[This article was contributed by Tom Owen]
The Friday release of the National Strategy to Secure Cyberspace may have been overshadowed by the recent departure of Richard Clarke, President Bush's Cybersecurity advisor. It certainly didn't get a big build up. But now we have the "final" version of what will doubtless be a continuously evolving strategy.
The draft released in September generated apathy and dismissal
after widespread unsourced reports of tech firms lobbying to remove references
to insecure "out of the box" configurations and wireless hazards.
The biggest change over the draft is external: the Department of Homeland
Security (DHS) now exists,
with a budget and a head, and by far the majority of the action items fall on it.
The strategic objective is clear:

It is the policy of the United States to prevent or minimize disruptions to critical information infrastructures and thereby protect the people, the economy, the essential human and government services, and the national security of the United States.

as is the purpose of the document:

The purpose of this document is to engage and empower Americans to secure the portions of cyberspace that they own, operate, control, or with which they interact.
The core of the strategy is the five national priorities:
- A security response system
- A threat & vulnerability reduction system
- A security awareness and training program
- Security within government operations
- National and international security co-operation
Within the strategy, each priority generates five to fifteen actions and
recommendations.
The actions typically fall on the federal government,
usually the DHS or the United States generally,
while the recommendations are for the private sector and academia.
Some consistent themes inform the discussion of all priorities:
- The threat is real: the US depends on the integrity of cyberspace, and
that integrity can now be undone by enemies.
- Most of what's needed is outside the scope of Government:
beyond protecting its own operations and the commons,
the work has to be done by corporations, colleges and the public.
- The public and private sectors can, and must, work together
- Privacy and liberty must be protected.
It's not that prominent, but it's a pleasant surprise to see it at all.
Regarding the called-for national security response system:

The National Cyberspace Security Response System will involve public and private institutions and cyber centers to perform analysis, conduct watch and warning activities, enable information exchange, and facilitate restoration efforts.
The plan appears to be mandating DHS to co-ordinate between Government
agencies, and academic and private sector agents.
Obvious candidates would include CERT, the AV vendors' labs, disaster recovery
providers and perhaps operators like Bugtraq.
The challenge is twofold.
Firstly, to co-ordinate their work on attacks and vulnerabilities, before and
even -- using fax, conferencing and voicemail -- during an attack,
and secondly, to ensure that the private sector is using the resources created.
It appears that there will be an effort to remove antitrust obstacles to this
co-operation.
Responding to security incidents is important, but so is preventing those
incidents before they happen.
The strategy asks private and government agencies to communicate better to
find and protect against potential problems. Even before the recent
"Slammer" worm, others like Nimda and
Code Red had made it clear that threats, once released, spread faster than
fixes.
So it is important to find and fix vulnerabilities before they are
exploited.
One stand out point is a clear intention to use criminal justice more
aggressively: this might be a good time to stop writing stupid viruses for
fun.
The strategy gets more specific here. Examples of the work planned include:
- Improving infrastructure: the Commerce Department's review of a national
transition to IPv6 and the DHS's intention to bang heads together to get
progress on securing DNS and BGP,
together with longer term efforts to add source address verification and
secure out-of-band management to the Internet
- Securing plant and equipment control networks to exclude terrorists from
air-traffic control, dams and chemical plants.
- Addressing software vulnerabilities: establishing a neutral clearinghouse,
with, interestingly, a national policy defining appropriate vulnerability
disclosure, central testing for patches to Government systems, and promotion
of tools and best practice for patch distribution.
Then, there is the call for a national security awareness and training
program.
This priority addresses a slightly broader range than most.
The traditional targets for security training (users, admins and developers)
are there, but the plan goes further:

Many information-system vulnerabilities exist because of a lack of cyberspace security awareness on the part of ... procurement officials, auditors, chief information officers, chief executive officers, and corporate boards.
Getting these people trained is not going to be easy.
School curricula, awareness programs and certification and the other plan
items can reach professionals and users, but getting informed discussion
between corporate policymakers at the country club will take something more --
there may be a role for the insurers here.
Of course, the government must also worry about cleaning up its own act, so
it is not surprising to see internal security as an important part of this
plan.
The plan in this area is
blandly conventional, revealing that government practice is no better
than the private sector's.
One of the few mentions of a specific technology, wireless, occurs under this
heading.
The last item (national and international security coordination) seems like
a bland commitment to improve international
co-operation, encouraging foreign countries to achieve effective criminal law
and participate in information-sharing programs. But early on comes this
jaw-dropper:

When a nation, terrorist group, or other adversary attacks the United States through cyberspace, the U.S. response need not be limited to criminal prosecution. The United States reserves the right to respond in an appropriate manner.
The strategy doesn't expand on this point, and responsibility for that
action falls on no specific agency,
but when it happens, it'll be on the evening news.
Given the source, the document as a whole is at least as good as could have
been hoped.
Part of the value comes from what's left out:
- There's no hysteria about encryption or crackers
- No plan to wall off the US and unplug those nasty foreigners
- No dramatic legislative program
- No mandating or prohibiting of specific technologies and vendors
High-level strategic planning can be used to hide a lot of vagueness and
unreality,
as the broad scope needed in the language and objectives makes it hard to
visualise what is intended.
This hasn't happened here.
The Department of Homeland Security's interest in the network comes into
clearer focus.
Some of the organisations and networks which will protect cyberspace are
making their first appearance here.
And we can see that some people are asking the right questions.