America's National Cybersecurity Strategy: Same Stuff, Different Administration

Richard Forno
(c) 2002 All Rights Reserved
Article #2002-11.

Permission granted to reproduce and distribute in entirety with credit to


Today the White House releases its long-awaited "National Strategy To Secure
Cyberspace." This high-level blueprint document (black/white or color),
in-development for over a year by Richard Clarke's Cybersecurity team, is the
latest US government plan to address the many issues associated with the
Information Age.

The Strategy was released by the President's Critical Infrastructure Protection
Board (PCIPB), an Oval Office entity that brings together various Agency and
Department heads to discuss critical infrastructure protection. Within the PCIPB
is the National Security Telecommunications Advisory Council (NSTAC), a
Presidentially-sponsored coffee klatch comprised of CEOs that  provide
industry-based analysis and recommendations on policy and technical issues
related to information technologies.  There is also the National Infrastructure
Advisory Council (NIAC) - another Presidentially-sponsored klatch - allegedly
consisting of private-sector 'experts' on computer security;  but in reality
consists of nothing more than additional corporate leaders, few if any
considered an 'expert' on computer security matters.

Thus, a good portion of this Presidential Board chartered to provide security
advice to the President consists of nothing more than executives and civic
leaders likely picked for their Presidential loyalty and/or visibility in the
marketplace, not their ability to understand technology in anything other than a
purely business sense. Stacking the deck with friendly faces (and thus receiving
anything but objective advice) is not new to the President, who recently stacked
his Scientific Advisory Council with those supporting his policy agendas.
Factor in Richard Clarke's team – many of whom, including Clarke, are not
technologists but career politicians and thinktank analysts – and you've got the
government's best effort at providing advice to the President on information
security, such as it is. (One well-known security expert I spoke with raised the
question about creating a conflict of interest for people who sell to the
government or stand to gain materially from policy decisions to act in advisory
roles, something that occurred during the Bush Administration's secret energy

Now that you know where the Strategy comes from, and where the real interests
lie behind its creators, let's examine some of its more noteworthy components.

Although the Administration heralds this as the first "National Strategy" for
cyberspace security, we need only reflect on the Clinton Administration's
"National Plan for Information Systems Protection" from 2000, and the
President's Commission on Critical Infrastructure Protection Report from 1996 -
like its predecessors - and despite the publicity push from the Administration -
nearly all of what's in this Strategy isn't new, either in what it says or what
it fails to say. In keeping with tradition, the Strategy "addresses" various
security "issues" instead of directing the "resolution" of security "problems" –
tiptoeing around the problems instead of dealing with them head-on and demanding

At times, the Strategy reads like the fear-mongering propaganda published by
assorted industry groups and security product vendors. It claims that 70% of
cyber-attacks on corporations are caused by insiders, yet provides no source for
these statistics. Further, during its discussion of the threats and
vulnerabilities, there's an eye-catching sidebar with a hypothetical worst-case
cyberterrorism scenario conjured up by "50 scientists, computer experts, and
former intelligence officers" – and throughout the report are statements that
the Administration consulted with experts across the country in a variety of
industries. Yet there's no reference listing who these 'experts' are, or what
their credentials are to enable them to make such prophecies and participate in
the preparation of this Strategy, something that undermines the credibility of
these statistics and statements  For all we know, these 'experts' are career
politicians, academics, or clueless CEOs – many of whom probably never served in
an operational IT capacity before -- and thus don't understand the reality of
today's information environment.

To its credit, the Strategy provides (yet another) list of suggested 'best
practices' and proposals to improve technology security in a variety of venues,
from homes and small business to government and large enterprises. It uses
simple, easy-to-read language and presents its contents in vibrant color with
lots of white space and eye-catching sidebars and high-tech graphic motifs, very
much like a vendor's Powerpoint presentation for prospective customers..

In the areas of corporate security improvements, the Strategy indeed shines, as
it recommends Board-level accountability for information security, proper
security administration, and better integration and alignment of information
security with senior management and business goals. This is perhaps the best
component of the Strategy, and actually provides innovative guidance that can be
implemented fairly easy by corporations.

The Strategy makes it clear that it is to serve not as a "Federal government
prescription" but as a "participatory process" to develop America's national
information security environment with the private sector, and believes that a
hands-off policy is the correct way to work with them.  Indeed, for technology's
private sector, this is a good thing given the speed that government operates.
Unfortunately, for the federal government, what is currently needed is not a
prescription but a mandate on what must be done (and by when) to improve federal
information security, not another list of things that "should" be done but most
likely won't.

