Partners Wary Of DoD Cyber Security Plan

The comprehensive cyber security strategy outlined by the U.S. Department of Defense last week might be well a well-intentioned effort to counteract cyber attacks, but channel partners say that the document will likely be ineffective at best, and could potentially weaken the reseller community at worst.

The U.S. Department of Defense released a comprehensive cyber strategy last Friday aimed at hardening the nation’s computer systems from cyber attacks, and deeming cyberspace as another ’operational domain’ that the military will be trained to defend.

The 19-page document, titled the ’Department of Defense Strategy for Operating in Cyberspace,’ stipulates that cyber space be a domain protected by the U.S. military in the same way it defends land, sea and air, and called for new ways to bolster defenses for critical cyber infrastructure, while developing new weapons to retaliate against U.S. adversaries launching cyber attacks.

’The cyber threats we face are urgent, sometimes uncertain and potentially devastating as adversaries constantly search for vulnerabilities,’ said William Lynn, deputy secretary for defense, in a statement . ’Our infrastructure, logistics network and business systems are heavily computerized. With 15,000 networks and more than seven million computing devices, DoD continues to be a target in cyberspace for malicious activity.’

However, so far, solution providers maintain that while well intentioned, the government’s cyber security plan -- outlined in five key initiatives -- is too vague, lacks enforcement and likely won't warrant an immediate uptick of future business.

One security-focused channel partner took exception to the first initiative that redefines ’cyberspace as an operational domain to organize, train, and equip so that DoD can take full advantage of cyberspace’s potential.’

’They’re talking about protecting cyber space the way they do land and sea and air. So who’s creating the next B1 hacker airplane?’ said David Sockol, CEO of Santa Clara, Calif.-based Emagined Security. ’Everybody is going to have to wait and see.’

In fact, Sockol contended that government’s cyber security initiative could in fact weaken the knowledge base of reseller community by migrating cultivated private-sector talent to the federal sector.

Sockol pointed to the fifth initiative outlined in the document calling for the government to ’Leverage the nation’s ingenuity through an exceptional cyber workforce and rapid technological innovation.’

’So you’re ready to finally hire experts and train experts. That’s well and good,’ Sockol said. ’But that hurts the reseller community if the government is going to try to steal the talent that we’ve been working so hard to grow.’

Sockol also called out the document’s provision stipulating that it would enable the federal government to purchase and implement cyber security infrastructure within a 12-month timeframe.

’It’s moving in the right direction for them, but 12 months to buy a new technology? We need to react in days and weeks, not in terms of months, years and decades,’ Sockol said.

However, the cyber strategy plan could potentially be used as a tool to help raise awareness, which could ultimately affect the channel, albeit indirectly, some partners say.

Jonathan Dambrot, managing partner at Warren, N.J.-based Prevalent Networks, said he was uncertain if the government’s new cyber security policy would "have teeth," but said that if anything, the government’s emboldened stance on cyber security represented a collective growing awareness around the issue.

’Even without any cyber security plan, we are seeing literally a breach announcement an hour. The reality is, I think people are talking about it,’ he said. ’They say, 'am I susceptible to this type of a breach in my environment, and can you help us?' There are a lot of those conversations. ’

Next: Cyber Strategy Lacks Teeth, Enforcement

Roy Miehe, president of AAAntivirus, based in Campbell, Calif., speculated that the document was likely a public affirmation from the government about activities and plans already in progress. Even still, the initiatives outlined in the document were probably too vague prevent any security threat unleashed by attackers intent on targeting U.S. cyber infrastructure, he said.

’There’s very little the government can do to stop a cyber attack,’ he said. ’If somebody wants to get in, they’re going to get in.’

In addition, Miehe said the cyber security initiatives would likely do little to galvanize the public, and even the reseller community, into action to shore up security holes in their networks and harden their infrastructure to prevent future attacks.

’You wouldn’t believe all the hacks that are going on in the world that the public has no knowledge of and really could care less,’ Miehe said. ’How many people are paying attention to it? I don’t think there are a whole lot of guys who care. They’re tired of fighting it.’

Even if the public was apathetic, Sockol said that there were no fines or penalties stipulated that would motivate organizations or governments to implement any of the proposed initiatives, Sockol said.

’Corporations don’t do anything without a mandate. This (document) doesn’t mandate that they do anything. All these things in here sound like a great idea but the devil is in the details,’ added Sockol. ’It’s great you put it on paper, but nothing has changed.’