The 64-page document details initiatives to secure U.S. information systems against "deliberate, malicious disruption and to foster an increased national resiliency." The document, organized by the president's Critical Infrastructure Protection Board, is the strategy of the steps the United States will take to secure the information technology networks and systems that are necessary for the nation's economy, defense, and critical services to operate.
Among the many recommendations are:
The comment period ended last month.
"Do we agree with everything in the government report? No. But we do believe that this is the most comprehensive and serious attempt to address these issues to date," says Harris Miller, president of the Information Technology Association of America (ITAA), in Arlington, Va. "I think it could be simplified a bit in terms of grouping some of the recommendations under fewer categories," says Harris.
The government must pay closer attention to and ensure the security of its own systems, Harris says. A September 2002 ITAA-Meta Group survey of IT management found that 77% of respondents felt the private sector was more advanced in hardening information systems than the public sector. The same percentage termed the vulnerability of the public sector to cyber attack either "high" or "extremely high."
'There Is No Perfect Plan"
ITAA's position is that government entities at the federal, state, and local levels need to better coordinate their national security activities in order to improve coordination and cooperation with the private sector; and "cyber ethics" must become a regular and understandable part of the Internet lexicon, Harris says.
"Ours is a risk management and risk mitigation approach," says Miller. "There is no perfect plan to assure absolute information security, just as there is no strategy short of grounding the nation's air fleet to assure absolute airport security. We must wage a long campaign in which we constantly identify risks, weigh vulnerabilities, and adopt reasonable, rational fixes to each."
The Chicago-based Society for Information Management (SIM) submitted a response based on its membership's collective experience in this area. The association's two main suggestions were the formation of an independent security certification organization, and placing a greater emphasis on the role of the chief security officer (CSO).
Currently, there is no single way to ensure that technology products have security certification, says Christine Atkins, SIM vice president for Issues Advocacy. There are various organizations issuing certification, "but we need a single way to ensure software has security certification...What we need to avoid is having individual states pass legislation or various organizations issue conflicting requirements." Otherwise, she contends, it will become more costly and confusing, and no one will know what they should follow if there are conflicting policies. Then the process will not be effective.
An independent certification organization will ensure the strengthening of accountability, which is paramount to accomplishing the goal of protecting the country's critical infrastructure, says Atkins.
"And, like any critical initiative, it needs dedicated resources and focus especially in the area of setting policy, which is why we believe the burgeoning role of the chief security officer in corporations is also essential to success," Atkins says.
Additional suggestions offered in SIM's response included issuing tax credits for security investments, built-in security from Internet service providers (ISPs) and tapping into the expertise of volunteer IT security professionals.
"Many experienced IT security professionals would be willing to help the government, but they have no idea who to contact, or what help is needed," maintains SIM President Steve Finnerty. An electronic copy of this 64-page document can be found here.