The US governmentis draft of its cyber-security report, released yesterday, met mixed reviews from defense experts and technology companies. The government, which planned to release a final report yesterday, has instead opted to release a draft and requests comments until November 18th of this year.
The report puts the onus on companies and individuals to keep their systems secure, which has met with approval from the industry and concern from security groups. A CNET News article details some of the responses: technology companies referred to the plan as timely and a good start, while security groups feel that the governmentis attitude that "the government cannot mandate" is too soft on business.
The Center for Strategic and International Studies, a hawkish think tank in Washington with close ties to the military, called the report flawed because it did not demand new laws or regulations aimed at Internet companies. CSIS is headed by John Hamre, defense secretary under President Clinton, who spent years warning of "the future electronic Pearl Harbor that might happen to the United States" if extreme measures were not taken.
"Cybersecurity is too tough a problem for a solely voluntary approach to fix," said James Lewis, director of the CSIS Council on Technology and Public Policy. "Companies will only change their behavior when there are both market forces and legislation that cover security failures. Until the U.S. has more than just voluntary solutions, weill continue to see slow progress in improving cybersecurity."
Meanwhile, a Washington Post article today outlines further complaints about the decision-making process, saying that industry concerns have put too much influence on the governmentis policy.
"Consumers arenit likely to pay attention to Clarke or this effort, and to rely on them is flawed," said Russ Cooper, an executive with Reston-based TruSecure Corp. "Most consumers didnit buy a computer to become geeks. The majority of them are still trying to learn how to buy things from eBay."
Alan Paller, research director of the SANS Institute, said industry has not stepped up to do its part.
"Theyire whining, and that resonates with an administration that is business-oriented," he said. "As long as this can be done in smoke-filled rooms, then industrial pressure can continue affect national policy."
But Paller said he believes the 60-day public comment period will help to show who has worked hardest to weaken the plan.
"The whiners will now have a spotlight shone on them," he said.
For more information, you can read both the Washington Post and CNET articles, and view the governmentis Critical Infrastructure Protection Board Web site.