When the final version of President Bushs cyber-security plan is released later this month, its success, in large part, will hinge on the willingness of industry to buy in to the plans recommendations.
The National Strategy to Secure Cyberspace depends heavily on network operators and industry groups sharing with the government information on network attacks, security threats and widespread vulnerabilities. While similar efforts in the past have failed, some industry insiders say there is reason to believe that this time may be different.
“The strategy is being accepted within the government,” said Pete Morrison, director of the public sector at security vendor Netegrity Inc., in Waltham, Mass. “Ive seen a new awareness inside the government, and I think when people see that, they [will be] more willing to take it seriously and help with information.”
The centerpiece of the strategy, draft copies of which were reviewed by eWeek last week, is a comprehensive cyber-security response system that relies on contributions from the private sector. The system would utilize a broad information-sharing program both inside and outside the federal government, facilitated by a separate office within the Department of Homeland Security, which the plan also calls for.
The “infrastructure protection program office,” as referred to in the draft, would handle the flow of data between the private sector and the government. The office would also be responsible for determining how to store information regarding critical infrastructure protection that is voluntarily submitted by nongovernment organizations.
The strategy also recommends that the private sector develop a centralized network operations center “that could operate 24-by-7, to assess Internet health [and] complement the Department [of Homeland Securitys] centralized capability and the overall National Cyberspace Security Response System,” the draft reads.
This latest draft is very similar to the final document President Bush approved and signed late last month, according to sources familiar with the process. However, this final version differs greatly from the preliminary draft released for comment by the Presidents Critical Infrastructure Protection Board in September under the direction of outgoing PCIPB Chairman Richard Clarke.
That original draft was divided into five sections—covering home users and small businesses, large enterprises, critical sectors, national priorities, and global issues. The final version is organized along five priorities—a national cyberspace security response system, a national cyberspace security threat and vulnerability reduction program, a national cyberspace security awareness and training program, securing governments cyberspace, and international cyberspace security cooperation.
And where the original draft was heavy on recommendations and suggestions, the final version uses much stronger language, in many cases issuing directives to various government agencies.
Still, the core of the new plan is cooperation and information sharing—both sensitive subjects for the private sector. Past information-sharing concepts, not sponsored by the government, have centered on organizations such as the industry-specific Information Sharing and Analysis Centers and the FBIs InfraGard. However, these and other plans have lacked a good definition of the kind of data the government needs and how its going to be handled once its submitted. As such, security experts say this time around, the government would do well to make such distinctions.
“Sharing information [on vulnerabilities] reveals nothing that would make a company look bad in front of its customers,” said Stuart Schechter, a security researcher at Harvard University, in Cambridge, Mass., and co-author of a paper on the benefits of information sharing. “Even revealing that youve seen a vulnerability exploited doesnt reveal that this has resulted in a successful attack. Better statistics on just how many systems are broken into because systems arent patched would be nice to know—but most of us know where these systems fail. Better numbers on losses from attacks would certainly be useful.”
However, some security experts are pessimistic about the chances for widespread cooperation.
“History has shown that unless theyre forced to, people wont reveal any information, for obvious reasons,” said Avi Rubin, associate professor of computer science and technical director of the Information Security Institute at Johns Hopkins University, in Baltimore. “On the other hand, we still dont have good protective measures yet. They need to allocate more funding to research. They should let those of us who know what were doing do it.”
- Special Report: Bushs Cyber-Security Plan
- More Security Coverage