National Cybersecurity Plan Released

WASHINGTON -- The White House has released the final version of its first cybersecurity policy, which is heavy on requirements for the U.S. government but light on recommendations to private industry. Some cybersecurity companies asked, "What's next?"

President George W. Bush's National Strategy to Secure Cyberspace was released Friday morning alongside a National Strategy for the Physical Protection of Critical Infrastructures and Key Assets. The 76-page document calls cyberspace the "nervous system" of the nation's critical infrastructure and offers recommendations without force of law.

Primary Goals

The report was crafted after a government study and input from academic institutions, private businesses, and government agencies. Comments were also accepted in several town hall meetings over the past six months. Its primary recommendations include:

• A national cyberspace security response system, such as creating a public/private method of responding to national-level cyberincidents, and encouraging private-sector capabilities for monitoring the health of cyberspace.
  
  
• A national cyberspace security-threat and vulnerability reduction program, such as enhancing law enforcement's capabilities for preventing and prosecuting cyberspace attacks, and securing the Internet by improving protocols and routing.
  
  
• A national cyberspace security awareness and training program, such as creating a comprehensive national security awareness program, and increasing the efficiency of existing federal cyberspace training programs.
  
  
• Securing governments' cyberspace by, for example, authenticating and maintaining authorized users of federal systems, and securing federal wireless local networks.
  
  
• National security and international cyberspace security cooperation, such as strengthening cyber-related counterintelligence efforts, and improving coordination for responding to cyberattacks within the U.S. federal security community.
  
  

The report goes into more details in each of the five areas, but the policy focuses more on broad policy directions than on specific recommendations about how to accomplish each goal. Details on implementing the policy are still to come, said Tiffany Olson, deputy chief of staff for the President's Critical Infrastructure Protection Board.

The report intentionally made more specific recommendations about what government can do than what private industry can do, Olson added.

"The president believes that we need to 'walk the talk' before asking the private sector to do the same," she said. "We need to be a model for them, and there are a lot of improvements the federal government needs to make."

Reaction Mixed

Douglas Goodall, president and chief executive officer of Internet security company RedSiren, said he hopes the lack of specifics, and the report's length, won't doom it to gather dust. He calls it "a good start" but said the recommendations need to be followed.

"The question is...'now what?'" Goodall said. "What are you going to do, and what are you saying others should do? That's missing."

The first of the document's objectives is to "prevent cyberattacks," but that's an impossible goal, Goodall said. "If that's the mindset, we're in big trouble," he added. "We can't pass a law...we can't beg, borrow, or steal to stop people from trying to attack. This is a global network, and anybody anywhere can launch an attack."

But Mario Correa, director of Internet and network security policy for the Business Software Alliance, praised the report for being more specific than a draft released in September. The policy document gives the new Department of Homeland Security several cybersecurity responsibilities, which the September draft did not do, he noted.

Goodall did praise the federal government for taking a lead in focusing on cybersecurity and challenging private industry and citizens to think about it as well. "I hope this is not a case of, 'We've published a document, and now let's sit and see what happens,'" he added.

"The threat is real, the growth of the Internet is real, and this is something that must lead to very proactive, very immediate leadership and action, not just by the government," he said.

Wanted: IT Leadership

Dan Burton, vice president of government affairs at Entrust, said the plan is strong in recommendations for the U.S. government and public/private partnerships, but nearly silent on what private companies should do for themselves. Burton said he's not looking for government mandates, but he believes government action in the private sector is not out of the question.

"The private sector has got to voluntarily step up and demonstrate that they are improving the governance of IT security, or they're going to be faced with government mandates to do so," Burton said.

Correa called on private industry to take a leadership role in cybersecurity, and for Congress to commit resources for the federal government to take action on the report.

"We haven't, to be honest, seen enough of a commitment by the Congress yet toward making the resources necessary to make our country cybersecure," he said.