An independent advisory panel appointed by Congress issued a report on Monday that is sharply critical of the Bush administration's cyber-security policy, saying it is tepid and relies too much on the cooperation of the private sector.
The report is the fourth annual study delivered by the Advisory Panel to Assess Domestic Response Capabilities for Terrorism Involving Weapons of Mass Destruction, headed by former Virginia Gov. James Gilmore. The document takes the government to task for failing to adopt the panel's earlier recommendations to improve security and concludes that "national coordination of cyber security policy has not significantly improved."
The panel recommended that Congress establish an independent commission to suggest strategies for critical infrastructure protection and that the White House merge its physical and information security staffs to increase efficiency and reduce confusion over responsibility.
The panel, also known as the Gilmore Commission, says in its report that the National Strategy to Secure Cyberspace, released in draft form in September, "poses what we view as voluntary, tactical responses to an inherently strategic problem of national importance. If it is adopted, it will be a step in the right direction, but a small step indeed." The commission also says that the strategy, prepared by the President's Critical Infrastructure Protection Board, "apparently has not been cleared by the full board despite appearances to the contrary in the introductory letter."
The PCIPB wasted a prime opportunity to improve the cyber-security policies and procedures of the government as well as the private sector by issuing such a weakly worded document full of voluntary recommendations, the commission's report says.
"In focusing on the need for public-private partnership so intensely, the government has failed to recognize the fundamental importance of market factors and largely failed to exercise any of its powers besides persuasion," the report says. "There has been no change in the significant market disincentives to the adoption of cyber security measures necessary for ensuring the viability of critical functions performed by the information infrastructure.
"Applying this same standard to the public sector has produced the result that no one is clearly responsible for the security of information infrastructure commons or held accountable for cyber security lapses. There are essentially little or no consequences for federal government agencies and officials who do not take prudent steps to improve cyber security."
Officials at the PCIPB in Washington did not return a call seeking comment.
The commission's remarks echo the sentiments of security personnel and CIOs, many of whom said the national strategy is too weak and watered-down to be of much use. But Bush administration security officials have said consistently that they want to avoid any new legislation or regulations regarding information security.
The next version of the national strategy is due for release by the end of this year.