The White House has released the final version of its first cybersecurity policy, which is heavy on requirements for the U.S. government but light on recommendations to private industry. Some cybersecurity companies asked, "What's next?"
President George W. Bush's National Strategy to Secure Cyberspace, released Friday morning alongside a National Strategy for the Physical Protection of Critical Infrastructures and Key Assets, is available at http://www.whitehouse.gov/pcipb/ as a 76-page PDF (Portable Document Format) document. Calling cyberspace the "nervous system" of the nation's critical infrastructure, the plan recommends the following:
-- A national cyberspace security response system, such as creating a public/private method of responding to national-level cyber incidents, and encouraging private-sector capabilities for monitoring the health of cyberspace.
-- A national cyberspace security threat and vulnerability reduction program, such as enhancing law enforcement's capabilities for preventing and prosecuting cyberspace attacks, and securing the Internet by improving protocols and routing.
-- A national cyberspace security awareness and training program, such as creating a comprehensive national security awareness program, and increasing the efficiency of existing federal cyberspace training programs.
-- Securing governments' cyberspace by, for example, authenticating and maintaining authorized users of federal systems, and securing federal wireless local networks.
-- National security and international cyberspace security cooperation, such as strengthening cyber-related counterintelligence efforts, and improving coordination for responding to cyber attacks within the U.S. federal security community.
The report goes into more detail in each of the five areas, but it focuses on broad policy directions rather than on specific recommendations for how to accomplish each goal. Details on implementing the policy are still to come, said Tiffany Olson, deputy chief of staff for the President's Critical Infrastructure Protection Board.
The report intentionally made more specific recommendations about what government can do than what private industry can do, Olson added. "The president believes that we need to 'walk the talk' before asking the private sector to do the same," she said. "We need to be a model for them, and there are a lot of improvements the federal government needs to make."
Douglas Goodall, president and chief executive officer of Internet security company RedSiren Inc., said he hopes the lack of specifics, and the report's length, won't doom the report to gather dust on the shelf. He called it "a good start" toward better cyberspace security, but said the recommendations need to be followed.
"Clearly, as you read the report, the question is ... 'now what?'" Goodall said. "What are you going to do, and what are you saying others should do? That's missing."
The first of the document's key objectives is to "prevent cyber attacks," but that's an impossible goal, Goodall said. "If that's the mindset, we're in big trouble," he added. "We can't pass a law ... we can't beg, borrow, or steal to stop people from trying to attack. This is a global network, and anybody anywhere can launch an attack."
But Mario Correa, director of Internet and network security policy for the Business Software Alliance, praised the report for being more specific than a draft of it released in September. The policy document gives the new Department of Homeland Security several cybersecurity responsibilities, which the September draft did not do, he noted.
Goodall did praise the federal government for taking a lead in focusing on cybersecurity and challenging private industry and citizens to think about it as well. "I hope this is not a case of, 'We've published a document, and now let's sit and see what happens,'" he added.
"The threat is real, the growth of the Internet is real, and this is something that must lead to very proactive, very immediate leadership and action, not just by the government," he said.
Dan Burton, vice president of government affairs at Entrust Inc., said the plan is strong in recommendations for the U.S. government and public/private partnerships, but nearly silent on what private companies should do for themselves. Burton said he's not looking for government mandates, but he believes government action in the private sector is not out of the question.
"The private sector has got to voluntarily step up and demonstrate that they are improving the governance of IT security, or they're going to be faced with government mandates to do so," Burton said. "It's quite clear that unless the private sector steps up and significantly improves its cybersecurity performance, we are going to be looking at mandates down the road."
Correa called on private industry to take a leadership role in cybersecurity, and for Congress to commit resources for the federal government to take action on the report. "We haven't, to be honest, seen enough of a commitment by the Congress yet toward making the resources necessary to make our country cybersecure," he said.