The White House on Wednesday released a draft of its cybersecurity plan, a document that many critics are already saying is too tepid and watered-down to have any real effect on the country’s network security.
Richard Clarke, chairman of the President’s Critical Infrastructure Protection Board, has been planning for several months to release the National Strategy to Secure Cyberspace at a high-level event in Silicon Valley. But the board instead released a draft of the strategy and will go back to private industry and public sector experts to seek more suggestions for the final plan.
The delay was necessary “so that everyone in the country can see it, so that everyone in the country can tell us what the national strategy should be,” Clarke said during the announcement of the draft’s release at Stanford University in Palo Alto, Calif., Wednesday. There will be a 60-day public-comment period, after which the PCIPB will wade through the suggestions and produce a final version of the strategy, likely by year’s end.
In addition to the release of the draft, Clarke also announced the appointment of 27 business, academic, law enforcement and government leaders to the new National Infrastructure Assurance Council. The council will advise President Bush on security matters and will have until Nov. 18 to submit input on the plan. After that input is considered and incorporated, Bush will release the plan himself.
Also, the FBI and the Secret Service announced a new joint task force to improve the investigation of cybercrimes.
The strategy comprises a set of recommendations for improving information security in the public and private sectors and is divided into five levels: home users, large enterprises, critical sectors, national priorities and global. Only the section on the federal government lists any required actions, which critics say reveals one of the key weaknesses of the strategy.
“The hammers in the government are few [regarding the private sector]. How can they compel businesses to adopt these things?” said Ron Sable, vice president of the public sector at Guardent Inc., a managed security company in Waltham, Mass. “On the commercial side, it’s a question of budget and whether they’ve had a problem in the past and think they’re likely to have one in the future.”
Howard Schmidt, vice chairman of the PCIPB, acknowledged the strategy’s limitations.
“This is not about government regulation to achieve cybersecurity. This is not about the government running the Internet,” Schmidt said. The board’s goal is to increase government support for the private sector’s efforts to secure the Internet.
The release of the draft marks an important milestone in the plan’s development, as it is the first time the strategy is publicly available. Various people have seen small sections of the draft as it has evolved in recent months, but few have seen the entire document.
The plan was developed in part from suggestions provided by security experts, CEOs and others in several sectors of the economy, including banking and finance, insurance and health care.
As eWEEK first reported in a series of stories beginning last month, the strategy at one time included several controversial elements, including the establishment of a federal network operations center to gather and inspect data traffic from ISPs, a recommendation that businesses disclose their security efforts and the appointment of a national privacy czar to oversee the government’s policies and compliance. Many of the proposals drew sharp criticism from security and privacy experts and industry executives.
The White House has since backed away from many of the proposals, including the privacy czar. The plan was also modified regarding a recommendation that ISPs give consumers personal firewall software when they sign up for broadband Internet service. The service providers complained that supporting millions of users unfamiliar with security technology would be an expensive logistical nightmare.
Security experts say delaying the plan’s release is a good move in the long run, but the opportunity for public comment is something that should have come sooner.
“They went and solicited information and then compiled it and were going to release it without any more input,” said Scott Blake, vice president of information security at BindView Corp., in Houston, Texas. “But at the same time they wanted people to be on board and support it. Not very many people were going to get on board and support something they haven’t read. This is a good thing and it should’ve been the plan all along.”