Strategy calls for best practices now, hints at greater changes later.
When the White House releases its plan to improve cyber-security later this month, large enterprises can expect to be prodded to implement network authentication procedures using biometrics, smart cards with PKI and/or secure tokens. The suggestion will not come as an official recommendation; instead, it will likely be buried inside the lengthy, often vague strategy.
Most of the explicit cyber-security recommendations targeted at large enterprises in the forthcoming national strategy to secure cyberspace reflect best practices that are typically already in place wherever feasible and expedient. However, the strategy, scheduled for release Sept. 18, includes detailed discussions of much more substantive changes for securing enterprise networking, lighting the way for future official positions and, possibly, mandates.
According to a draft obtained by eWeek, the Presidents Critical Infrastructure Protection Board plans to update the strategy regularly, adding recommendations as the nations understanding of cyber-security evolves. The document emphasizes that the version due out this month lays the groundwork for an incrementally expanding blueprint. The most controversial suggestionssuch as implementing biometric or smart-card authentication procedures throughout corporate Americaare framed not as recommendations but as discussion points or issues for resolution in later iterations of the document.
"That would go over like a stink bomb," Jorge Abellas-Martin, CIO at Arnold Worldwide Inc. and an eWeek Corporate Partner, said about the advanced authentication suggestion. "If I had to tell my creatives that they had to carry around little cards that read out a random strings of numbers, theyd laugh at me."
The security needs of large enterprises differ widely, and the practices appropriate for vendors to the federal government are necessarily more stringent than those at advertising companies, such as Arnold Worldwide, in Boston. "[The administration] could recommend that everyone have Pentagon-level security, but unless someone deals directly with federal procurement, its not going to have an impact," said Abellas-Martin. "I dont see how its going to change peoples behavior if its only a recommendation."
The strategys chapter devoted to large enterprises focuses on raising the level of responsibility and accountability for security to chief executives and corporate boards. The expectation is that shareholders will eventually hold boards accountable for security breaches, and, in turn, boards will hold security officials responsible.
While a separate chapter promotes the highly unpopular recommendation that corporations annually disclose the identity of their IT security audit companies and the scope of their activities, the explicit enterprise recommendations are more subdued. They suggest that CEOs should consider forming enterprisewide corporation security councils to integrate cyber-security, privacy, physical security and operations; CEOs should consider regular independent IT security audits and remediation programs; corporate boards should consider forming IT security committees and should ensure that recommendations of the CIO are regularly reviewed by the CEO; and IT continuity plans should be regularly reviewed and should involve alternate sites and alternate staffs when possible.
"A responsible company would be doing these sorts of things anyway," said Frank Calabrese, IT manager at Bose Corp., in Framingham, Mass., and an eWeek Corporate Partner. "But it depends on the business climate, and it depends on the type of industry."
The document also recommends that corporations get involved in industrywide programs to develop best practices, share information, raise awareness and work with the insurance industry to expand IT security coverage. For enterprises, the suggestion is likely to be received as a good idea in theory but one that would strain resources.
"Id love to be able to do something like that. Wouldnt it be nice if we all sat in a room and talked about security," Calabrese said. "But how many companies are going to take someone and dedicate him to sitting in a room and talking about security with his peers?"
While the language of the recommendations is mild and mostly unsurprising, the discussion of other steps enterprises should take to secure systems is stark in contrast. The document states that to facilitate network integrity, reliability, availability and confidentiality, enterprises should include PKI (public-key infrastructure) using smart cards, secure tokens, biometrics or a combination of these measures in authentication procedures. In addition, it raises questions for resolution in future releases of the strategy, such as how often large enterprises should have cyber-security audits performed by outside auditors.
When asked about the draft plans for enterprise security, Tiffany Olson, a spokeswoman for the CIPB, in Washington, said the issues raised in the text are "just kind of adding more to the recommendations."
"Recommendations will either become programs or will be discussion points that dont take place," Olson said. "Over time, things will change, needs will change and ideas will change."