News
News
9/19/2002
02:00 PM
50%
50%

A Split Reaction To Bush's Cybersecurity Strategy

The draft document reads like a request for individual responsibility. That's just fine for some and too weak for others.

The Bush administration's draft recommendations, "A National Strategy To Secure Cyberspace," have been met with mixed reviews from the information-security industry. As reported last week by InformationWeek, instead of mandates and government regulation, the draft reads more like a request that companies, agencies, and individuals take responsibility for their systems and work with the government when necessary to ensure that critical systems remain unbreached and running.

That's fine with chief security officers. "I was afraid we were going to be told we'd have to report breaches and attacks against our systems to the federal government. That's something we're not inclined to want to do," says one CSO, who asked not to be identified.

While sources familiar with the recommendations say there was nothing in earlier versions that would have called for businesses to report cyberattacks and breaches to the government, the draft released this week does call for ways federal agencies "should identify and remove barriers to public-private information sharing and promote the timely two-way exchange of data to promote increased cyberspace security."

"The government cannot dictate. The government cannot mandate. The government cannot alone secure cyberspace," said Richard Clarke, special adviser for cyberspace security, at the unveiling of the strategy at Stanford University.

While execs seemed relieved with the lack of mandates, some experts criticized the plan, saying the government needs to establish both incentives for companies that invest in security and punishment for those that don't. "Mandatory reporting by the government to some central authority with meaningful sanctions" is needed, says Mark Rasch, former Department of Justice computer-crime prosecutor. Rasch, now an attorney specializing in the legal aspects of information security, cited tax incentives as one incentive.

John Pescatore, a security analyst with Gartner, says the plan offers useful guidance on strategy and best practices but too few details on tactics. Pescatore would like to see reports about steps businesses have taken to secure their systems, much the way they had to report Y2K remediation efforts. "Only then will you bring accountability to the board," he says.

Not surprisingly, security and software vendors mostly applaud the draft. Scott Charney, chief security strategist at Microsoft, says he's all for the government giving the public a two-month window to comment on the strategy before any plan is finalized. Charney says he hopes the government will take recommendations from the private sector seriously as the strategy solidifies.

Gene Hodges, president of Network Associates, says Clarke "is walking a fine line between patting people on the back and kicking them in the behind."

The draft recommendations can be seen at www.whitehouse.gov/pcipb.

Comment  | 
Print  | 
More Insights
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest, Nov. 10, 2014
Just 30% of respondents to our new survey say their companies are very or extremely effective at identifying critical data and analyzing it to make decisions, down from 42% in 2013. What gives?
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on InformationWeek.com for the week of November 16, 2014.
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.