The government has spent months working on the much-touted National Strategy to Secure Cyberspace. The release of the document was delayed once in July 2002. When the White House finally released the 60-plus-page document on September 18, it was only a draft, which, it turns out, might be a very good thing. As a draft, there is ample opportunity for you—the patriotic IT manager—to fill in the blanks and strengthen the document as a whole. And, according to many IT pros, the document will need some serious strengthening.
The general consensus from the IT community seems to be that the government hasn’t made any great strides in protecting the infrastructure, since most of the recommendations discussed in the plan involve Best Practices that are already in place at most large organizations. There are also a number of disappointed IT managers who were expecting strict mandates and/or enforcement mechanisms to help force the issue of security at their less-than-accommodating organizations. On the contrary, the Strategy is not designed to be a Federal mandate. No one will be required to comply with any aspect of it. Rather, the government is essentially urging people to read the Strategy, take it to heart, and make their own recommendations for achieving its goals.
In defense of their Strategy, White House cybersecurity advisers Richard A. Clarke and Howard A. Schmidt explain in their accompanying cover document that the Strategy aims to “ensure that America has a clear roadmap to protect a part of its infrastructure so essential to our way of life.”
What does this mean to you? The first step in maintaining this roadmap is that everyone—private home users, government and military employees, and big businesses—needs to be more aware of existing and possible security threats and more proactive in avoiding them. This means choosing more difficult passwords and changing them frequently, installing and using antivirus and firewall software, and designing software that’s harder to crack. Be aware of what’s out there so that you’ll know your own risk level.
If you are already taking all of those measures and are wondering how this Strategy will ever rise above its first, tremulous draft, you are not alone. In fact, the government is waiting to hear from you on this very matter. From now until November, the government is actively soliciting recommendations from experts like you. This is your chance to shine within your organization and on a national level as well.
The best way to go about finding fixes and suggestions for the Strategy is to first download a copy of the draft. If you’ve been trying in vain to get your bosses—and even your underlings—to understand why you shouldn’t use the same password for everything, why firewalls really do matter, and that the most expensive security system is useless if you don’t use it, much of the introductory material in the draft will help you. With it, you can put together a company-wide program. Ask department heads to voice their greatest cybersecurity concerns. Find out how many of them actually know what firewalls are.
Section II of the draft, Large Enterprises, packs a wealth of information into four pages. Much of it won’t be new to you if you keep current with the high-tech world, but it’s a great basis for putting together talking points for a meeting with your CEO or Board of Directors.
Put together a document that translates the general information presented in the draft and personalizes it for your company’s specific situation. What steps should you take to comply with the government’s recommendations? Outline your own Strategy, complete with a timeline for implementing changes. As you go through this process, be on the lookout for missing strategies. When you find additional measures that can—and should—be taken, write them up, and submit them to firstname.lastname@example.org.
You lose your right to complain if you sit quietly and twiddle your thumbs instead of acting. The current draft of the National Strategy to Secure Cyberspace isn’t going to keep the U.S.—or you and your job—safe. So do your job, and find ways to make it better.