In this regard, the Strategy is no different than other government
cyber-strategy documents (mentioned earlier) and audit reports (from GAO or OMB)
published over the years eschewing the need for better systems security and what
"should" be done to improve it. For the private sector to take the government
seriously in this area, government needs to police itself first before
coordinating the efforts of industry.

As expected, the Strategy gives a tiny nod to developing a separate
government-only network, otherwise known as GovNET. While sounding good on
paper - and been Clarke's vision for years - leading security professionals
question the logic of such a network. Given that the Internet is redundant with
multiple – if not infinite – numbers of pathways between nodes, one wonders why
Clarke & Co. are considering moving large chunks of the government to a network
with a finite series of nodes, and multiple single points of failure or attack –
thus consolidating all his eggs into one basket just waiting to be dropped?
(Earlier this year, Clarke acknowledged that GovNET would still have its share
of viruses, trojans, and worms, so one has to further wonder about this
proposal, since it's apparently not going to be any more secure or robust as
what he's got now.)

According to the Strategy, vendors and possibly security consultants may be
required to obtain government or industry-based certifications to prove their
competency. Again, this sounds good on paper, but some argue this requirement
could be skewed to favor large, established companies (or products) and thus
alienate small firms, consultants, or alternative technologies from the
'certified' mainstream security or technology industry. Further, the
Administration fails to note that a certification (or a college degree in
cyber-security, another of its proposals) does not make a person any more
competent a professional; rather it takes years of applied experience to be
considered an 'expert' and 'competent' in one's field.  Contrary to the
profiteering interests of certification and testing organizations, we forget
that nearly anyone can pass a test; what matters is how they perform in the
workplace, not in the classroom.

Regarding technology products, the Strategy discusses employing programmers who
understand security to code better products, yet makes no mention about the
executives in marketing and corporate leadership wanting to bundle features
together to make a product 'convenient' for marketing  purposes and thus likely
more exploitable. Certainly, we need programmers to understand software and
system-level security, but programmers are only one small part of the problem (a
very small one in the grand scheme of the software industry) and act at the
direction of the higher-ups in the company. Executives must realize the dangers
of – and work to reduce or eliminate – 'feature-creep' in their products that
leads to exploitation. Just consider how much 'more secure' your information
would be, and how much less spam you'd receive had Microsoft not integrated
Internet Explorer and Visual Basic Scripting into Windows.

The Strategy notes that "systems often become overloaded or fail because a
component has gone bad" and proposes that "trustworthy computing" be part of a
national priority. Not surprisingly, this is the same term used by Microsoft to
describe its multi-faceted approach to securing future versions of Windows.
Conspiracy theories about this will abound, particularly given the close ties
Redmond has with the White House. Industry analysts will also watch to see how
quickly Hollywood's cartels leap to position their copy control initiatives as
part of "trustworthy computing" to ensure their profit streams, and link their
revenue protection to computer security features.

It's interesting that - perhaps as a result of industry lobbying (or the
Administration's ignorance) - the Strategy has no concern over the current
'monoculture' environment for operating systems, choosing instead to support the
development of new security products, technologies, and services to be built
around (or over) the current (and heavily-flawed) 'foundation' for most of
America's critical systems. The Strategy must consider such preventable (but
recurring) problems as the price of doing business in the Information Age,
something that many believe is foolhardy and complacent thinking.

Then again, effectively securing the foundation of our systems – the operating
systems – would mean less security products and services need to be purchased
from third parties….perhaps this oversight in the Strategy is tribute to the
lobbying efforts of security vendors trying to preserve their revenue streams?

A national strategy is certainly necessary to effectively deal with the many
problems of computer security. While there are indeed well-conceived portions of
the Strategy that will lead to procedural improvements in America's information
security posture if implemented, the Strategy falls far short of what it was
heralded as by the Administration, and were the subject of this article.

Today's release of the National Strategy To Secure Cyberspace is yet another
Oval Office attempt to gain consensus in dealing with the many problems
associated with effective information security in the United States.
Unfortunately, in the areas most responsible for the dismal current state of
information security, the Strategy fails to recognize and deal with them at all.

If the administration spent one-tenth the time or money on actual security
implementation and education (thus leading to long-term solutions) that it does
on convening boards of advisors, councils, town hall meetings, and issuing
vaguely-worded, broadly-encompassed, slickly-packaged "feel good" reports like
this one, there wouldn't be such a large computer security problem needing to be
remedied in the first place.

Maybe I should start my own Coffee Klatch.

IWS INFOCON Mailing List
@ IWS - The Information Warfare Site

Reply via email to