Analysis: Cybersecurity plan too drafty

By SCOTT R. BURNELL, UPI Science News  |  Sept. 18, 2002 at 6:33 PM

WASHINGTON, Sept. 18 (UPI) -- The Bush administration's draft plan for improving the nation's cybersecurity bears little resemblance to more forceful official comments on the subject over the past year or so.

For example, almost all of the plan's recommendations employ the verb "should," instead of mandating action. This point is not lost on Rep. Lamar Smith, R-Texas, chairman of the House Crime, Terrorism and Homeland Security subcommittee.

The country needs a plan "that contains necessary preventative measures," Smith said. Resorting to a list of suggestions will mean next to no preparation for a major cyberattack, his staff told United Press International.

The administration's plan has been under development for almost a year and, as recently as last month, White House cybersecurity adviser Richard Clarke laid much of the responsibility for security improvements at the feet of software developers. But the draft only urges the software industry to consider promoting more secure programs.

Clarke also has been highly critical of the rapid expansion of wireless computer data networks that fail to include adequate security. Yet in mentioning "securing emerging systems," the draft merely suggests federal departments and agencies be "especially mindful of security risks" when using wireless technology. Agencies should consider additional security measures, the draft states, but none are mandated.

Even Clarke's support for computer security education seems to have evaporated in the draft plan. Last July, he intimated that a definitive scholarship program would be included, but the current version calls for the states to consider creating such grants themselves.

Many commentators have suggested market forces will drive companies to adopt better security naturally. Perhaps, but the draft falls short of aiding the market. It asks corporations only to consider disclosing who audits their security measures and providing general information on how the checks are done.

Because the plan makes no specific demands on computer hardware or software makers, that industry's support of the plan is understandable.

"This report is the most comprehensive to date dealing with cybersecurity," said Robert Holleyman, president of the Business Software Alliance, speaking to a news conference via telephone.

"This plan has a lot of teeth in the government section," said Bill Conner, chairman of Entrust, a software security company in Addison, Texas, during the news conference. Although that section includes the use of the verb "will," its impact could be closer to that of worn-down molars than canines.

For instance, by the third quarter of fiscal year 2003, the government will assess if private security providers should be certified, and agencies will explore the advantages of a single acquisition process for security products. By the middle of FY '03, the government will determine whether or not to promote the use of proven security tools more heavily.

There still is hope the final White House plan, to be released next March, will provide more hard-and-fast requirements for securing the nation's cyberborders.

"We must wage a long campaign in which we constantly identify risks, weigh vulnerabilities, and adopt reasonable, rational fixes to each," said Harris Miller, president of the Information Technology Association of America. "We fully expect the national strategy for cybersecurity to change over time."
