CSIA president Paul Kurtz told ComputerWire the recommendations present tangible goals that the White House could meet to fulfill parts of the two-year old National Strategy to Secure Cyberspace.
While Kurtz said the recommendations are presented in no particular order of priority, the one grabbing all the headlines has been the recommendation that the president create an assistant secretary of cyber security post in the Department of Homeland Security.
The call for an assistant secretary, a position that would report directly to the head of the DHS, has been going on for years, with lower-level Internet security chiefs dropping like flies.
Former White House security advisor Richard Clarke said securing the US’s information systems should be a priority, and expressed frustration with the lack of action before his early 2003 resignation.
His successor, Howard Schmidt, resigned in a matter of months. In November, Schmidt’s successor, Amit Yoran, also resigned, reportedly for similar reasons. Yoran was director of the National Cyber Security Division, two reports below DHS boss Tom Ridge.
“Dick left, Howard left, I left, Amit left, I think my successor also left,” Kurtz told ComputerWire. “There is a frustration that was felt that could be addressed if we had a more senior-level, programmatic person.”
“Programmatic meaning mainly a person who has the ability to set budget,” Kurtz explained. An assistant secretary would have the kind of powers to help execute some of the recommendations the CSIA lays out in its latest report.
As might be expected from a consortium made up of the CEOs of commercial, mostly publicly held, organizations, many of the items on the CSIA’s list are arguably geared at rerouting federal tax dollars into corporate coffers.
There are no recommendations on user education, for example, nor are there requests for increased law enforcement or ways to promote secure code. There are, however, many recommendations that could buoy the already buoyant security industry.
The report recommends promoting the data security guidelines of corporate governance regulations such as Sarbanes-Oxley. The Department of Commerce should urge CEOs to make security a board-level agenda item, the CSIA says.
Another priority should be to lead by example with federal procurement practices. Federal agencies following FISMA guidelines should require contractors, subcontractors and suppliers to take similar measures to secure their IT systems, CSIA says.
FISMA, the Federal Information Security Management Act, is a set of requirements for securing information systems that federal agencies must abide by. It has proved a useful way into government accounts for some security firms.
The report also calls for the National Information Assurance Partnership, which administers the must-have Common Criteria security certifications in the US, to speed up its evaluations and reduce its costs.
Kurtz said that the goal of CSIA with the new document is to identify things that are deliverable in the term of the next Bush administration. Priorities like user education are broader in scope and longer in term, he suggested.
The group recommends more money for R&D at government organizations such as the Defense Advanced Research Projects Agency, the National Science Foundation and the National Institute of Standards and Technology.
The CSIA also calls for more public-private partnership on information sharing and the creation and testing of an emergency network that could be used to coordinate recovery in the event of a catastrophic Internet attack.
The report also calls for the government to provide official measurements of the cost of cybercrime. “How do we know we’re getting better?” Kurtz said. “We live in a world now of ad hoc reporting and anecdotal evidence.”
The report also includes the recommendation that the president should urge Congress to ratify the Council of Europe’s Convention on Cybercrime, which sets guidelines for prosecuting online crime across national borders.
CSIA’s members include: BindView, Check Point, Citadel, Computer Associates, Entrust, Internet Security Systems, Juniper, McAfee, PGP Corp, Qualys, RSA Security, Secure Computing, Symantec, and TechGuard Security.