Top U.S. IT officials said consensus standards likely will be enforced for federal agencies, but will industry follow suit?
All the while maintaining that the government will not set IT security requirements for the private sector, top federal IT officials today said they expect such mandates will be imposed on federal agencies and that the same standards will also be used by industry.
Heralding a private/public sector consensus on standard settings for Windows 2000 this afternoon, national cyber-security advisor Richard Clarke said that he expects the same standards eventually will be used inside and outside the government.
"When the Department of Homeland Security is created, this is how it will create standards," Clarke said about the joint effort of President Bushs Critical Infrastructure Protection Board, the Center for Internet Security, the National Security Agency, the General Services Administration, the National Institute of Standards and Technology, and the SANS Institute
Although the standards today are voluntary, U.S. Air Force CIO John Gilligan said that there have been discussions in Congress and within the executive branch about making them mandatory.
"I think CIOs within government are expected to implement these baselines," Gilligan said at the unveiling of the standards at the U.S. General Services Administration in Washington. "As we begin to establish these benchmarks, they would become effectively mandatory across the federal government."
Clarke, however, emphasized that the U.S. government today does not have the legal authority to impose technology requirements on the private sector. "Were not going to have federal requirements as the solution to the private sectors problems," he said.
The proponents of the consensus standard conceded that implementing them could degrade applications functions. "You will begin to possibly experience interference with applications," said Clint Kreitner, president and CEO of CIS, adding that the standards are not likely to break applications.
Kreitner said that the standard unveiled today goes beyond the level one requirements of previous security standards for Windows 2000 advocated by CIS.
The collaborating organizations emphasized that todays announcement is only the beginning; they intend to develop standards for a wide range of software products, including Windows IIS and firewalls. "Were forming an Oracle database team, and we have yet to get into printers, faxes and scanners," Kreitner said.
The Administration plans to release a much-touted national strategy for cyber-security Sept. 19 in Silicon Valley, Clarke said. The strategy, a companion to the physical critical infrastructure protection plan unveiled yesterday in the Administrations Homeland Security strategy, will establish that every American has to participate in protecting data networks, Clarke said.
The group also released a small vulnerability scanner that will verify that a given network is using the approved settings.
Many security industry insiders for years have feared that the government would tire of the private sectors failure to adequately secure its networks and step in with some form of regulation or legislation. And, while private businesses will not be required to follow the new standards, the move will likely do little to ease fears of government intervention, insiders say.
But, even if enterprise administrators follow suit and adopt the standard settings, that still leaves unaffected the millions of home-based PCs, most of which dont run Windows 2000.
Settings Aim to Secure Windows 2000
Homeland Security Plan Draws Criticism
National Security is an IT Concern
IT Pros Predict Major Cyber-Attack
More Security Coverage