Yesterday the White House released its long-awaited "National Strategy To Secure Cyberspace."
This high-level blueprint document (black/white or color), in-development for over a year by
Richard Clarke's Cybersecurity team, is the latest US government plan to address the many issues
associated with the Information Age.
The Strategy was released by the President's Critical Infrastucture Protection Board (PCIPB), an Oval Office entity that brings together various Agency and Department heads to discuss critical infrastructure protection. Within the PCIPB is the National Security Telecommunications Advisory Council (NSTAC), a Presidentially-sponsored coffee klatch comprised of CEOs that provide industry-based analysis and recommendations on policy and technical issues related to information technologies. There is also the National Infrastructure Advisory Council (NIAC) - another Presidentially-sponsored klatch - allegedly consisting of private-sector 'experts' on computer security; but in reality consists of nothing more than additional corporate leaders, few if any considered an 'expert' on computer security matters.
Thus, a good portion of this Presidential Board chartered to provide security advice to the President consists of nothing more than executives and civic leaders likely picked for their Presidential loyalty and/or visibility in the marketplace, not their ability to understand technology in anything other than a purely business sense. Stacking the deck with friendly faces (and thus receiving anything but objective advice) is not new to the President, who recently stacked his Scientific Advisory Council with those supporting his policy agendas. Factor in Richard Clarke's team – many of whom, including Clarke, are not technologists but career politicans and thinktank analysts – and you've got the government's best effort at providing advice to the President on information security, such as it is. (One well-known security expert I spoke with raised the question about creating a conflict of interest for people who sell to the government or stand to gain materially from policy decisions to act in advisory roles, something that occured during the Bush Administration's secret energy meetings.)
Now that you know where the Strategy comes from, and where the real interests lie behind its creators, let's examine some of its more noteworthy components.
Although the Administration heralds this as the first "National Strategy" for cyberspace security, we need only reflect on the Clinton Administration's "National Plan for Information Systems Protection" from 2000, and the President's Commission on Critical Infrastructure Protection Report from 1996 - like its predecessors - and despite the publicity push from the Administration - nearly all of what's in this Strategy isn't new, either in what it says or what it fails to say. In keeping with tradition, the Strategy "addresses" various security "issues" instead of directing the "resolution" of security "problems" – tiptoeing around the problems instead of dealing with them head-on and demanding results.
At times, the Strategy reads like the fear-mongering propaganda published by assorted industry groups and security product vendors. It claims that 70% of cyber-attacks on corporations are caused by insiders, yet provides no source for these statistics. Further, during its discussion of the threats and vulnerabilities, there's an eye-catching sidebar with a hypothetical worst-case cyberterrorism scenario conjured up by "50 scientists, computer experts, and former intelligence officers" – and throughout the report are statements that the Administration consulted with experts across the country in a variety of industries. Yet there's no reference listing who these 'experts' are, or what their credentials are to enable them to make such prophecies and participate in the preparation of this Strategy, something that undermines the credibility of these statistics and statements For all we know, these 'experts' are career politicians, academics, or clueless CEOs – many of whom probably never served in an operational IT capacity before -- and thus don't understand the reality of today's information environment.
To its credit, the Strategy provides (yet another) list of suggested 'best practices' and proposals to improve technology security in a variety of venues, from homes and small business to government and large enterprises. It uses simple, easy-to-read language and presents its contents in vibrant color with lots of white space and eye-catching sidebars and high-tech graphic motifs, very much like a vendor's Powerpoint presentation for prospective customers..
In the areas of corporate security improvements, the Strategy indeed shines, as it recommends Board-level accountability for information security, proper security administration, and better integration and alignment of information security with senior management and business goals. This is perhaps the best component of the Strategy, and actually provides innovative guidance that can be implemented fairly easy by corporations.
The Strategy makes it clear that it is to serve not as a "Federal government prescription" but as a "participatory process" to develop America's national information security environment with the private sector, and believes that a hands-off policy is the correct way to work with them. Indeed, for technology's private sector, this is a good thing given the speed that government operates. Unfortunately, for the federal government, what is currently needed is not a prescription but a mandate on what must be done (and by when) to improve federal information security, not another list of things that "should" be done but most likely won't.
