After nearly a year of work, the greatly anticipated draft National Strategy to Secure Cyberspace was released last week. It has been described as disappointing and toothless. This is far too kind. The draft National Strategy is a complete flop.
What could have been a serious, prescriptive force for national cybersecurity turned out to be a facile list of best practices. To wit: You should consider doing security audits; you should examine the security implications of emerging technologies; you should consider joining a public-private partnership. It reminds me of what my older brother said to me the night before I left for college, "Don't be stupid," advice that has the unique quality of being valid, obvious and useless all at the same time.
Worse still, the 60-page draft ends with a section called Summary of Recommendations* — emphasis on the asterisk — which carries the following footnote:
*Note: The feasibility and cost effectiveness of these recommendations will vary across entities. Individual entities should take into account their particular and changing circumstances in choosing whether to apply them.
In other words, the report can't even bear to enforce its own patently obvious advice. You should consider eating your vegetables, unless you really don't want to. The whole thing was enough to make one observer who works for the government quip: "We need to figure out a way to identify the talented leaders and keep them away from Washington."
Pity Richard Clarke and Howard Schmidt, serious, well-meaning civil servants saddled with a constituency like technology vendors. The vendors, as you've heard by now, lobbied successfully to remove real prescription from the draft—including truly officious recommendations like, “You need to hire a chief privacy officer” and “You need to bundle personal firewalls with your Internet service.”
The administration acceded. The fact that vendors stampeded to the news wires with applause for the draft was not a good sign. It was a red flag. The draft National Strategy tries to placate everyone and therefore helps no one.
The hypocrisy is stunning, and neatly summed up by Robert Holleyman, president and CEO of the Business Software Alliance, in a press release that applauded the draft Strategy. “An ongoing concern of our industry has been to ensure that whatever technologies are deployed to protect content do not impede technological progress, increase the cost of software and computers to consumers, or erode the performance of computers.”
The truth is, Holleyman is being unreasonable, and the vendors that agree with his position aren’t serious about security. Because national cybersecurity will cost. It will impede the kind of progress the software industry wants. (The kind of progress, incidentally, that got us to our current state of reckless insecurity). It will erode performance.
Vendors want to bask in the glow of the government's serious and fundamental security initiative while taking on none of the responsibility, or cost. Create a security strategy, Uncle Sam, but dammit don't cut into our fat margins, don't make us retrofit our products for security. Don't make us bundle security with our service. Don't make us do anything. Just let us get into the frame for the photo-op with the American flag.
Not all vendors are oblivious to this. Peggy Weigle is CEO of Sanctum, an application security company. She applauded the draft, but only with the greatest hesitation. Weigle was hoping the Strategy would point more toward something like HIPAA or Gramm-Leach-Bliley, legislation that prescribes security and privacy without dictating, technologically, how it's carried out. Both pieces of law, she said, have had a tangible effect on security in the industries they address.
Her lines were, "It's a good first step," and, "I'm hopeful and confident," but between her lines was real, palpable disappointment.
I asked her if calling out the vendors was too harsh. "No," she said. "It needs to be said. Until we're serious about security, we will be vulnerable. It has to be a corporate mandate. A national mandate. And you don't do that through voluntary recommendations. You do it through legislation. Everything," she said, "depends on what happens next."
In 1861, the Union learned that the Confederacy was building an ironclad warship on the hull of the captured USS Merrimack, the ship that would become the CSS Virginia. It was a threat, not unlike the information security threat today in that it was completely new and unknown in its scope and capability.
The Union, in turn, called on John Ericsson, the best and brightest engineer of the day. He happened to have a personal grudge against the government and, in truth, no reason to cooperate. But he put aside his grudge and put off his profit motive and took up the cause of countering the unknown threat. He helped design and launch the USS Monitor, the Union's own ironclad warship—replete with 45 patentable inventions. In 118 days.
It makes today's best and brightest technology leaders look pretty pathetic. They’ve had almost 400 days now to take up the cause, and they can't be bothered.
"Alarmed" is a biweekly column about security and privacy. Look for a new version every other Thursday.