[infowar.de] eWeek: Cyber Plan's Future Bleak
February 24, 2003
Cyber Plan's Future Bleak
By Dennis Fisher
A lack of focus and leadership within the federal government's security
community makes it unlikely that many of the initiatives in the
released National Strategy to Secure Cyberspace will ever be
security experts and Washington insiders say.
And, as the strategy centers on improving security inside the
major shift from early drafts of the plan with few incentives for the
private sector—critics say sweeping changes in the overall state of network
security are also unlikely as a result.
"This looks like another great attempt by the government to say, 'We're
to help you.' But so what," said Scott Blake, vice president of
security at BindView Corp., based in Houston. "They have to pretend
know what they're talking about, even though they clearly don't. What
resources they'll put behind [the strategy] is questionable."
The new Department of Homeland Security is slated to bear much of the
responsibility for carrying out the strategy, which was released with
fanfare Feb. 14. But without a person in the top information security
of the DHS (it has yet to be filled), and with the imminent departure
plan's architect and chairman of the President's Critical
Protection Board, Richard Clarke, the strategy lacks a strong,
sponsor within the government.
Washington insiders say Clarke, who will leave his post next month,
the strategy to remain the responsibility of the PCIPB and the White
But others in the Bush administration saw the strategy as a perfect
opportunity to validate and test the DHS.
"It looks like Clarke kind of lost interest after that," said one
industry source with close ties to the administration. "He wanted it
of the White House."
Without the continued support of Clarke—or someone else with
political clout and knowledge—the strategy may languish as just
policy document with plenty of good ideas but few teeth.
"What it lacks is a carrot and a stick," said Mark Rasch, senior vice
president and chief security counsel at Solutionary Inc., in Omaha,
"Why would anyone in the private sector spend money on these things if
haven't already? Where are the specifics about funding? We've known we
needed to do these things to stay secure for 20 years. Where's the
plan? I wish there was something even remotely controversial in here to
A large portion of the national strategy is given over to
what federal agencies can do to shore up the security of their
Ample space is given to implementing programs such as a governmentwide
clearinghouse for software patches, continuing the use of automated
assessment tools, and exploring the use of stronger access control and
But the recommendations for corporations, universities and other
organizations are far less specific and are geared more toward raising
overall awareness level about major security issues. Insiders say the
government hopes to use the recommendations to fix its problems
and lead by example. This is a reversal for many government agencies
have looked to industry as a source of best practices for security.
While soft-pedaling mandates on private network operators, the strategy
does, however, ask the private sector for unprecedented cooperation in
sharing information on attacks, threats and software vulnerabilities.
"I don't think that's all that inappropriate. To the extent that it
like they're the keepers of the wisdom on the subject of security, it
foolish because everyone knows they're not," BindView's Blake said.
have to ask for help to get it done. But the strategy doesn't spell out
specifics on much of this stuff, and if that doesn't happen, I think
Others in the security industry agreed.
"Any time there's this awareness about security, it has raised the bar
the level of the [chief financial officer], and that's important
companies are more likely to act on it," said Pete Morrison, director
public sector at Netegrity Inc., in Waltham, Mass. "But unless
see how it can help financially, it's not a top priority."
Issues facing implementation of the National Strategy to Secure
Lack of information security leadership at DHS
Few incentives or mandates for private companies to comply
Lack of clear funding sources for many proposed programs
Few clearly assigned tasks within the government