UP until now, the debate over the Bush administration's draft National Strategy to Secure Cyberspace went something like this: "It's a hands-off plan, and that's OK," said its supporters. "It's a hands-off plan, and that's not good enough," said the detractors.
Both sides have it wrong.
Contrary to popular opinion, the Bush administration intends to exert a heavy hand over national cybersecurity policy. Expect coercive government programs posing as voluntary partnerships and federal certification of companies that meet government cybersecurity standards.
The president's National Infrastructure Advisory Council in September 2002 issued its initial draft of the cyberspace strategy, a 65-page report that included 86 specific recommendations directed at everyone from home PC users and small businesses to large enterprises and government agencies. On Jan. 6,
According to the AP report, the new version slashed nearly half of the original initiatives to tighten network security, eliminated a number of voluntary proposals for U.S. corporations, and recommends a broad U.S. government study to assess risks. The draft's detractors pounced on the changes as a further abdication of government responsibility. IT folks, unaccustomed as they are to bureaucratic oversight, no doubt breathed a sigh of relief.
Critics of the cybersecurity plan have said they would prefer a new, more stringent regimen of government security regulations. Security improvements "could not be reached in the absence of new regulation," said a letter to the White House from InfraGard, an organization of security experts. Meanwhile, IT execs, meeting with presidential adviser Richard Clarke a couple of weeks ago, said that the government should promote network security through its massive purchasing power.
Both sides will end up getting more than they bargained for.
Consider a few provisions of the original draft:
- Corporations should consider joining in a public-private partnership to establish an awards program for those in industry making significant contributions to cybersecurity.
- A public-private partnership should refine and accelerate the adoption of improved security for Border Gateway Protocol, Internet Protocol, Domain Name System and others.
- A public-private partnership should perfect and accelerate the adoption of more secure router technology and management, including out-of-band management.
These sound benign enough, but what are these public-private partnerships? A whole raft of these creatures are being organized in the wake of September 11 by the U.S. Customs Service and other agencies in order to protect the homeland from attack by weapons secreted in international cargo. The Customs-Trade Partnership Against Terrorism, or C-TPAT, is in the process of issuing guidelines for everyone from manufacturers to transportation providers to warehouse operators; the goal is to prevent a supply-chain security breach.
While these are nominally voluntary programs, the perception in the private sector is that membership is required if you don't want to see your goods held up by Customs. In political science terms, this may not qualify as government regulation, but it does involve government coercion.
I don't know which, if any, of the above proposals survives in the new draft, but that is beside the point. Consider what is in the new draft, at least according to the Associated Press.
"The draft obtained by the AP puts the new Homeland Security Department squarely in the role of improving Internet security. ..." The department will also be home to the C-TPAT programs once the government reorganization is complete. So we shouldn't be surprised to see coercive public-private partnership initiatives emanating from Department of Homeland Security, regardless of what the written plan says.
"The new version also makes it more clear than ever that the Defense Department can wage 'cyber warfare' if the nation is attacked." The administration, in other words, is as serious about tackling the issue of cybersecurity as it is in fighting terror or toppling Saddam Hussein.
The private sector, by advocating the exercise of government purchasing power, may yet eat its words. Government acquisition of security tools and services will involve issuing capabilities specs and will likely include federal government certification of private-sector companies. Any company that does business with the government is going to have to be certified, as will any company doing business with a company doing business with the government.
The bottom line is this: regardless of the rhetoric, the U.S. government will be taking the lead in setting standards and practices for cybersecurity. Any way you slice it, what the government chooses will become standard.
Peter A. Buxbaum has been writing about business and technology for more than 10 years. In addition to his regular contributions to SearchCIO.com, his articles have appeared in Forbes, Fortune, Chief Executive, InformationWeek, Line56, Computerworld and more than a dozen other publications. He has also developed and taught seminars on international business at Penn State University.