Critics who called the governments draft plan for improving cyber-security toothless and overly broad are likely to be sorely disappointed by the next version when its released within the next few weeks.
A current version of the document circulating in Washington contains even less detail and fewer specific recommendations than did the original draft released last September, say sources. The document also reflects the Bush administrations propensity to avoid regulation and mandates in favor of using market forces and other unofficial methods of influencing industry decisions.
Richard Clarke, the chairman of the Presidents Critical Infrastructure Protection Board, which is writing the national strategy, has said repeatedly that he plans to use the governments purchasing power to buy more secure software and hardware products. He hopes that this will, in turn, force vendors to improve the security of their offerings in order to have a shot at some of the billions of dollars that federal agencies spend annually on IT purchases.
“Theres going to be less command-and-control and more of a market-driven approach,” said Mark Rasch, senior vice president and chief security counsel at security vendor Solutionary Inc., based in Omaha, Neb., who has been in close contact with people in the White House regarding the national strategy. “The problem with that strategy is, we already have that. We already have exactly the level of security that the market dictates.”
And, thanks to lobbying efforts by such vendors as Cisco Systems Inc. and others, the National Infrastructure Assurance Council voted to remove a provision from its forthcoming report to the president that would have required security testing of any product used to protect a portion of the critical infrastructure. This effectively kills what would have been a major incentive for software and hardware vendors to improve the security and reliability of their products.
The NIAC, comprised of private sector representatives appointed by the president, is currently developing a report for President Bush that is closely tied to the national strategy. The council will make its security testing proposal a recommendation instead of a requirement.