Public comment on a newly released draft of the National Strategy to Secure Cyberspace began swiftly last week, with mixed reviews ranging from toothless to thoughtful. But most IT executives and Washington insiders agree the final version of the plan will contain stronger, more specific language.
On the eve of what should have been the unveiling of the official strategy last week, the Presidents Critical Infrastructure Protection Board opted instead to issue the "working draft" amid calls for more input from industry executives and government officials.
"The reason is were not going to get the level of commitment and buy-in we need if we dont get comments," CIPB Chairman Richard Clarke said of the delay. "As important as the substance of the strategy is ... the process is almost as important."
The softened language in the draft can be attributed to critical feedback from a range of interests, including the high-tech, power and utility sectors, as well as public interest groups, Washington insiders say.
"I think there were going to be stronger things, but [Clarke] began to see that it might be [too] prescriptive. I give [Clarke] credit. This was not what they intended to do," said Ron Sable, vice president of the public-sector unit at Guardent Inc., a managed security company in Waltham, Mass., and a former National Security Council official. "They heard from people who said [it] was too strong."
The strategy released last week represents a toned-down version of draft language that was considered over the summer and that was obtained by eWeek. "Some industries may have been hoping for a more specific, detailed approach, but thats not what youre going to get," said Kevin Nixon, senior director of security business strategy for the Exodus division at Cable & Wireless plc., in Dallas. "Common sense and good judgment prevailed, and the [CIPB] said, Wait a minute; were violating our own precepts here."
Clarke denied his office was unduly pressured by lobbyists. "Its a vast exaggeration that private industry lobbied for things to be taken out," he said during the preliminary unveiling of the draft last week. "We have not been changing things up to now under pressure from anybody outside of government."
Exodus was involved in an ISP working group that submitted proposals for the strategy, including the establishment of a federal NOC (network operations center). "The spirit is that a NOC would monitor the Internet from a national security perspective," Nixon said. In the August draft, it was suggested that the government partner with the private sector to set up the NOC and that lawmakers should consider partially funding it. In the latest version, federal funding is not recommended, and the government is not named as a partner.
ISPs will also advocate stronger recommendations for legislative changes to reduce the liabilities of sharing customer data, Nixon said. In fact, specific language supporting greater exemptions to the FOIA (Freedom of Information Act) and expanded antitrust liability protections for companies turning data over to the government were included in an earlier draft. That language was likely taken out to avoid setting up a prescriptive methodology, Nixon said.
In the post-comment version of the strategy, such specifics are likely to be included in appendixes, he added. For now, the absence of a recommendation advocating specific expanded FOIA legislation is consistent with the privacy communitys concerns, according to David Sobel, general counsel at the Electronic Privacy Information Cen- ter, in Washington. EPIC participated in some meetings with Clarkes staff but was never shown preliminary drafts of the strategy, Sobel said.
"One of the first things I said to the White House staff is that to the extent the strategy involves FOIA suggestions or other secrecy initiatives, were strongly opposed," Sobel said. "They certainly got that message from the privacy and civil liberties communities."
Those in the security community are concerned that the strategy concentrates too much on the government and is too soft on the private sector.
"Id like to see them make software companies take responsibility for the reliability of their products," said Wyatt Starnes, CEO and co-founder of security vendor Tripwire Inc., based in Portland, Ore., who consulted with the CIPB on the strategy. "This industry has had a bye for a long time."
The issue of more reliable and secure software is a favorite of CIPBs Clarke, and sources say it is likely that the final version of the strategy will contain language laying out steps vendors should take to develop more secure products. Currently, the draft includes a recommendation that "a national public/ private partnership should promulgate best practices and methodologies that promote integrity, security and reliability in software."
The strategy also discusses the possibility of requiring all government agencies to buy only those products that meet certain minimum security standards. The draft fails to elaborate on what those standards might be, however.
Only the section on the federal government lists any required actions, which critics say reveals one of the key weaknesses of the strategy.
"The hammers in the government are few [regarding the private sector]. How can they compel businesses to adopt these things?" asked Guardents Sable. "On the commercial side, its a question of budget and whether theyve had a problem in the past and think theyre likely to have one in the future."
A key theme of the draft is the need for the sharing of incident and remediation data in vertical industries as well as across sectors. However, a number of hurdles must be cleared before that becomes a reality, experts said.
"One of the biggest obstacles is the general counsel will advise CEOs not to share that information," said Ty Sagalow, chief operating officer at American International Group Inc.s eBusiness Risk Solutions, based in New York, and the insurance-sector coordinator for the national strategy. "We also need a FOIA exemption, antitrust exemption and a legal safe harbor like they had for Y2K. How are they going to do all this?" Sagalow asked.
President Bush named 27 members to the National Infrastructure Assurance Council last week; they will have until Nov. 18 to comment on the plan. After that input is considered and incorporated, Bush will release the plan before years end, officials said.