
US Cyber Security Strategy Full of Holes

U.S. Cyber Security Strategy: Still Full of Holes

Center for Defense Information, October 16, 2002,

Following publication of its National Strategy for Homeland Security,
the administration of U.S. President George W. Bush, as promised,
released on Sept. 18, 2002, a new National Strategy to Secure
Cyberspace, albeit in draft form. The new document will be subject to a
60-day comment period, after which it will be revised and submitted to
the president for final approval. It lists recommendations for
security actions by several vested parties, including home and small
business computer users, large enterprises, and government and
educational users. It provides, like its predecessors, a list of
suggested 'best practices' and proposals to improve technology security
in a
variety of venues, from homes and small business to government and large

Perhaps the most useful recommendation is in the areas of corporate
security improvements, where the strategy calls for board-level
accountability for information security, proper security administration,
and better integration and alignment of information security with
senior management and business goals. This provides innovative guidance
that can be implemented fairly easily by corporations.

However, overall, the new strategy is similar to innumerable previous
reports on cyber security, such as the Clinton administration's
"National Plan for Information Systems Protection" from 2000, and the
President's Commission on Critical Infrastructure Protection
Report from 1996. Like those documents, the draft strategy describes a
society that has grown increasingly dependent on networked
computer systems, and thus increasingly vulnerable to cyber terrorists,
hackers and destructive computer programs like viruses and worms.

The Bush draft, prepared by the President's Critical Infrastructure
Protection Board (PCIPB), an Oval Office entity that brings together
various agency and department heads to discuss critical infrastructure
protection, calls, as predicted, on every American who depends on
cyber space to "secure that part they own or for which they are
responsible." The White House is correct when it says, "The federal
government alone cannot secure cyber space." While the networked world
may have started many decades ago as a result of research
funded by the Defense Advanced Research Projects Agency, it long ago
passed into the realm of the private sector, which owns the vast
bulk of the servers, routers and software on which cyber space depends.
As the draft strategy notes, "approximately 85 percent of the
nation's critical infrastructure facilities are owned and operated by
the private sector, and many critical government operations depend on
these private facilities."

But given the challenges, charging users to be responsible for security
is easier said than done. And the new draft strategy is not all that
much help. The current draft is a mishmash of goals and recommendations;
24 strategic goals and 86 recommendations to be exact. And
unfortunately, it provides no guidance on priorities.

Among the negatives is the fact that while the draft strategy spends a
great deal of time talking about how various federal agencies should
work with their counterparts in the private sector, there is no mention
of coordination among the agencies themselves. Considering that the
proposed Department of Homeland Security is to include the FBI's
National Infrastructure Protection Center, Commerce's Critical
Infrastructure Assurance Office and Computer Security Division, GSA's
Federal Computer Information Response Center, the Defense
Department's National Communications System, and the Energy Department's
National Infrastructure Simulation and Analysis Center, that
is a serious omission.

Another strike is that the draft strategy makes it clear that it is to
serve not as a "federal government prescription" but as a "participatory
process" to develop America's national information security environment
with the private sector, and that the Bush administration believes
that a hands-off policy is the correct way to work with private firms
and individuals. Unfortunately, what is currently needed is a mandate
on what must be done (and by when) to improve federal information
security, not another list of things that "should" be done but most
will not be.

Indeed, the new draft strategy differs little from previous documents in
citing the need for better systems security but failing to ensure that
there is action. As a first step for obtaining the voluntary cooperation
of the private sector, government needs to police itself first.

At a minimum, the government should turn to regulation. The strategy
itself calls for it "in the face of material failure of the market to
the health, safety, or well-being of the American people."

In this regard it is worth noting that 40 percent of nearly 700
information technology (IT) professionals surveyed by CNET Networks said
they would prefer the government to take an "active and aggressive role
in defending cyber space." Respondents made recommendations
on how the government might increase its involvement in cyber security,
including passing cyber security legislation, "more vigorous
enforcement of existing laws...[new] national policies, [establishing]
new agencies to govern cyberspace and all aspects of security, [and
providing] more robust funding for R&D."

