Security is on everyone's mind these days, and information security is rumored to be the next 'frontier' in the war on terrorism. The President's Critical Infrastructure Protection Board (CIPB) released its long-awaited National Strategy to Secure Cyberspace guidelines for protection of American critical infrastructures from cyberattack (see www.whitehouse.gov/pcipb/cyberstrategy-draft.html) and began its grassroots campaign to enlist support for the initiatives contained in the draft. While I applaud the efforts of cyber-czar Richard Clarke and others to elevate information security to the same status as physical protection of critical infrastructure, the initiative falls short in three critical areas: authorization, enforcement and completeness of scope.
What if there were a cyberwar and nobody came? The level of interest by your average information security professional in the CIPB initiatives is more as a curiosity than anything else at the moment. How will the policy affect my day-to-day operations? Are there new regulations that I need to be concerned with?
Many information security practitioners happily breathed a collective sigh of relief when the draft was found to contain not requirements but only recommendations - 'should' instead of 'will' seemed to be cut and pasted throughout the text. Unfortunately this lack of any compulsory action required on the part of industry translates into a lack of mandate that threatens to undermine the effectiveness of the initiative. And for the vendors, which will be supplying many of the building blocks of information security infrastructure, the lack of teeth in the recommendations means they can collectively hit the snooze button and return to releasing vulnerabilities for a time-to-market advantage. Imagine the enormity of the task in getting Microsoft to clean up its act with regard to software flaws - they will fight it tooth and nail every inch of the way.
I predict that sooner rather than later many of these recommendations will become mandatory. Once that happens the CIPB (or its successor) is going to face the daunting task of enforcement. With so much of the critical information infrastructure in private hands, how do you enforce minimum standards for security protection? One way is for the critical industries to self-regulate, but we have already seen the shortcomings of that approach.
Imagine a hypothetical meeting of the airline industry to discuss ways to improve passenger safety and reduce the threat of terrorist hijackings before September 11, 2001. Many good ideas would be brought out, there would be a consensus that more can and probably should be done, but with the pressure on airline profitability and the lack of any more rigorous compulsory minimum standards little would get implemented.
One valuable role that the Bush administration can play with respect to cybersecurity is identifying where the current standard of due care creates an unacceptable risk to the U.S. national infrastructure. Identification of a vulnerability is one thing, however; prevention is another. For example, the report does call out unsecured personal computers attached to 'always on' high-speed cable or DSL connections as a threat, since they can be co-opted for distributed denial-of-service attacks. It stops short, however, of requiring suppliers of high-speed Internet connections to include anti-virus and/or personal firewall technology to prevent these kinds of attacks. This lack of an enforcement mechanism makes it difficult to see how any 'voluntary' recommendations for improving cybersecurity will get implemented.
One area where the Bush Administration could significantly advance the state of information security is in preventing identity theft. The threat is real and increasing, the link to terrorism is there, and identity theft is more of an 'insider' than 'outsider' problem. According to the Federal Trade Commission, reports of identity theft are up 177 per cent in the last two years. Many of the September 11 hijackers had valid credentials issued on stolen or forged IDs, and insider threats are the type of threat where stepped-up laws and enforcement can be effective.
And U.S. government regulations already have a leg up in two important industries, health care and financial services. HIPAA (the Health Insurance Portability and Accountability Act) and Gramm-Leach-Bliley (finance) are two recent initiatives that already deal extensively with privacy issues and, more importantly, have prodded these sectors to invest more in securing information. One challenge for the Bush Administration is making identity theft sexy enough for the public to buy into the inconvenience the new rules will inevitably create.
Here are three recommendations that the Bush Administration could act upon immediately to make the world safer for cyberspace.
First, require that Internet service providers install a personal firewall and anti-virus software on each high-speed connection they install. Make the ISP liable if a hacktivist, script kiddie, or "axis of evil" government takes over a connection on its network to launch a denial-of-service attack.
Second, pursue identity theft the same way William Bratton used graffiti to reduce violent crime in New York City, by treating it as a "stepping stone" on the way to bigger (and badder) things.
Finally, form alliances with the private sector to focus on critical infrastructure 'hot spots' - areas where critical vulnerabilities exist - and showcase the progress made, while at the same time using the threat of regulation as an incentive to act.
It's not quite a brave new world yet, but changes in the information security landscape will be welcomed by both the public and private sector voices that have been crying that not enough is being done to protect national interests in cyberspace. The battles may not be as visible as the war on al Qaeda, but the importance of small victories now will pay great dividends down the road.
Robert Lonadier is the president of RCL & Associates, a Boston-based analyst and consulting firm specializing in providing implementation-ready counsel and advocacy services to senior management in information security. He can be reached at firstname.lastname@example.org.