That's fine with chief security officers. "I was afraid we were going to be told we'd have to report breaches and attacks against our systems to the federal government. That's something we're not inclined to want to do," says one CSO, who asked not to be identified.
"The government cannot dictate. The government cannot mandate. The government cannot alone secure cyberspace," said Richard Clarke, special adviser for cyberspace security, at the unveiling of the strategy at Stanford University.
While execs seemed relieved by the lack of mandates, some experts criticized the plan, saying the government needs to establish both incentives for companies that invest in security and punishment for those that don't. "Mandatory reporting by the government to some central authority with meaningful sanctions" is needed, says Mark Rasch, former Department of Justice computer-crime prosecutor. Rasch, now an attorney specializing in the legal aspects of information security, cited tax incentives as one example.
John Pescatore, a security analyst with Gartner, says the plan offers useful guidance on strategy and best practices but too few details on tactics. Pescatore would like to see reports about steps businesses have taken to secure their systems, much the way they had to report Y2K remediation efforts. "Only then will you bring accountability to the board," he says.
Not surprisingly, security and software vendors mostly applaud the draft. Scott Charney, chief security strategist at Microsoft, says he's all for the government giving the public a two-month window to comment on the strategy before any plan is finalized. Charney says he hopes the government will take recommendations from the private sector seriously as the strategy solidifies.
Gene Hodges, president of Network Associates, says Clarke "is walking a fine line between patting people on the back and kicking them in the behind."
The draft recommendations can be seen at www.whitehouse.gov/pcipb.