White House issues cybersecurity draft

The White House issued its long-awaited National Strategy to Secure Cyberspace report, the document intended to summarize ways to improve network security for government agencies, the private sector and citizens in their homes.

About fifty pages, the final document, signed by President George W. Bush, drops some of the more controversial statements made in the earlier draft document about whether ISPs or universities, for example, could be doing more on behalf of cyberspace security. Instead, the “National Strategy to Secure Cyberspace” tones down its criticism and is content to “encourage” industry, government agencies, and the public to reduce risks wherever practical. However, beyond the advice about denial-of-service “zombie” software and access controls, the report does take up a few new issues that could have far-ranging impact.

For one, the report says the government will consider expanding the “Common Criteria” purchasing mandate, which took effect last July primarily for the “national security systems” of the Defense Department, to include any purchasing done by the government’s civilian agencies as well.

At present, agencies operating national security systems must purchase software products from a list of lab-tested and evaluated products in a program run by the National Information Assurance Partnership (NIAP), a joint partnership between the National Security Agency and the National Institute of Standards and Technology.

The NIAP is the U.S. government organization that works in parallel to similar organizations in a dozen other countries around the world which have endorsed the international security-evaluation regimen known as the “Common Criteria.” The program requires vendors to submit software for review in an accredited lab, a process that often takes a year and costs several thousand dollars.

This program has been many years in the making among countries supporting the idea of a single international certification system. But last July a purchasing mandate to buy “Common Criteria” evaluated products for the U.S. military’s national security systems. Now, the White House cyberstrategy report said the government will undertake a review of the program this year with the view it may “possibly extend” it as a requirement for civilian agencies in terms of purchasing.

In other ways, the cyberstrategy report could have far-reaching implications. For one thing, it makes clear that the U.S. government reserves the right to respond “in an appropriate manner” if the U.S. is attacked in cyberspace. While the Clinton Administration did issue an earlier decision related to cyberspace defense and counterattack, the White House statement was inserted into the final cyberspace report at a time when war tensions are rising in the Mideast leaves it completely clear what the Bush Administrations views are.

In addition, the report strongly suggests that all U.S. agencies seek to “explore exercises” for “cyberspace preparedness” as it says the Defense Department is now doing.

Since large-scale worm attacks often exploit holes due to software vulnerabilities, the White House said it expects to see U.S. General Services Administration set up “test beds for patching” to help agencies apply needed fixes as quickly as possible.

The report notes that the newly created Department of Homeland Security will be in charge of operating a round-the-clock facility for monitoring cyberthreats, sharing information and incident response. The report indicates the government is seeking to build a private communications network, called the Cyber-Warning and Information Network, to be able to share information with the private sector when need be.

“There’s a greater emphasis in this final report on the government getting its own house in order and leading by example,” commented Larry Clinton, operations officer at the Internet Security Alliance, a nonprofit industry group in Arlington, Va. that has been following the year-long evolution of the cyberstrategy report. “And that’s probably the way it should be.”