now more than ever the
administration needs to prove why this makes good business sense for
companies."
The administration may need to do more than just worry about how its
recommendations could affect bottom lines in the business world. As
officials have discovered, corporations don't want to approve anything
that might put them on the legal hot seat as well.
Since last year's terrorist attacks, the White House has stepped up an
aggressive outreach effort to the companies that control 90 percent of
the nation's critical infrastructures in an attempt to convince them to
share information on vulnerabilities and attacks with the federal
government. The majority of more than 80 recommendations in the latest
cybersecurity draft are aimed at improving communication between the two
sectors in order to prevent and respond to major cyberattacks.
Yet, many companies remain reluctant to share such information for fear
of being sued by shareholders or customers when they report flaws.
"Industry does not want to head down the road of tort liability," said
Jim Dempsey, deputy director of the Center for Democracy and Technology.
"This has produced for the administration a sort of policy paralysis."
Bruce Schneier, chief technology officer and co-founder of Counterpane
Internet Security, said that without liability and disclosure
requirements, the administration's plan will have "absolutely zero effect."
"You really have to ask why CEOs would bother to follow any of these
recommendations, particularly at a time when most companies' earnings
are down 20 percent," Schneier said. "The fact is, companies aren't
rewarded for altruism; they're rewarded by the strength of their stock
price."
TruSecure's Cooper said Internet service providers and technology
manufacturers will improve their security practices and the integrity of
their products only when they are held liable for failing to do so.
"From the looks of what's happening, what we'll get in 60 days will be
even more watered down and with less teeth," he said.
Phil Lacombe, senior vice president for cyberassurance at
Arlington-based systems integrator Veridian Inc., said that sharing
threat information between the private sector and government raises "a
number of very tricky issues ... and in that regard it is a wise idea to
get industry's input on the actual wording."
But many business groups - particularly security outfits that cater to
large entities like the federal government - hailed the latest draft as
a step in the right direction.
"The more aggressive the federal government is in deploying these
recommendations the greater likelihood there will be a bleed-through to
the larger Internet and e-commerce community," said Michael Aisenberg,
director of public policy for VeriSign, a company that sells digital
authentication technology.
Christopher G. Caine, vice president of governmental affairs for IBM,
praised the administration for putting the strategy out for further
scrutiny, but said those expecting a quick fix from the White House
should not hold their breath.
"I think the administration is trying to find a balance, one that allows
for progress to be made in a complex area that involves private and
public sector organizations that are at very different stages of IT use
and implementation," Caine said. "It's like Y2K without the clock, and I
think we all have to understand that cybersecurity is a continuing
process, not a thing you do and get done with."
© 2002 TechNews.com
---------------------------------------------------------------
To leave the list: send mail to infowar - de-request -! - infopeace - de
with "unsubscribe" in the message body.