The forthcoming final version of the National Strategy to Secure Cyberspace will call for a comprehensive cybersecurity response system that will depend heavily on contributions from the private sector. The system, as described in the most recent draft of the document, will rely on a broad information-sharing program both inside and outside the federal government, and the draft calls for the establishment of a separate office within the Department of Homeland Security to manage the information flow between government and industry, according to copies of the draft document reviewed by eWEEK.
To facilitate this process, the strategy also recommends that the private sector develop one centralized network operations center "that could operate 24x7 to assess Internet health [and] complement the Department [of Homeland Security's] centralized capability and the overall National Cyberspace Security Response System."
The strategy contemplates Homeland Security creating a "single point of contact for the federal government's interaction with industry and other partners" regarding major security incidents, information sharing, analysis, warning and recovery efforts.
All of this would be coordinated by a new "infrastructure protection program office" that would handle the two-way flow of data between the private sector and the government, according to the draft plan. The office would also be responsible for determining how to store information regarding critical infrastructure protection that is voluntarily submitted by non-government organizations.
Although the strategy repeatedly emphasizes the need to handle such data carefully, it also recommends several measures that are sure to draw the attention of privacy advocates and civil-liberties organizations. Among the directives is a provision requiring the Department of Justice to work with the Census Bureau to develop "better data about the victims of cybercrime and intrusions."
While there is considerable space given to the need for reducing the number of vulnerabilities in software products and in critical protocols and systems such as BGP (border gateway protocol), the Domain Name System and IP, the strategy makes little mention of how to go about fixing these problems, a key shortcoming, security experts say.
"As we move to wireless everywhere and universal Web-control of appliances, if the government doesn't act quickly, millions of unprotected systems will be made available to any attackers who choose to use them," said Alan Paller, director of research at The SANS Institute in Bethesda, Md. "It is unlikely that more than one million are needed for a large-scale sustained DDoS attack that disables most Internet traffic."