Critics Say National Cybersecurity Strategy Too Weak


Computer security experts denounced a White House panel's eagerly awaited strategy on defending the nation's critical systems from cyberattacks, assailing Wednesday's report for not being tough enough.

Instead of proposing bold government actions, the "National Strategy to Secure Cyberspace" stresses voluntary cooperation and education. It says users -- from home PC buyers to corporate technology officers -- need to know of vulnerabilities so that they can assess the risks in their own corner of cyberspace.

"The government cannot dictate. The government cannot mandate," said Richard Clarke, the White House's cybersecurity adviser. "The government cannot alone secure cyberspace."

But some question whether the plan is too little, too late, with yet another two months of comment and debate before it is handed to President Bush for approval.

"It's far too amorphous," said Christopher Wolf, head of the computer security practice at the law firm Proskauer Rose LLP in Washington. "It creates a voluntary security plan. It's like asking ordinary citizens to erect a nuclear shield when it's obviously the government's job to organize those things."

The 60-page document suggests government's role is to foster communications within industries and set the example. It focuses on a free-market approach, relying on the carrot of increased revenues and profits rather than the stick of government regulation.

The report also calls for a change in thinking about computer security, from focusing on existing threats and attacks to identifying vulnerabilities before disaster strikes.

Critics say the strategy report does not go far enough. And while it's being debated, systems remain vulnerable.

The United States has quickly grown dependent on networked computer systems for everything from manufacturing and banking to utilities and national security.

So far, cyberattacks have been mostly isolated and typically have stemmed from individual hackers rather than organized terrorists. But the relatively minor attacks last year led to overall losses of $13 billion, Clarke said.

"The worst case has not happened," he said. "The worst case can happen."

The strategy report, formally released Wednesday at Stanford University after portions were leaked to the press, lists problems, makes about 70 recommendations and raises issues for further discussion.

But it does not point fingers.

In fact, Microsoft Corp., the world's largest software maker, was not mentioned at all during a 90-minute presentation unveiling the strategy, even though many security experts blame problems on its ubiquitous Windows operating system software.

Later, Clarke declined to comment on the safety of specific operating systems but pointed to Microsoft's "Trustworthy Computing" initiative as an example of a software company making security the top priority.

"We look forward to Microsoft doing that," Clarke said. "We look forward to other companies doing that as well."

Scott Charney, Microsoft's chief security strategist, said the report was meant to discuss specific strategies, not target companies.

"Microsoft may have a large share of the desktop operating systems, but some environments run proprietary systems that have to be secured just as well," he said.

Charney also criticized the report for not going far enough, saying many of the recommendations should carry more force.

In some of the more obvious recommendations, it calls on computer users to choose difficult-to-guess passwords, update antivirus software and install firewalls. For businesses, the report urges companies to establish security policies and hire outside auditors to make sure they are followed.

Security experts say the report might help establish acceptable standards for security, even if it doesn't impose any of them.

"Right now, most users don't know what you should do to take reasonable care," said Michael Overly, an author and security expert at Foley and Lardner.

The Clarke report also suggests companies in critical sectors such as banking and utilities should form groups to which individual firms can report vulnerabilities. Such information can then be sent to others without identifying the vulnerable competitor.

And other countries should name a point person to whom other nations can go to share information on attacks.

Parts of the strategy are already being put in place. Many critical industries, for instance, already have centers where problems common to the industry can be shared anonymously.

Clarke dismissed criticisms that the strategy report does not have enough specifics or teeth.

"It's not a plan -- it's a strategy," he said. "A strategy is meant to be somewhat high level, state strategic goals and how to implement them."

He also said the strategy will continue to be revised, as new threats and solutions develop.

"Everyone will have an equal say in making recommendations," Clarke said. "No one is going to have any more right to comment on this strategy than anybody else."

Copyright © 2002 The Associated Press. All rights reserved.