Once upon a time, President Bush appointed Richard Clarke as national cybersecurity czar, tasking him and a handful of other security-minded folks with creating a plan that would make the Internet more secure.
Such a plan, everyone reasoned, would help rein in the malicious code swirling around the Net, establish secure practices and policies throughout the computer industry, and most importantly, protect end users and corporations alike from the costly consequences of viruses and criminal hackers.
A diluted report
As you may remember, Clarke's task force quickly ran into opposition, mostly from wealthy lobbyists representing communications, software, and security companies, but also from--surprise--the White House. Thus, the final report called for the industry to regulate itself and provided only vague recommendations for everyone else.
More than a year after that report appeared, you and I are no better protected online than we were before Richard Clarke and his team first met. And now it will take yet another year before the computer industry proposes its own self-regulating actions.
That's too long. We need to scrap the current plan and start over.
It's clear to me and to many in the security community that the current plan is flawed, yet the Bush administration insists it is a serious blueprint for enhancing cybersecurity. At the National Cyber Security Summit, held last Wednesday in Santa Clara, California, government officials praised the progress they've made thus far. However, it's interesting to note that the 300 invited guests at the closed-door sessions did not include many noted individuals within the security community, giving the summit a distinctly probusiness skew.
Cyberspace no longer a priority
Since the beginning of 2003, the Bush administration has distanced itself from cybersecurity, demoting its once high-profile task force to a third-tier priority within the new Department of Homeland Security (DHS). The DHS itself remains largely unproven as an effective deterrent to cybercrime, hampered in large part by the decision of several experienced agents from the Secret Service, the FBI, and other tech-savvy agencies to take lucrative jobs in the private sector rather than join the fledgling department.
As proof of the DHS's inability to handle a real crisis, I'll remind you of the Slammer worm attack last January, which slowed e-commerce and shut down many ATMs. The DHS neglected to issue a statement about the worm for several hours after it hit the Net, because no one was in the office. Today, the DHS is still understaffed to the point where it would be difficult for it to handle a serious Internet threat.
Even the position of cybersecurity division chief, left vacant after the departure of Richard Clarke in early 2003 and then Howard Schmidt two months later, remained unfilled throughout the virus outbreaks of Sobig.f and Blaster this past August. It wasn't until late September of this year that Amit Yoran, formerly a Symantec executive, arrived as the new chief, causing some within the security community to question whether he could be impartial.
We need a fresh start
To make matters worse, the proposals that came out of last week's summit are still too vague. I believe the Bush administration should disengage itself from corporate special interests and once again involve the independent security community in negotiating a new cybersecurity policy, one with more immediate results for you and me.
They wouldn't have to start from scratch, either. Many of Richard Clarke's original ideas are worth reinstating. Among them, I favor requiring broadband ISP services to provide free antivirus and firewall software to their customers and speeding the process to secure wireless Internet access.
While these sorts of policies may cost some technology companies money in the short term, in the long run they would leave us all better off.
What do you think? How should we secure the Net? Through legislation or corporate self-regulation? Tell me about it--TalkBack to me!