US on the digital defensive
The Bush administration signed off on Friday the final version of the US strategy for protecting the internet and securing information systems.
The policy statement, called the National Strategy to Secure Cyberspace, largely backs off from mandating companies adopt certain measures. Instead, it calls for the government to work with private industry to create an emergency response system to cyber attacks and to reduce the nation's vulnerability to such threats.
"Securing cyberspace is an extraordinarily difficult strategic challenge that requires a coordinated and focused effort from our entire society - the federal government, state and local government, the private sector and the American people," President George W. Bush wrote in a letter introducing the document.
The strategy document still doesn't address criticism that its lack of regulations renders it toothless. For example, previous, unpublished drafts had included measures that would have forced ISPs to offer firewalls to their users and would have required wireless hardware makers to improve security. The document released on Friday has been reorganised to focus on five policy initiatives and places much of the oversight with the newly established Department of Homeland Security.
The five major efforts laid out by the strategy are: to create a cyberspace security response system, to establish a threat and vulnerability reduction programme, to improve security training and awareness, to secure the government's own systems, and to work internationally to solve security issues.
The document continues to advocate government-industry cooperation rather than regulation as a solution to internet security problems. Regulation, security industry experts argue, would increase costs without guaranteeing better protections.
Among specific recommendations, the plan calls for:
• Adoption of a warning and incident information network
• A single Department of Homeland Security contact for the federal government and industry to report incidents
• Cyber attack exercises on government agencies to gauge the impact of such attacks
• The Department of Commerce to examine security issues related to IPv6
• The Department of Homeland Security to recommend that ISPs adopt a "code of good conduct"
• The Department of Energy and other concerned agencies to develop best practices for securing distributed control systems, such as SCADA
"They [the Administration] have done a good job," said Deepak Taneja, CTO for security firm Netegrity. "It's a whole lot better than where we were at the end of last year."
The Department of Homeland Security will be responsible for creating a comprehensive national plan to secure "key resources and critical infrastructure of the US", the plan said. The DHS will also be responsible for responding in the event of a crisis, for providing technical assistance to the government and private industry, for coordinating efforts between agencies, and for performing and funding research to support homeland security.
Taneja stressed that to date no serious attack has occurred that affected the internet significantly. "Just a few weeks ago, we had the Slammer worm," he said. "It was bad but it could have been a lot worse. If it had been worse, it would have been a cyber security emergency."
A response system would be critical in the future for dealing with such attacks, he said.
However, Bruce Schneier, founder and CTO of managed security service provider Counterpane Internet Security, is sceptical that the government can effectively lead the way to better security.
"Like everything else, the proof is in the funding and execution," he said.
He pointed to the fact that the government's networks are frequently attacked and breached, despite attempts to close the holes, as an indication of how effective the plan might be.
Other industry executives commended the strategy document as a good first step but they said that more is needed.
"We have a presidential strategy, and that's good, but it's only a first step," said Dan Burton, vice president of government affairs for security firm Entrust. "If you look at the report, it is fairly strong as to government action. It is fairly strong in internet management and how industry and government can work together to secure the internet. But it's virtually silent on how the industry can improve the governance of their own IT systems."
Even if the government can secure its own systems and work with industry to improve the security of the public internet infrastructure, the whole exercise is for naught if companies stumble in securing their own systems, he said.
"The internet has to be secure, and the government has to be secure, but unless those private systems are secure, then the internet is still at risk," he said.