Experts in the field of cybersecurity find reason to applaud the Bush administration's plan for securing the US national IT infrastructure, but feel that the report falls short in offering specifics and clear incentives to improve security for companies, nonprofit organisations and individuals, according to security experts and industry analysts.
Richard Clarke, President Bush's special adviser for cyberspace security, introduced a draft of the Bush administration's plan Wednesday at Stanford University in Palo Alto, California. The unveiling opens a period of comment on the document in which experts in the field of cybersecurity, as well as representatives from state and local governments, will provide feedback to the administration on the plan's recommendations.
But already security experts from the private and public sectors are weighing in on the 65-page draft document, which was published late Tuesday.
The document addresses security issues facing all levels of the nation's IT infrastructure — from those affecting home users and small businesses, to large enterprises, educational institutions, service providers, as well as federal, state, and local governments.
According to the plan, Internet service providers (ISPs) and their customers are encouraged to deploy antivirus and firewall software, while corporations are encouraged to form and participate in industry-wide programs to develop IT security best practices and create private-public partnerships to encourage development of new cybersecurity tools.
"From the standpoint of (the plan's) recommendations, we feel the plan is not bad. It covers a lot of ground," said Sunil Misra, managing principal of worldwide enterprise security at Unisys.
"The issue we all have is the effectiveness (of the report). These recommendations are not new; the issue is, how can public-private partnerships be constructed so that they can work effectively?"
A case in point, said Misra, is the report's recommendation that ISPs develop relationships with antivirus software makers and developers to make it easier for home users to obtain and use antivirus and firewall software.
"We think that ISPs providing security packaging to home users is a good thing. The question is, how do you offer incentives to them to do that?"
Also touching on the broad brush used by Clarke and the Bush administration, IT management software maker Computer Associates International (CA) released a statement praising the "holistic approach" taken by the administration in their plan, which addresses everything from individual home computer users, to large corporate enterprises, universities, and the federal government itself.
"With the real and present threats that face our country and our world today, CA is committed to supporting this holistic approach," said Ron Moritz, a CA Senior Vice President, in a statement released by the company.
But others voiced reservations about the ambitious reach of the plan.
"I think it's a bit of a stretch to tie together such a range of disparate security concerns, from PC virus susceptibility to vulnerabilities of the electronic control systems of power grids or dams," said Jonathan Zittrain, co-director of the Berkman Center for Internet & Society at Harvard Law School.
However, he praised the efforts of Clarke and the Bush administration to raise public awareness of the threats facing the national infrastructure.
"Those things that make consumers (and utilities) more alert aren't in themselves so bad," Zittrain said. "The trick is to rouse the right people to action without fear mongering. The report gives the average PC user or CEO a lot to worry about and some recommendations to get working on security basics — backup, firewalls, etc. But there's still room for a more finely-grained assessment of where the true vulnerabilities and risks are."
And despite the absence of either sticks or carrots in the draft report to encourage change, some experts in the area of IT security argue that the report does mark a significant change in the federal government's policy on cybersecurity.
"This plan is a major shift in government policy from a threat and risk-based strategy to a vulnerability remediation strategy," said Alan Paller, director of the SANS Institute, a security education and research organisation.
"Previously (the government) said: 'If you write a plan, you get an A. What (Richard Clarke) is saying is: 'If you make sure the plan is implemented you get an A.'"
Paller also pointed to the recommendation that companies and organisations explore ways to develop standards for procurement of IT products and services, something he argued will drive advancements in cybersecurity technology in key areas of the nation's infrastructure, such as the Supervisory Control and Data Acquisition (SCADA) systems, which the major infrastructure players use to control and distribute their products.
"The oil and gas (companies) are already doing this. You use the combined buying power of all the customers to force the vendors to improve the security of the systems. It's the only way to fix the SCADA systems. As it stands, the vendors who make those (SCADA) products just play the customers off each other."
The plan is the most comprehensive report to date on the subject, said Richard Holleyman, president and chief executive officer of the public advocacy group the Business Software Alliance. He spoke from Washington during a conference call in which executives of Microsoft, Entrust and Network Associates also participated.
"This plan recognises that everyone who uses a computer has a role and a stake in securing the networks that drive nearly every aspect of our daily lives and the world's economy," Holleyman said.
Governments, private industry and end users put together a massive effort to prepare for potential computer problems related to the millennium date change, Holleyman noted. He recommended that the industry build on those "Y2K" efforts to develop a concerted and ongoing effort to defend critical infrastructures.
Chris Pick, of the nonprofit security industry consortium the Human Firewall Council, also sees the government's plan of focus on cybersecurity as a move in the right direction, even without enforcement, and predicts a gradual adoption of the government's new cybersecurity standards by the private sector with the help of independent standards organisations such as the International Organization for Standardisation (ISO).
"This is the first step in a long process of providing guidance for securing cyberspace," said Pick who is also an assistant vice president for product strategy for PentaSafe Security Technologies, a security management solutions company.
"It will take time to determine how to translate these guidelines into standards that can truly be implemented. But that will happen through the government and regulatory bodies adopting these as standards and then encouraging industry to meet those standards. I think there's going to be a convergence in about one or one and a half years of an overarching (cybersecurity) standard that encompasses both the federal government and the private sector," Pick said.
Despite the generally warm reception from the nation's technology and IT security companies, however, questions were being raised both within and outside industry about the lack of specifics in the plan, especially given that a significantly longer draft of the plan had reportedly been circulating recently.
"There was an early draft that was around 300 pages. This is much smaller than was originally proposed," said Unisys' Misra.
Lee Tien, a senior staff attorney with the advocacy group Electronic Frontier Foundation, worried about such apparent discrepancies.
"There isn't a whole lot in (the plan) that I would see as a major threat to (online) privacy, but I'm worrying about what the administration omitted from this document — what they are planning but don't want to talk about," said Tien.
As for the lack of unwillingness to put enforcement mechanisms into the plan, the SANS institute's Paller points out that such deference to industry is nothing new.
"Its not a Republican thing. The Clinton administration said the same thing when they announced their (cybersecurity initiative), so this has been the policy of the federal government for the past 6 or 8 years. They don't feel they can tell people what to do and that's their policy. I just happen to think it's wrong. "
Tien and others expect the plan to change considerably in the coming weeks, as industry, legal experts and user advocacy groups respond to Wednesday's draft.
"This is an evolving process," said Tien. "Clearly there's a lot that's not worked out yet, and we want to be involved in that process."
(Gretel Johnston in Washington, DC, and Nancy Weil in Boston contributed to this report.)