Clarke unveils security strategy
Administration plans to issue final version after 60-day comment period
The White House's cybersecurity czar, Richard Clarke, says improving security requires cooperation because the government cannot dictate behavior.
Henrik G. DeGyor
There were no surprises in last week's release of the government's National Strategy to Secure Cyberspace, which emphasizes awareness, best practices and commonsense precautions.
The White House released its final draft of the strategy for a 60-day public comment period. The 65-page document can be found online at www.securecyberspace.gov.
The President's Critical Infrastructure Protection Board relied heavily on private-sector input over the past 10 months in putting the strategy together. As expected, it relies on market forces and voluntary cooperation rather than government mandates.
'The government cannot dictate' security practices, board chairman Richard Clarke said during announcement ceremonies at Stanford University in Palo Alto, Calif.
Vice chairman Howard Schmidt said the strategy is characterized by what it is not. 'It is not about government regulation,' he said. 'It is not about government running the Internet.'
The strategy targets five basic areas: home and small business users, large enterprises, industrial sectors and government, national issues and global issues.
The strategy seeks the broadest possible support from the public as well as the business community, Clarke said. The themes of partnership and cooperation were dominant throughout the presentations.
Uncle Sam's role
The government's job in improving the security of the nation's information infrastructure will be partly as role model and partly as catalyst, the strategy said. It recommends increased accountability for securing systems, expanded use of automated security tools, adoption of technologies such as smart cards and improved security for wireless networks.
The strategy calls for a decision within the federal government by early next year on whether standards should be set for enterprisewide security assessments throughout the government, and the extent to which agencies can share physical and logical access control systems.
In the area of homeland security, the strategy envisions closer working ties between federal agencies and state and local government, use of leading-edge technologies as weapons in the war on terrorism and development of standards for information sharing.
Although the strategy avoids calls for regulation, some recommendations could require legislation. Increased funding for basic R&D would require a government commitment. The document also calls for improved reporting of cybercrime, which could require some exemptions from the Freedom of Information Act.
Different industries approached development of the strategy differently.
'Power and water companies generally are very interested in cybersecurity,' a Justice Department official said. 'You are going to have more problems with financial companies and companies whose share price depends on every flicker of the newspaper.'
Sallie McDonald, assistant commissioner in the Computer Incident Response Center at the General Services Administration's Federal Technology Service, said, 'I have heard rumblings that there are two camps: One says that industry was involved [in forming the strategy], and the other says they did it without consulting.'
She said that some in industry had criticized early drafts of the plan as too restrictive.
'I think it is a narrow view to say that the plans are too restrictive. We developed the technology without much thought to security,' she said. 'Now, we need to take a step back and strengthen security. I don't think cheerleading is going to get it done, but the first step is to stop the nastiness.'
Brian Finan, director of strategic programs and homeland security for Symantec Corp. of Cupertino, Calif., disagreed with the notion that the strategy was controversial.
'We don't share that view,' he said. He said the strategy puts forth sound proposals that stress commonly accepted best practices.