A lack of focus and leadership within the federal governments security community makes it unlikely that many of the initiatives in the recently released National Strategy to Secure Cyberspace will ever be implemented, security experts and Washington insiders say.
And, as the strategy centers on improving security inside the Beltway—a major shift from early drafts of the plan with few incentives for the private sector—critics say sweeping changes in the overall state of network security are also unlikely as a result.
"This looks like another great attempt by the government to say, Were here to help you. But so what," said Scott Blake, vice president of information security at BindView Corp., based in Houston. "They have to pretend they know what theyre talking about, even though they clearly dont. What resources theyll put behind [the strategy] is questionable."
The new Department of Homeland Security is slated to bear much of the responsibility for carrying out the strategy, which was released with little fanfare Feb. 14. But without a person in the top information security post of the DHS (it has yet to be filled), and with the imminent departure of the plans architect and chairman of the Presidents Critical Infrastructure Protection Board, Richard Clarke, the strategy lacks a strong, high-profile sponsor within the government.
Washington insiders say Clarke, who will leave his post next month, wanted the strategy to remain the responsibility of the PCIPB and the White House. But others in the Bush administration saw the strategy as a perfect opportunity to validate and test the DHS.
"It looks like Clarke kind of lost interest after that," said one security industry source with close ties to the administration. "He wanted it run out of the White House."
Without the continued support of Clarke—or someone else with equivalent political clout and knowledge—the strategy may languish as just another policy document with plenty of good ideas but few teeth.
"What it lacks is a carrot and a stick," said Mark Rasch, senior vice president and chief security counsel at Solutionary Inc., in Omaha, Neb. "Why would anyone in the private sector spend money on these things if they havent already? Where are the specifics about funding? Weve known we needed to do these things to stay secure for 20 years. Wheres the action plan? I wish there was something even remotely controversial in here to debate."
A large portion of the national strategy is given over to recommendations on what federal agencies can do to shore up the security of their networks. Ample space is given to implementing programs such as a governmentwide clearinghouse for software patches, continuing the use of automated security assessment tools, and exploring the use of stronger access control and authentication technologies.
But the recommendations for corporations, universities and other organizations are far less specific and are geared more toward raising the overall awareness level about major security issues. Insiders say the government hopes to use the recommendations to fix its problems internally and lead by example. This is a reversal for many government agencies that have looked to industry as a source of best practices for security.
While soft-pedaling mandates on private network operators, the strategy does, however, ask the private sector for unprecedented cooperation in sharing information on attacks, threats and software vulnerabilities.
"I dont think thats all that inappropriate. To the extent that it sounds like theyre the keepers of the wisdom on the subject of security, it sounds foolish because everyone knows theyre not," BindViews Blake said. "They have to ask for help to get it done. But the strategy doesnt spell out the specifics on much of this stuff, and if that doesnt happen, I think its DOA."
Others in the security industry agreed.
"Any time theres this awareness about security, it has raised the bar to the level of the [chief financial officer], and thats important because companies are more likely to act on it," said Pete Morrison, director of the public sector at Netegrity Inc., in Waltham, Mass. "But unless organizations see how it can help financially, its not a top priority."
Issues facing implementation of the National Strategy to Secure Cyberspace:
- Lack of information security leadership at DHS
- Few incentives or mandates for private companies to comply
- Lack of clear funding sources for many proposed programs
- Few clearly assigned tasks within the government