The CyberSecurity Plan -- A Developer's Perspective

The nation's first CyberSecurity Plan was released last month to mixed reviews. But drill past the sound bites and front-line developers might actually find a few tidbits and recommendations that will prove important to them and their tech managers. IDN peels away the covers of the 64-page report, and makes it easy for you to send in your comments to Uncle Sam (which are due by mid-November). You'll also hear from fellow developers.

Tags: Security, Plan, Report, Recommendations, Review, Cybersecurity, Hoo

The nation's first CyberSecurity Plan, which is 64 pages long and the result of 10 months of research and draft reviews, was released last month. It recommends a better partnership between the government and private industry. And while many initial reviewers have panned the plan, there are important aspects of the plan that may prove relevant to developers and CIOs.

Two Key Take-Aways
First, the CyberSecurity Plan has already received an exhaustive review by members of the high-tech industry. As a result, any less-than-forceful language might be a result of that review -- rather than government indecision.

"[The plan] was written largely by people outside of the government," said Richard Clarke, special adviser to the president for cyberspace security and chairman of the president's Critical Infrastructure Protection Board (PCIPB), in a statement.

Integration Developer News spoke with Kevin Soo Hoo, a senior security architect with @stake, who with his boss, @stake CTO Dan Geer, served as contributing writers to the plan. Hoo told IDN that the final draft was watered down compared to some of the original language. "It almost feels like someone did a 'global search and replace' on the words 'will' and 'must' and replaced them with 'should'," Hoo said.

Second, hidden away in the rhetoric, the plan makes several recommendations that strongly suggest -- but don't mandate -- that company CEOs and business leaders pay more attention to recommendations and policies of their IT staff (CIO, managers and even below).

Roger Sullivan, president of Phaos Technology Corp., a provider of security products and tools to Java developers, in New York City, told IDN: "The plan provides managers with enough information to objectively evaluate the security of the projects," adding that the defining of a high-level checklist for security needs could "spur the use of open standards and technologies" for security. This, in turn, might better empower enterprise developers -- rather than outside consultants -- to fill security needs by providing more tools and techniques that are not product-specific.

Inside the "Cyber-Security Plan"

Just how bad -- or at risk -- is the nation's cyberspace? In part, the report found:

  • Cyber incidents are increasing in number, sophistication, severity and cost.

  • The nation's economy's increasing dependence on cyberspace has introduced "unknown interdependencies and single points of failures."

  • A digital disaster strikes some enterprise every day. Infrastructure disruptions have cascading impacts, multiplying their cyber and physical effects.

  • It is a mistake to think that past levels of cyberdamage are accurate indicators of the future. Much worse can happen.

  • Waiting to fix any important vulnerability in the critical infrastructure until learning of an impending attack "is an unacceptably risky strategy." The report notes the reactive nature taken in response to the Code Red attack, and said that even though no arrests have been made in that episode, private and public concerns must be on the offense.

  • Network security devices are no substitute for "constant focus." The plan cited a report from the Computer Security Institute that stated even though 90 percent of companies use antivirus software, 85 percent have been "damaged" by viruses. Similar statistics exist for companies that use firewalls (89 percent use them; 90 percent report intrusions).

Where's the Money?

Despite these dire observations, the government isn't ready to just throw money at the problem. Before spending money or changing rules to improve infrastructure, the report suggests that the government complete a comprehensive program performance review of the current National Information Assurance Program "to determine the extent to which NIAP is cost-effective and targets clearly identified security gaps." That study should be completed by September 2003. In addition, the plan wants to run real use-case tests of possible cross-government security breaches by defining and conducting "scenario-based security exercises for select cross-government business processes."

The plan also stated: "Public-private partnership should, as a high priority, develop best practices and new technologies to increase security of digital control systems and supervisory control and data acquisition systems in utilities, manufacturing and other nets." In the interim, owners of these systems should examine the risks, and implement solutions within 24 months.

The Recommendations
While the plan said that mapping the exact threats will require more study, it made other recommendations that could be taken up now by private companies.

Those other recommendations include:

1. CEOs should consider forming enterprise-wide corporate security councils to integrate cybersecurity, privacy, physical security and operational considerations.

2. Company execs should consider regular IT security audits, remediation programs and best-practices reviews.

3. Corporate boards should consider forming committees on IT security, and ensure that the CIO's security recommendations are formally reviewed by superiors.

4. Corporate IT staff should consider diversity in IT service providers to mitigate risk.

5. IT staffs should develop IT Best Practices (on procurement, deployment, assessment, review, etc.) and work with insurance companies to expand availability of "Cyber-Risk" insurance.

6. IT staffs should be sure to review mainframe security practices and products (whether they are connected to the Internet or not) to ensure effective technology and procedures are being used.

The Rest from Frontline Developers
Meanwhile, frontline developers we spoke to said the report lacks what many developers see as a "call to arms."

As a result of the compromises, @stake's Hoo said he is concerned that industry may not listen to the appeal for better cooperation on cybersecurity. "The whole document could sink out of sight during the next few months," Hoo said, "unless there is some government action or concrete follow-up."

But for all that is missing from the report, there was also at least one "surprise" addition, Hoo said: the plan suggests increasing the role of the U.S. Secret Service in monitoring and responding to cybersecurity breaches. While best known for protecting the U.S. president, the Secret Service is an arm of the Treasury Department and as such is also responsible for currency fraud and even some wire transactions. The report recommends that the Secret Service set up a cybercrime unit.

But, for now, Hoo concedes, the message to industry and users is just to be aware and to start taking a more active role in security. "The problem with that," he said, "is if you don't follow the recommendations, the government won't do anything to you." In summary, Hoo likens the report to a warning from the speed police. "When you speed, you may get pulled over. But if all you get is a warning, are you going to drive slower? Or just keep driving the way you always did, but just watch your rear view mirror more often?"

Eric Uner, one of the founders of Bodacion Technologies, a provider of dynamic Web scripting and advanced secure hosting well before these became common service offerings, said, "Vendors may be offering industry new products and upgrades, but there is not enough industry-wide input from developers, the people building the newest applications, to truly solve these problems."

Uner's recommendation: "To move this report forward, vendors and users need to start sharing their experiences, and to bring the developers into the conversation. So far, many people just haven't been willing to do that."

"I'm not sure that the government is in the best position to make a recommendation of setting security policy and practices for industry," Uner said. "The problem is that if the largest vendors have the most say you may get a biased view and may not get the best technologies or perspectives on the problems."

"Ultimately, the larger vendors aren't taking the problem seriously enough," Uner added.

And so what about getting an increased number of smaller vendors involved? Phaos' Sullivan told IDN that he has tried to get his company more involved with the plan drafters, including those that work with Clarke at the President's Critical Infrastructure Protection Board, but to no avail thus far.

"Phaos would be very interested in participating in a concept laboratory and would be willing to contribute security toolkits to such an effort. We've tried to engage folks at the PCIPB, but have little success in getting a response."

But now is the time for the smaller firms -- both vendors and users. Clarke says his group will be taking comments on the plan through mid-November. Contact them, and us at IDN, with your thoughts.