When U.S. President Bush’s Critical Infrastructure Protection Board released its National Strategy to Secure Cyberspace on Sept. 18, the word “draft” figured prominently on every page. That’s just as well; it’s very much an interim document, with consultations and consensus building far from complete.
As a foundation for further work, the document – available at www.whitehouse.gov/pcipb – does well. Some truths, however obvious, were clearly and honestly articulated. For example, the document points out that “by 2002, our economy and national security are fully dependent upon information technology and the information infrastructure.” The Strategy is also forthright in its assessment of cyberthreat, noting that “potential adversaries have the intent,” the tools with which to attack, and a good idea of the nation’s vulnerabilities, which are “many and well known.”
That gives a certain weight to the discussion. However, it also means that any agency presuming to dictate solutions from on high must do a good job of anticipating threats and prescribing effective countermeasures. And nobody is quite ready to do that yet. Instead, the Strategy makes recommendations in many areas, points to existing programs and initiates “discussions” that may or may not lead to action.
In effect, the Strategy concedes that the development of the Internet, and U.S. government and business reliance on it, have far outstripped the ability to safeguard its operations. Until the risk is managed and vulnerabilities reduced, if not eliminated, there will be a markedly diminished return on collective investment in the information infrastructure.
The U.S. government seems eager for fresh thinking, allowing two months for comments on this draft and arranging for more “town hall” meetings like those that have already contributed to the Strategy.
A decentralized approach is the only possible answer to the enormous task of public-private sector collaboration, and the government has already divided it into smaller pieces. Lead agencies around critical infrastructure have been assigned to coordinate cybersecurity with the private sector: The Treasury Department deals with financial institutions and banks, for example, and the Environmental Protection Agency with water, chemical industry and hazardous materials.
Unfortunately, where the Strategy should be factual and persuasive, its foundations seem somewhat insecure. For example, unnamed “surveys” are cited for the otherwise reassuring note that the cost of information security is lower than that of a serious attack.
As well, the Strategy is remarkably good-natured about the hardware and software vulnerabilities that are already rooted deep in the Internet. The real threats to the system are considered to be external and motivated by malice. Weaknesses in the software infrastructure in particular are apparently less the fault of manufacturers who release flawed packages than users who are slow to patch them. The document does point to some future date when software works properly, right out of the box, but fails to prescribe remedies for shoddy code that is embedded deep in the network now and will remain in operation, for years in some cases.
Readers of the Strategy might think that wireless technology is singled out early and often for flaws and unresolved vulnerabilities; it says flatly that “federal departments and agencies must be especially mindful of security risks when using wireless technologies.” In fact, however, the language has been considerably softened from earlier drafts.
The unspoken truths that emerge from the Strategy seem to be that for the time being, when it comes to security issues, computer users of every size and type are on their own. If the private sector cannot provide adequate cybersecurity, the U.S. government will consider stepping in. Any leadership from Washington before that happens will be in the form of information and coordination rather than command and regulation.
The Strategy stays well within the bounds of the possible, assigning duties and responsibilities within the departments and agencies of the government, and offering suggestions where it lacks the legal authority to prescribe or the political will to compel. So far, no security incident has jolted the cyber-establishment out of its complacency. So far, we may have been lucky.
Richard Bray is an Ottawa journalist who specializes in high technology. A former reporter and producer with the CBC, he is also a former editor of Ottawa Computes. He may be reached at [email protected].