US cyber defence plan lacks teeth, claim critics

The White House's National Strategy to Secure Cyberspace, which was released yesterday, got mixed reviews from experts, with some saying it lacked bite.

While most of those present at the unveiling ceremony at Stanford University applauded the US government's effort to raise awareness of security issues and its willingness to take a leadership role, many were surprised by the lack of tough enforcement language in the document.

"Anything that could have made a difference was removed at the last minute," said the president of a major security consulting firm who did not want to be named.

Many private-sector experts and a White House source acknowledged that major changes, such as the removal of "politically sensitive language", were made to the plan in the last 24 hours of preparation.

"What happened here?" asked Wyatt Starnes, chief executive officer of Tripwire, a global IT security company. "We thought we were going to get something concrete. They probably underestimated the politics."

The strategy calls on corporate CEOs to establish enterprise security councils to integrate cyber security, physical security and privacy into their daily operations. It also urges major Internet service providers to adopt a "code of good conduct" governing their cyber security operations, but real change in the private sector remains voluntary.

Russ Cooper, "surgeon general" of TruSecure, was unhappy with the strategy document. He said the administration had removed language that would have offered a definition of liability and an assignment of responsibility for Internet security.

"It's time that the government mandates some action be taken," said Cooper. "I'd like to see ISPs be told that it is illegal to carry identified Internet attack traffic. But I don't see anything similar or at that level in what they're proposing."

James Lewis, director of the Council on Technology and Public Policy at the Centre for Strategic and International Studies in Washington, agreed that linking real change in cyber security to a voluntary system would not work in the long run. "The administration hopes market-driven solutions, rather than new regulations, will be enough for security," said Lewis.

"The report has many good ideas, but cyber security is too tough a problem for a solely voluntary approach to fix," he said. "Companies will only change their behaviour when there are both market forces and legislation that cover security failures."

Others were less critical of the report. "You have to look at this as a good starting point," said Scott Crenshaw, vice-president of business development at security firm NTRU Cryptosystems.

"For example, the section on assessment of gaps and weaknesses in the private sector is particularly strong. If this document raises awareness of those issues, it will have served us well."

Microsoft chief security strategist Scott Charney applauded the strategy as a critical starting point. "It's really important to get the vision piece right," he said.

The report will now undergo a two-month review period before the final version is sent to President Bush for approval. "People need time to sit down with the document to debate the pros and cons," said Charney.