In this regard, the Strategy is no different than other government cyber-strategy documents (mentioned earlier) and audit reports (from GAO or OMB) published over the years espousing the need for better systems security and what "should" be done to improve it. For the private sector to take the government seriously in this area, government needs to police itself first before coordinating the efforts of industry.
As expected, the Strategy gives a tiny nod to developing a separate government-only network, otherwise known as GovNET. While sounding good on paper - and been Clarke's vision for years - leading security professionals question the logic of such a network. Given that the Internet is redundant with multiple – if not infinite – numbers of pathways between nodes, one wonders why Clarke & Co. are considering moving large chunks of the government to a network with a finite series of nodes, and multiple single points of failure or attack – thus consolidating all his eggs into one basket just waiting to be dropped? (Earlier this year, Clarke acknowledged that GovNET would still have its share of viruses, trojans, and worms, so one has to further wonder about this proposal, since it's apparently not going to be any more secure or robust as what he's got now.)
According to the Strategy, vendors and possibly security consultants may be required to obtain government or industry-based certifications to prove their competency. Again, this sounds good on paper, but some argue this requirement could be skewed to favor large, established companies (or products) and thus alienate small firms, consultants, or alternative technologies from the 'certified' mainstream security or technology industry. Further, the Administration fails to note that a certification (or a college degree in cyber-security, another of its proposals) does not make a person any more competent a professional; rather it takes years of applied experience to be considered an 'expert' and 'competent' in one's field. Contrary to the profiteering interests of certification and testing organizations, we forget that nearly anyone can pass a test; what matters is how they perform in the workplace, not in the classroom.
Regarding technology products, the Strategy discusses employing programmers who understand security to code better products, yet makes no mention about the executives in marketing and corporate leadership wanting to bundle features together to make a product 'convienient' for marketing purposes and thus likely more exploitable. Certainly, we need programmers to understand software and system-level security, but programmers are only one small part of the problem (a very small one in the grand scheme of the software industry) and act at the direction of the higher-ups in the company. Executives must realize the dangers of – and work to reduce or eliminate – 'feature-creep' in their products that leads to exploitation. Just consider how much 'more secure' your information would be, and how much less spam you'd receive had Microsoft not integrated Internet Explorer and Visual Basic Scripting into Windows.
The Strategy notes that "systems often become overloaded or fail because a component has gone bad" and proposes that "trustworthy computing" be part of a national priority. Not surprisingly, this is the same term used by Microsoft to describe its multi-faceted approach to securing future versions of Windows. Conspiracy theories about this will abound, particularly given the close ties Redmond has with the White House. Industry analysts will also watch to see how quickly Hollywood's cartels leap to position their copy control initiatives as part of "trustworthy computing" to ensure their profit streams, and link their revenue protection to computer security features.
It's interesting that - perhaps as a result of industry lobbying (or the Administration's ignorance) - the Strategy has no concern over the current 'monoculture' environment for operating systems, chosing instead to support the development of new security products, technologies, and services to be built around (or over) the current (and heavily-flawed) 'foundation' for most of America's critical systems. The Strategy must consider such preventable (but recurring) problems as the price of doing business in the Information Age, something that many believe is foolhardy and complacent thinking.
Then again, effectively securing the foundation of our systems – the operating systems – would mean fewer security products and services need to be purchased from third parties ... perhaps this oversight in the Strategy is tribute to the lobbying efforts of security vendors trying to preserve their revenue streams?
A national strategy is certainly necessary to effectively deal with the many problems of computer security. While there are indeed well-conceived portions of the Strategy that will lead to procedural improvements in America's information security posture if implemented, the Strategy falls far short of what it was heralded as by the Administration, and were the subject of this article.
The release of the National Strategy To Secure Cyberspace is yet another Oval Office attempt to gain consensus in dealing with the many problems associated with effective information security in the United States. Unfortunately, in the areas most responsible for the dismal current state of information security, the Strategy fails to recognize and deal with them at all.
If the administration spent one-tenth the time or money on actual security implementation and education (thus leading to long-term solutions) that it does on convening boards of advisors, councils, town hall meetings, and issuing vaguely-worded, broadly-encompassed, slickly-packaged "feel good" reports like this one, there wouldn't be such a large computer security problem needing to be remedied in the first place.