[infowar.de] eWeek: Cyber Plan's Future Bleak
Infowar.de, http://userpage.fu-berlin.de/~bendrath/liste.html
-------------------------------------------------------------
http://www.eweek.com/article2/0,3959,901382,00.asp
February 24, 2003
Cyber Plan's Future Bleak
By Dennis Fisher
A lack of focus and leadership within the federal government's security
community makes it unlikely that many of the initiatives in the recently
released National Strategy to Secure Cyberspace will ever be implemented,
security experts and Washington insiders say.
And, as the strategy centers on improving security inside the Beltway—a
major shift from early drafts of the plan with few incentives for the
private sector—critics say sweeping changes in the overall state of network
security are also unlikely as a result.
"This looks like another great attempt by the government to say, 'We're here
to help you.' But so what," said Scott Blake, vice president of information
security at BindView Corp., based in Houston. "They have to pretend they
know what they're talking about, even though they clearly don't. What
resources they'll put behind [the strategy] is questionable."
The new Department of Homeland Security is slated to bear much of the
responsibility for carrying out the strategy, which was released with little
fanfare Feb. 14. But without a person in the top information security post
of the DHS (it has yet to be filled), and with the imminent departure of the
plan's architect and chairman of the President's Critical Infrastructure
Protection Board, Richard Clarke, the strategy lacks a strong, high-profile
sponsor within the government.
Washington insiders say Clarke, who will leave his post next month, wanted
the strategy to remain the responsibility of the PCIPB and the White House.
But others in the Bush administration saw the strategy as a perfect
opportunity to validate and test the DHS.
"It looks like Clarke kind of lost interest after that," said one security
industry source with close ties to the administration. "He wanted it run out
of the White House."
Without the continued support of Clarke—or someone else with equivalent
political clout and knowledge—the strategy may languish as just another
policy document with plenty of good ideas but few teeth.
"What it lacks is a carrot and a stick," said Mark Rasch, senior vice
president and chief security counsel at Solutionary Inc., in Omaha, Neb.
"Why would anyone in the private sector spend money on these things if they
haven't already? Where are the specifics about funding? We've known we
needed to do these things to stay secure for 20 years. Where's the action
plan? I wish there was something even remotely controversial in here to
debate."
A large portion of the national strategy is given over to recommendations on
what federal agencies can do to shore up the security of their networks.
Ample space is given to implementing programs such as a governmentwide
clearinghouse for software patches, continuing the use of automated security
assessment tools, and exploring the use of stronger access control and
authentication technologies.
But the recommendations for corporations, universities and other
organizations are far less specific and are geared more toward raising the
overall awareness level about major security issues. Insiders say the
government hopes to use the recommendations to fix its problems internally
and lead by example. This is a reversal for many government agencies that
have looked to industry as a source of best practices for security.
While soft-pedaling mandates on private network operators, the strategy
does, however, ask the private sector for unprecedented cooperation in
sharing information on attacks, threats and software vulnerabilities.
"I don't think that's all that inappropriate. To the extent that it sounds
like they're the keepers of the wisdom on the subject of security, it sounds
foolish because everyone knows they're not," BindView's Blake said. "They
have to ask for help to get it done. But the strategy doesn't spell out the
specifics on much of this stuff, and if that doesn't happen, I think it's
DOA."
Others in the security industry agreed.
"Any time there's this awareness about security, it has raised the bar to
the level of the [chief financial officer], and that's important because
companies are more likely to act on it," said Pete Morrison, director of the
public sector at Netegrity Inc., in Waltham, Mass. "But unless organizations
see how it can help financially, it's not a top priority."
Strategic Obstacles
Issues facing implementation of the National Strategy to Secure Cyberspace:
Lack of information security leadership at DHS
Few incentives or mandates for private companies to comply
Lack of clear funding sources for many proposed programs
Few clearly assigned tasks within the government