New Homeland Security Guidelines Called Vendor-Driven

The recommendations of a federal task force due Thursday reportedly center on increasing users' awareness of security issues through education.

A task force formed by the Department of Homeland Security is set to unveil a set of security recommendations this week for both enterprises and home users, but many industry observers say the guidelines are too little, too late.

The guidelines are the work of the Awareness for Home Users and Small Businesses task force, formed late last year by DHS and private industry at the National Cybersecurity Summit. The group and several others formed at the same event are designed to help foster better cooperation between government and industry and to tackle topics such as creating early warning systems, writing secure software and bolstering security in corporate governance.

The groups mainly comprise executives from security and software vendors such as Oracle Corp., Microsoft Corp., RSA Security Inc. and Internet Security Systems Inc., as well as government officials and security experts in academia.

The recommendations, scheduled to be released Thursday, are intended as a follow-up to the National Strategy to Secure Cyberspace, released in early 2003 and widely panned in the industry for being long on platitudes and short on definitive action. The new offering reportedly centers on increasing users' awareness of security issues through education and communication.

"Because this is driven mainly by the vendors, it will be about blaming the users," said Alan Paller, research director at The SANS Institute in Bethesda, Md. "Private industry isn't doing its part to fix the problems we have with software and processes. It's like telling drivers to drive safely and not fixing the bumpers and the seat belts."

Following the national strategy's release, several high-ranking government security officials left for the private sector, frustrated by the process and its results. Now, people close to the task force's endeavor say the same fate is likely to befall it. In fact, one member of the corporate governance task force—the chief security officer of a large, international company—quit after becoming fed up with the amount of influence technology vendors had in the process, according to an industry executive with direct knowledge of the incident.

"Everybody is quite irritated by the agendas being advanced by the vendors," said one executive involved in the process, who asked to remain anonymous. "IT security has always been driven by the vendors, and this is just more of the same. I've yet to see it ever being someone besides the vendors controlling the process. When is the government ever going to engage the actual practitioners?

"It's just another example of the same fable with a different title. It's this façade of the public-private partnership, and it's all [garbage]."

Some industry executives say that even though the guidelines appear to be nothing new, there is still value in continuing to bang the drum on user awareness.

"I believe they're approaching it in somewhat the right way in trying to get a broad range of opinions," said Irfan Salim, president and chief operating officer of San Francisco-based Zone Labs Inc., who was not directly involved in the task force. "But I don't believe people should be recommending specific technologies. Regardless of the technology, user awareness is the key."