The strategy does not seem to recognize that the very way networked
computing technology is currently developed and sold is utterly
contrary to the establishment of rational computer security. Reasonable
computer security requires product stability and a good knowledge
of the vulnerabilities that already exist in a well-defined, not
completely open-ended, computing environment. Software developers, for
example, must give security far greater priority when writing software.
Industry leader Microsoft acknowledged as much back in January,
when Bill Gates issued a company-wide memo, stressing that Microsoft
must now focus on security rather than features when writing

Software and hardware developers and sellers, following the Microsoft
business model, up to now have been working under the
assumption that there is little profit in marketing products that remain
stable or unchanged for years. Instead, updates are always the rule of
the day. Software updates are routine, emerging, at the longest, every
six months, at the shortest, every few weeks. This has created a
world in which it is impossible to keep track of all the security holes
in software and hardware. The situation is that the technology business
abhors real product stability because it cuts the potential for
moneymaking and selling new products. Computer security in this
has been, and largely continues to be, merely an add-on.

This is obvious from the security products that are being marketed:
after-the-fact firewalls, filters and flavors of anti-virus detection,
are add-ons and that require updating themselves as soon as the
underlying operating system or application software is amended or

As it stands, the Internet tech culture that exists, one in which
everyone is always rushing out to vendor sites to download the newest
is monumentally difficult to provide rational and measured computer
security to. When security becomes something you have to download,
instead of being there to begin with, you know you have a problem.

But better security is not just a matter of improved software, desirable
as that is. Much of what constitutes the "cyber threat" comes down
to the poor management of critical infrastructure systems. Networked
computer systems have the potential to be remotely compromised
by unauthorized persons for any number of malicious purposes. Remedying
these security problems is a job for information security
professionals, not counter-cyberterror experts, or even Chief
Information Officers (CIOs), who are often just another corporate
with no understanding of the issue.

Such a response requires a dispassionate and rational understanding of
the real threats. It requires that systems administrators and their
executive management be given the resources to properly ensure the
security of their systems. It requires that end users are educated about
the information security threats and how to protect against them.

It is worth remembering that IT security and product stability are not
mutually exclusive concepts. Better security, in the long run, will make
a product that can't be exploited and, hence, will have more appeal to
the consumer. Thus, strengthening one will fix the other.

Other cyber security measures that make sense include:

    Recognizing that network systems, like everything else, will
    eventually fail. Therefore, they should be constructed with
    redundant capability.

    Educating managers and CIOs, as well as tech developers, support
    staff and others, on computing vulnerability.

    Making sure that the security tools used are properly maintained. In
    other words, it is not enough to merely install anti-viral software.
    One has to be sure to download the updates when they come out.

Precisely because so much of the critical computing infrastructure is in
the private sector, there is little incentive for change. Integrating
security functions into software, hardware and networks takes time, is
expensive and cuts into profits. Only government, by virtue of its
obligation to provide for the common defense, is in a position to demand
change. But to do so, it will have to get its own house in order.

In that regard, Richard Clarke, head of the President's Critical
Infrastructure Protection Board, should be relying not on top-level
corporate officials as advisers but on true IT professionals. Similarly,
private sector firms need to appoint Chief Technology Officers from
among the IT, not the corporate, ranks.

Finally, similar to what it has done in the aviation sector, government
needs to set deadlines for improving security. As a start, Clarke's
office should mandate that each government agency must do an audit of
its IT systems within 6 months. Agencies should then be given 12
to 18 months to fix whatever problems are discovered. The fixes should
be pegged to concrete, specific, measures of effectiveness.

By taking such action, government would be leading by example, and thus
would be better positioned to demand similar measures from the
private sector.


A National Strategy to Secure Cyberspace

Partnership for Critical Infrastructure Security

Stay Safe Online

National Infrastructure Protection Center


David Isenberg
Independent Consultant