Richard Clarke, chairman of the President's Critical Infrastructure Protection Board, has been teasing us with snippets of a long-awaited federal cyber-security plan, due Sept. 18. Based on what we've heard so far, the plan shows promise. Here are some things we'd like to see when the ink is dry.
Since few things are so insecure as a new PC, the PCIPB plan should push manufacturers to include safeguards. New machines should arrive with security updates applied, all optional network services turned off and a simple firewall enabled.
Clarke has said he wants to require certification by the National Institute of Standards and Technology's National Information Assurance Plan for all government technology purchases. That makes sense, but the lengthy and expensive NIAP certification process must be streamlined so that all vendors can comply.
The PCIPB plan also needs to address ways to automatically update the machines already populating our networks. We like automatic update agents as long as they don't change systems without an OK from central IT first.
The sharing of vulnerability information, always a source of great angst among security insiders, needs to be coordinated, and the PCIPB initiative is the perfect mechanism for bringing divergent groups together. Clarke's preliminary pitch strikes a reasonable middle ground between free-for-all disclosure and the close-to-the-vest approach favored by software vendors. We urge him to hold that ground.
Clarke has saved his sharpest criticism for ISPs that sell broadband connections without giving users proper protection. We agree. The federal cyber-security plan must require service providers to give users tools such as firewalls if they don't have them. ISPs should also be required to sniff out spoofed IP addresses in their own traffic.
The PCIPB has shown it can make worthwhile progress in IT security, playing a key role in the creation of the Consensus Baseline Security Settings for Windows 2000 machines (available at www.cisecurity.org).
The PCIPB is now poised to build on that work, using the big stick of the federal government's purchasing power to enhance IT security for all.