The Bush administration's draft cybersecurity plan offers plenty of recommendations for how home users should protect their systems, but critics say intense lobbying from the high-tech industry has pulled nearly all the teeth from the plan when it comes to steps the technology industry should take.
The White House strategy, unveiled Wednesday at a Stanford University gathering attended by government and industry leaders, omits several recommendations contained in earlier drafts that prompt industry to take more responsibility for Internet security. For example, cut from the plan were proposals to ask technology companies to contribute to a security research fund and for Internet service providers to bundle firewall and other security technology with their service.
White House cybersecurity adviser Richard Clarke said the changes were made in the hopes that the IT industry would adopt the recommendations voluntarily, instead of being forced to adapt to more government regulation. The administration is giving technology firms and the public 60 days to offer further input on the plan.
But critics say that the changes already made to the plan ask consumers to shoulder too much responsibility for improving the nation's cybersecurity posture.
"Consumers aren't likely to pay attention to Clarke or this effort, and to rely on them is flawed," said Russ Cooper, an executive with Reston-based TruSecure Corp. "Most consumers didn't buy a computer to become geeks. The majority of them are still trying to learn how to buy things from eBay."
Alan Paller, research director of the SANS Institute, said industry has not stepped up to do its part.
"They're whining, and that resonates with an administration that is business-oriented," he said. "As long as this can be done in smoke-filled rooms, then industrial pressure can continue to affect national policy."
But Paller said he believes the 60-day public comment period will help to show who has worked hardest to weaken the plan.
"The whiners will now have a spotlight shone on them," he said.
The Bush administration's approach to winning cooperation from the private sector is loosely based on the model put in place during the Clinton administration to prepare critical computer systems for the Y2K rollover.
In that effort, the federal government took the lead in fixing its own systems, built an effective information-sharing network with the private sector, and gave companies an incentive to ready their own systems for the date turnover.
But in a departure from the Y2K approach, people involved in assembling early drafts of the Bush administration's cybersecurity plan say Clarke's team failed to circulate their recommendations among the industry officials who were originally solicited for input. When industry insiders saw what was to be a final strategy, many balked, prompting the administration to cut key recommendations.
The only concrete proposals left in Wednesday's version of the report appear to be for the government, said Bill Conner, president and CEO of Entrust Inc.
"It looks as though a PhD wrote the government items, but it reads like someone a year out of grade school wrote the rest of the plan," he said.
Conner added that the Y2K model fails in today's environment because companies no longer have money to throw at security risks as they did before 2000.
"It's not enough to just upgrade their infrastructure, because we're in different economic times today," he said. "Now more than ever the administration needs to prove why this makes good business sense for companies."
The administration may need to do more than just worry about how its recommendations could affect bottom lines in the business world. As officials have discovered, corporations don't want to approve anything that might put them on the legal hot seat as well.
Since last year's terrorist attacks, the White House has stepped up an aggressive outreach effort to the companies that control 90 percent of the nation's critical infrastructures in an attempt to convince them to share information on vulnerabilities and attacks with the federal government. The majority of more than 80 recommendations in the latest cybersecurity draft are aimed at improving communication between the two sectors in order to prevent and respond to major cyberattacks.
Yet, many companies remain reluctant to share such information for fear of being sued by shareholders or customers when they report flaws.
"Industry does not want to head down the road of tort liability," said Jim Dempsey, deputy director of the Center for Democracy and Technology. "This has produced for the administration a sort of policy paralysis."
Bruce Schneier, chief technology officer and co-founder of Counterpane Internet Security, said that without liability and disclosure requirements, the administration's plan will have "absolutely zero effect."
"You really have to ask why CEOs would bother to follow any of these recommendations, particularly at a time when most companies' earnings are down 20 percent," Schneier said. "The fact is, companies aren't rewarded for altruism; they're rewarded by the strength of their stock price."
TruSecure's Cooper said Internet service providers and technology manufacturers will improve their security practices and the integrity of their products only when they are held liable for failing to do so.
"From the looks of what's happening, what we'll get in 60 days will be even more watered down and with less teeth," he said.
Phil Lacombe, senior vice president for cyberassurance at Arlington-based systems integrator Veridian Inc., said that sharing threat information between the private sector and government raises "a number of very tricky issues ... and in that regard it is a wise idea to get industry's input on the actual wording."
But many business groups - particularly security outfits that cater to large entities like the federal government - hailed the latest draft as a step in the right direction.
"The more aggressive the federal government is in deploying these recommendations the greater likelihood there will be a bleed-through to the larger Internet and e-commerce community," said Michael Aisenberg, director of public policy for VeriSign, a company that sells digital authentication technology.
Christopher G. Caine, vice president of governmental affairs for IBM, praised the administration for putting the strategy out for further scrutiny, but said those expecting a quick fix from the White House should not hold their breath.
"I think the administration is trying to find a balance, one that allows for progress to be made in a complex area that involves private and public sector organizations that are at very different stages of IT use and implementation," Caine said. "It's like Y2K without the clock, and I think we all have to understand that cybersecurity is a continuing process, not a thing you do and get done with."