WASHINGTON -- Business and government representatives teamed up in March to recommend steps to reduce the nation's vulnerability to cyberattacks. But they say they have yet to receive a response from the Department of Homeland Security, and wonder what is causing the delay.
"There has been a 'pregnant pause' waiting for a response," says Rick White, CEO of TechNet, a technology industry trade group and cosponsor of a December 2003 summit to develop an action plan.
In its most significant attempt to reach out to private business, the Homeland Security agency assembled leaders from academia, government, and the software industry to formulate ways to address the nation's cybersecurity shortcomings.
The summit created five task forces under the banner of the National Cyber Security Partnership, among them a Task Force on Technical Standards and Common Criteria. In March the task forces delivered recommendations to the Department of Homeland Security on how to implement the suggestions made in the Bush administration's National Strategy to Secure Cyberspace, published in February 2003.
The Bush administration's strategy cast the federal government in a consulting role, and established no mandates. Rather, it directed the Department of Homeland Security to collaborate with businesses and universities, which it said control at least 80 percent of the nation's computer infrastructure. The document noted ways that individual users, businesses, schools, and government could practice better cybersecurity.
The task forces have recommended cybersecurity standards and best practices, common software security configurations, and "code scanning" tools to identify software defects. They have also suggested investing in federal research to develop better vulnerability analysis for computers and networks.
When's the Next Step?
"Of course, it would be nice if they would get back to us with their top two or three tasks from each area of the recommendations," says Mary Ann Davidson, chief security officer for Oracle, and cochair of the Task Force on Technical Standards and Common Criteria. "That would be a good next step."
Without that, Davidson says, "it is a little bit difficult for vendors to set deadlines and milestones."
But software vendors should--and are beginning to--implement the recommendations themselves, without governmental guidance, Davidson adds. "This is a partnership, and we don't have to wait for them to give their blessing in order to move forward."
TechNet's White says that the Department of Homeland Security should "review the task forces' recommendations and decide which ones it thought were most important and which ones should be thrown out."
"The task forces put in an enormous amount of work, and it has been three months since they submitted their report," White says. "We need for the DHS to show a little bit of leadership now."
Officials at the Department of Homeland Security did not answer requests for comment on the lack of response to the task forces' report.
The National Strategy to Secure Cyberspace encourages cooperation and collaboration between the government, law enforcement, private companies, and education to accomplish cybersecurity goals. The ongoing effort, which is intended to develop over time, has no firm timeline or milestones.
The document recommends developing new technologies to reduce vulnerability to cyberattacks and to minimize damage and recovery time in case of attack. Its 47 specific objectives are organized under five major cybersecurity goals:
- Create a national cyberspace security response system.
- Develop a national cyberspace security threat and vulnerability reduction program.
- Establish a national cyberspace security awareness and training program.
- Secure governments' cyberspace.
- Foster national security and international cyberspace security cooperation.
When the strategy came out in February 2003, some critics said that powerful software industry lobby groups had persuaded the administration to remove any legal directives before the white paper was released.
"The administration has addressed cybersecurity with vague generalities, without clear assignment of responsibilities and without time frames or deadlines or benchmarks for measuring performance," Senator Joseph Lieberman (D-Connecticut) said in a letter to DHS secretary Tom Ridge at the time.
But supporters said that the strategy's soft-sell approach was deliberate, an acknowledgement that private industry may be able to develop and implement new security measures more effectively than government.
"The Bush administration's white paper took the right approach," TechNet's White said. "It's difficult for government to keep up with changing technology. Their basic premise to do it with private participation is the right approach."
Either way, both sides say, only recently have businesses and individuals become more aware of cybersecurity measures and more willing to invest in technology and practices.
"I think we are making some progress, and some of it does involve government," says Harris Miller, president of the Information Technology Association of America. The federal government is building information-sharing models to help protect networks and respond to attacks, and new networks have been built so that the private sector and government can communicate in the event of an attack, Miller says.
Miller notes that it is difficult to measure progress toward the goals set forth in the Bush administration's cybersecurity strategy.
"We don't have very good metrics for measuring; there is only anecdotal information," he says. "The FBI recently released a report saying the number of attacks actually went down last year, but their data sample was very small."
The amount of money that people and businesses invest in cybersecurity is not necessarily an accurate measure of progress, several others note.
"It isn't necessarily just more investment in security software. It is little things that don't cost anything--like updating patches and installing antivirus software and firewalls," says Andrew Howell, vice president of homeland security for the U.S. Chamber of Commerce.
"What we do know is that the bad guys are doing better--causing much more damage much more quickly," Miller says.
In August 2003 alone, the Nachi, SoBig, and Blaster worms cost the economy $3.5 billion in direct costs and lost productivity, according to VeriSign.
But, Miller says, the federal government has an important role to play in bumping cybersecurity higher on public and private priority lists.
That is why the current three-month wait for a response to the task force recommendations is ill-timed, White says.
Adds Miller: "There clearly has to be a partnership between business and government to make it all work."