Cyber eye: Can a policy please everyone? Maybe
- By William Jackson
- Oct 16, 2002
'A camel is a horse designed by a committee.'
'Sir Alec Issigonis, late British motorcar designer
The president's Critical Infrastructure Protection Board sought the broadest possible consensus for its National Strategy to Secure Cyberspace by inviting numerous individuals and organizations to contribute. Those who were expecting to see a thoroughbred were disappointed by the draft released last month.
But a camel isn't necessarily a bad thing.
Criticism of the strategy focuses on what it is not, rather than on what it is. No one objects to raising awareness of safety issues, best practices, more cooperation or higher standards. No one disputes that the government should lead by example in securing its own systems.
What they object to is the lack of teeth. There are no hard requirements and few deadlines for securing cyberspace.
The worst shortcoming, critics say, is that the strategy ignores the root problem, which is software quality rather than firewall configuration or patch management. Some have even complained that the draft does not single out Microsoft Corp. for making software that is flawed.
Board chairman Richard Clarke said repeatedly during the 10-month drafting process that the policy would rely on market forces rather than mandates.
One of his guiding principles is, 'Avoid regulation.' That's probably wise, especially in the early stages of policy development. Government-imposed standards have a way of becoming ceilings.
Consider the automotive industry, which seems curiously reluctant to embrace safety and efficiency as selling points. Seat belts and air bags became standard equipment only when and to the extent that government required them. Fuel efficiency has been held to just what the government demands, no better.
It would be a shame if our cybersecurity strategy turned into a ceiling. It should instead be a foundation on which designers, vendors and users can build.
That will require consensus and cooperation, and the results, at least initially, might not be handsome. But the draft states that the strategy will evolve, 'as components become more detailed and refined, as consensus forms and as some of the initial ideas mature.'
It's not much of a horse, but it might turn into a pretty good camel.
William Jackson is freelance writer and the author of the CyberEye blog.