The IT industry last week answered the Bush administrations call for comments on its draft strategy for securing the countrys computer networks. Software and hardware vendors are looking for stronger recommendations to guide them in selling their wares to the government, but at the same time they want assurances that the strategy wont become a subtle vehicle for costly regulations down the road.
The draft National Strategy to Secure Cyberspace is bold in its pronouncements on the importance of voluntary action within the private sector and partnerships between industry and government. Not fully convinced that the plan is not a slippery slope toward mandates, however, software makers last week asked the administration to clarify that the government endorses market-based technology development and doesnt plan to impose regulations.
One potentially troubling recommendation to the industry calls for a federal assessment of private sector security service providers. The Business Software Alliance asked the administration to make it clear that the assessment would apply only to individuals and not to specific systems or products. The BSA supports neither a seal of approval for security product nor the creation of a new federal pre-certification program for IT professionals.
The software alliance also opposes a recommendation calling on the National Security Telecommunications Advisory Committee and National Infrastructure Assurance Council to set up a new standards-setting organization. “We can foresee only duplication of existing efforts—or, of more concern, government-guided efforts at regulation from such a body, either directly or through the migration of procurement specifications,” the BSA wrote in its comments. “New or additional organizations will only divert and fractionate government and industry attention from more concrete efforts to improve cyber security.”
Similarly, the alliance objects to a draft recommendation to set up a public/private fund to identify and address technology needs for the Internet. Such needs are already identified, the BSA maintained, and the fund “could effectively become a hidden tax on industry and a mechanism for aggressive regulation of the information technology sector.”
Large enterprises raised the same concern last week about the balance between security measures and economics. The Business Roundtable, made up of CEOs of Fortune 200 companies, commended the voluntary recommendations, particularly the call for CEOs to become fully involved in security, but cautioned that the strategy must address the cost of implementing and deploying solutions.
The governments efforts to gather more network vulnerability information from the private sector—efforts that began well before Sept. 11, 2001, but gained momentum in light of that tragic date—continue to prove to be a major hurdle. Industry is willing to turn over more data, but only if it is guaranteed that it wont be held liable for privacy or antitrust violations in doing so. A broad consensus exists among private companies encouraging the administration to re-insert language endorsing legislation that would relieve them of Freedom of Information Act obligations and antitrust rules when turning over data.
There is disagreement within the industry about the role of home users and small businesses, which comprise one of five “levels” the draft strategy addresses. The BSA made special praise of the inclusion of individual citizens, asserting that home users and small businesses must be “a key and growing component” of the plan.
Other software and hardware vendors, represented by the Computer and Communications Industry Association, are seeking a different approach, however. “[W]e see little hope in asking the average computer user to upgrade his system, as proposed by the Draft Strategy,” said CCIA in its comments. “Given the complexities of even rudimentary security, there will always be thousands, if not millions, of PCs ready to be exploited as network `zombies.”
A more effective plan would encourage diversity in computing and recommend the use of a wide range of products and services, particularly within government. Asserting that Microsoft Corp.s Outlook and Outlook Express “have spread billions of copies of Windows worms around the globe due to poorly vetted coding and fundamental weaknesses in security design,” CCIA urged the administration to encourage open source software.