The Right Balance - InformationWeek


The Right Balance

National cybersecurity plan takes shape but raises questions about expectations

The Bush Administration this week is scheduled to unveil its long-awaited strategy to protect the nation's IT infrastructure. Already, however, some IT executives caution that certain proposals in a draft circulated last week among government officials may be ineffective. And they don't want Congress or federal agencies to force measures on them.

The National Strategy to Secure Cyberspace, developed by White House cybersecurity adviser Richard Clarke and being reviewed by President Bush and Homeland Security director Tom Ridge late last week, will call on everyone from the largest businesses to consumers to help the federal government track cyberthreats and prevent attacks, particularly those aimed at financial, government, utility, and other key networks.

President Bush's Critical Infrastructure Board will ask for feedback on 86 proposals contained in the document and issue a final statement in February. Congress and federal agencies then will determine how to fund the proposals and which, if any, will be mandated.

"We're looking to work with the government so we are part of the solution and not being dictated to," says Kenneth Lacy, senior VP and CIO at United Parcel Service Inc. But Andy Purdy, deputy chairman of the Infrastructure Board, says the government may have to intervene if the private sector doesn't do its part to combat threats.

Photo: White House cybersecurity adviser Richard Clarke (courtesy of AP). Caption: Clarke's strategy may ask businesses to share security data with the government.

That may include voluntarily sharing security data with a new network operations center, to be developed and owned by the private sector. The center could share with the government information collected from the networks of businesses, government agencies, and other NOCs, letting experts quickly discover threats and issue alerts.

But critics note that private organizations already provide early warnings of threats and vulnerabilities. The SANS Institute's and Internet Storm Center collect information from firewalls and intrusion-detection systems in more than 60 countries. "There's no need to build a huge mechanism to redo all of that," says Lloyd Hession, chief security officer at Radianz, which runs a network for the financial-services industry.

And some IT executives are concerned about sharing sensitive data with the government. "I have a responsibility to this company, its customers, and shareholders to protect such information," says John Hartmann, VP of corporate services for Cardinal Health Inc. "How will they ensure it's not leaked?" The administration intends to address such concerns by encouraging Congress to craft legislation that would shield shared data from the Freedom of Information Act, Purdy says. That's key for Cindy Floyd, technical services manager at Geneva Pharmaceuticals Inc., who doesn't want to provide security data if it's made public. "Then you're just opening yourself up to hackers," she says.

Floyd has concerns about another part of the plan that calls for creating a center to test patches for commercial software, mainly because it seems overwhelming. "I don't think anyone could properly understand the code of a gazillion packages out there," she says. Geneva does its own testing of its 200 apps.

Photo: Cindy Floyd, technical services manager at Geneva Pharmaceuticals Inc. (by Ray Ng). Caption: Sensitive information must be protected, Geneva's Floyd says.

The government's plan also is expected to recommend the development of special secure versions of common operating systems. Some observers fear costs will go up and functionality will suffer if vendors are pressured to invest in developing such systems. "You don't need a special secure operating system," Hession says. "You need people to learn how to secure a regular OS."

The draft also suggests that businesses buy cyberinsurance. Companies would have to undergo a security evaluation before they're eligible for such coverage; the more stringent their efforts, the lower their premiums. If the government encourages companies to buy insurance -- prompting some to upgrade their security -- that could make everyone a bit safer, says Douglas Lewis, executive VP and CIO at Six Continents Hotels, a subsidiary of Six Continents plc, operator of more than 3,000 hotels.

But businesses don't want the government to go too far in forcing security practices that may be costly or unreasonable. For example, it would be inappropriate for the government to mandate that all of Cingular Wireless' systems be continuously available, says Thaddeus Arroyo, Cingular's CIO. Such decisions should be left to the business.

UPS's Lacy concurs: "The government has to understand what businesses we're in and that security can't be one-size-fits-all."

Write to George V. Hulme at [email protected].

