The IT industry last week answered the Bush administrations call for comments on its draft strategy for securing the countrys computer networks. Software and hardware vendors are looking for stronger recommendations to guide them in selling their wares to the government, but they also want assurances that the strategy wont become a vehicle for costly regulations later.
The National Strategy to Secure Cyberspace is bold in its pronouncements of the importance of voluntary action within the private sector as well as partnerships between industry and government. Not fully convinced that the plan is not a slippery slope toward mandates, however, software makers last week asked the administration to clarify that the government endorses market-based technology development and doesnt plan new regulations.
One potentially troubling recommendation to the industry calls for a federal assessment of private-sector security service providers. The Business Software Alliance asked the administration to make it clear that the assessment would apply only to individuals and not to specific systems or products. The BSA, in Washington, supports neither a seal of approval for security products nor the creation of a federal certification program.
The software alliance also opposes a recommendation calling on the National Security Telecommunications Advisory Committee and National Infrastructure Assurance Council to set up a standards-setting organization. "We can foresee only duplication of existing efforts or, of more concern, government-guided efforts at regulation from such a body, either directly or through the migration of procurement specifications," the BSA wrote in its comments.
Similarly, the alliance objects to a draft recommendation to set up a public/private fund to identify and address technology needs for the Internet. Such needs are already identified, the BSA maintained, and the fund "could become a hidden tax on industry and a mechanism for aggressive regulation."
Large enterprises raised the same concern last week about the balance between security measures and economics. The Business Roundtable, made up of CEOs of Fortune 200 companies, commended the voluntary recommendations, particularly the call for CEOs to become fully involved in security, but cautioned that the strategy must address associated costs.
The governments efforts to gather more network vulnerability information from the private sector—efforts that began well before Sept. 11, 2001, but have gained momentum since—continue to prove to be a major hurdle. Those in the industry say theyre willing to turn over more data, but only if it is guaranteed that it wont be held liable for privacy or antitrust violations in doing so.
ITs Suggestions for Cyber-Strategy
- Clarify that federal recommendations are not a back door to regulation
- Reinsert explicit support for laws protecting private companies that share data with the government
- Avoid creating bureaucracies that duplicate existing initiatives
- Include strong recommendations for private sector to voluntarily improve security