On September 18, the President's Critical Infrastructure Protection Board (PCIPB) released its draft report, "The National Strategy to Secure Cyberspace," which contains recommendations for protecting our information systems and technology resources from the desktop to the Internet. The board's members are senior officials from more than 20 agencies and departments. The report is available for comment at http://www.securecyberspace.gov.
In his cover letter, board chair Richard Clarke indicated that sector groups developed their own strategies as part of this effort. These sector reports are available at http://www.pcis.gov. Both Clarke and the report stress public/private partnerships, coalitions, and cooperative efforts. Other input was obtained through surveys, expert consultation, and town meetings held around the country; more town meetings are scheduled. Clarke stated: "Even more input is needed. This unique partnership is needed because the majority of the country's cyber-resources are controlled by entities outside of government."
National and international economic activity increasingly relies on information systems, the Internet, and related technology. The builders and designers of these systems did not pay sufficient attention to security at the outset; they traded security for efficiency and speed.
In response to the need to protect information and communication assets, President Bush established the President's Critical Infrastructure Protection Board by Executive Order 13231 in October 2001. The board's responsibilities are to "recommend policies and coordinate programs for protecting information systems for critical infrastructure, including emergency preparedness communications and the physical assets that support such systems." The board was directed to reach out to the private sector, academe, and state and local governments.
The report's key recommendations are based on strategies suggested by each sector and are presented in five levels, ranging from homes and small businesses to the global level. The first level covers home users and small businesses, who are encouraged to protect themselves with anti-virus software, firewalls, timely software patches, and help from their Internet service providers. Firewalls matter most for DSL, cable modem, and wireless connections: because these links are always on, the machine behind them is a continuously reachable target, which raises the risk of sniffing, snooping, data theft, and other intrusions. Home users and small businesses are also asked to keep software and operating systems updated to current versions. These activities are not compulsory, but people are urged to follow the recommendations.
Large corporations and enterprises make up the second level. They are encouraged to form corporate security councils and to implement processes and procedures that authenticate network users with techniques such as Public Key Infrastructure smart cards, secure tokens, and biometrics. Strong authentication alone does not prevent abuse, however: it establishes who is acting, not whether an authorized user's actions are legitimate, and "trusted insiders" carry out 70 percent of attacks on enterprise systems. Large companies are also urged to conduct regular security audits, to consider using diverse IT service providers to mitigate risk (a single provider's outage or compromise affects every one of its customers at once), and to implement best practices.
The board's recommendations also include actions for boards of directors: "Corporate boards should consider forming board committees on IT security and should ensure that recommendations of the chief information security official in the corporation are regularly reviewed by the CEO." This recommendation is consistent with recent efforts in the financial sector to increase the responsibility and accountability of CEOs and boards.
Level three covers the federal government, higher education, state and local governments, and critical industries in the private sector. Recommended federal activities include "identifying and documenting enterprise architectures; continuously assessing threats and vulnerabilities and understanding the risks they pose to agency operations and assets; and implementing security controls and remediation efforts to reduce and manage those risks." The report softens the federal government's regulatory role in information and communications, emphasizing voluntary efforts, public/private information sharing, and partnerships.
Many hackers operate from colleges and universities. Campus computers have been used to break into a variety of government and private systems, to launch denial-of-service attacks, and for other activities. A recent study by the Pew Internet & American Life Project found that 85 percent of college students own computers, and most have unlimited, ready access to the Internet.
Hacking is a game for some young people; often they mean no harm and simply find it a challenge to figure out how to get into another system. The report recommends that higher education institutions establish a "point of contact reachable at all times to Internet Service Providers (ISPs) and law enforcement officials in the event the school's IT systems are discovered to be launching cyber-attacks." The report recognizes the dilemma faced by academic institutions that value open access on the one hand and security on the other.
Private-sector companies in level three are asked to cooperate with the government and to consider establishing an Information Sharing and Analysis Center (ISAC) that cooperates with other ISACs. Each sector is asked to analyze its security and technology gaps, develop best practices for security, and establish mutual assistance for emergencies. These collaborative efforts will require the Department of Justice and the Federal Trade Commission to remove barriers, chiefly the antitrust concerns that competitors face when they share security information with one another.
State and local government representatives identified activities they could implement to increase cooperation: forming a state CIO advisory group, increasing information sharing among states, including local government representatives on state cyber-security boards, and finding ways to integrate information across all levels of government to eliminate "stovepipes." The PCIPB recommendations are in concert with these state and local recommendations.
Level four sets out 49 national priorities, many of which require public/private partnerships. Others concern federal agencies; training and research; and the establishment of a clearinghouse for "promoting more effective software patch implementation." Global concerns are reflected in six level-five recommendations, which cover a variety of collaborative efforts with other nations.
Awareness of risks and vulnerabilities is stressed at all levels, as are training, maintenance of systems and software, and clear responsibility for the security of information systems. The report does not specifically recommend legislation, regulation, or performance measures; it uses words such as "voluntary," "encourage," and "empower." If voluntary efforts do not produce the desired results, it is not clear whether the board will later recommend stronger measures in the form of regulation or legislation.