ISSA Response to PCIPB Solicitation for Comments on
The National Strategy to Secure Cyberspace draft
November 8, 2002


To the distinguished members of the President’s Critical Infrastructure Protection Board:


On September 18th, 2002, the President’s Critical Infrastructure Protection Board
(PCIPB) published, in draft form, the National Strategy to Secure Cyberspace, for public
review and comment. The goals of the PCIPB map closely to those of the Information
Systems Security Association (ISSA), as both organizations wish to help ensure that the
information infrastructure, on which our economy is increasingly dependent, is built on a
stable foundation of good security practice.

To contribute to the PCIPB effort, ISSA has enlisted its international membership to
provide constructive feedback on the National Strategy to Secure Cyberspace draft. Over
the past six weeks, we have received input from individuals and corporations, both
domestic and international. The suggestions have been compiled and distilled, and are
presented here as representative of the contributions of our membership.

The responses indicate that the draft is seen as being very well written and that it does a
good job of raising the awareness of the existing information security challenges. Further,
the draft strategy provides a number of good recommendations. It clearly communicates
the need for a strategic approach to information security, both in the public and the
private sector. Professionals can gain valuable insight by recognizing key information
security practices that they can apply in their own environment, or processes that they can
improve, provided that they have adequate budget and personnel.

However, the draft strategy has also been criticized for including only recommendations,
and no mandates. Many information security professionals have already recognized the
many areas where remedial action is required, but lack the management understanding,
support, and budget to implement effective practices. While the draft may clearly
communicate many of the problems we “firefight” on a daily basis, management that
does not already recognize the issues is unlikely to read 60+ pages of recommendations,
let alone commit the budget to implement solutions on a timely basis.

This is symptomatic of a critical problem in securing our national infrastructure. In
today’s market, it is increasingly difficult to align the short-term goals of a company with
the long-term best interest of the company, and of the public. The market consistently
rewards executives for short-term gains, while not holding executives or companies
accountable for long-term effects.

What industry lacks, and what the National Strategy to Secure Cyberspace draft fails to
provide, is a commitment to assigning accountability for security, whether legal or
fiduciary. Senior management will not spend money on security controls (to include
hardware, software, personnel, and management controls) without a clear financial
motivation. Nor, in their current view, should senior management do so, since this would
represent a failure in their fiduciary responsibility to their shareholders. But if those
same senior managers were legally or financially accountable for failure to implement
security controls, that responsibility would be different. Only a clear statement from the
Government can create this accountability.

Most companies recognize the potential bottom-line impact of a lack of security controls.
But at this time it is still too abstract for them to make an informed business decision.[1]
This strategic guide does not adequately address that issue.

Unfortunately, it is hard to develop effective measurements of risk in the context of
information security. When a factory burns down, the impact is clear and overt, and
cannot be buried in accounting statements. A failure of information security controls is
subtler. In the first place, it may not even be discovered until long after its impact has
been absorbed. Even when it is discovered, companies are often faced with a choice of
whether to publicize the incident. As the publicity may cause more damage than the
compromise, companies may frequently cover up the failure. This makes developing
industry statistics substantially more difficult, and less accurate.

Insurance companies have been understandably reluctant to codify risk, or to insure
against breaches of information security. They suffer from the same uncertainties that
plague senior management. For this reason, financial incentives to good security practice
will likely be derived from legislation, rather than free market action.

How should this legislation be approached? One proven effective approach is to create
financial incentives (or disincentives) for positive (or negative) behavior. Either of these
will promote accountability and reinforce practices that minimize risk to shareholders and
to the general public. Such legislation could be implemented directly or indirectly.
Corporations could be granted tax incentives for integrating appropriate security practices
into their operations. Examples would include the auditable implementation of effective
security domains (such as the use of firewalls to isolate sensitive systems from non-
sensitive ones, as well as from the Internet).

Another way to quantify security practices would be through comparing a company’s
information security practices to a commonly accepted information security standard,
similar in concept to the Generally Accepted Accounting Principles (GAAP) applied in
the accounting and auditing industries. There are various industry initiatives already
developing standards on this model. By defining these industry standards, or “best
practices”, we provide a conceptual yardstick against which corporate practices can be
measured. The metrics created will implicitly support the comparison of corporate
practices across industries, adding competitive self-interest to play a positive role in a
corporation’s assessment of the value of good security practices.

[1] Consider corporate management of fire extinguishers, before insurance companies developed actuarial
tables documenting the financial impact of fires occurring in buildings with and without such controls.
Once companies could make an informed choice on their risk management strategies, and on measures that
could substantially mitigate or transfer that risk, we saw more effective management across industries.
Today, the lessons learned through risk management practice have been codified into law, to protect the
common good.

Recognizing the value of these metrics, and of the competitive practices mentioned
above, some of our members suggested incorporating information security practice audits
into the more general audits of public companies. Such a broadened audit would provide
a level of review and disclosure to shareholders that ensures the corporation is performing
its due diligence in protecting their investment. The challenge here is to develop an
information security standard to serve as the basis for comparison and analysis.[2]

As mentioned earlier, various efforts to do so are now underway. Groups such as the
British Standards Institute and the International Standards Organization, among others,
have introduced information security frameworks (BS7799 & BS7799:2002, and
ISO17799, respectively). These frameworks can be voluntarily adopted by organizations,
in a process similar to the implementation of ISO9000 practices by many organizations
today. As the value of these practices is recognized, independent audits of the corporate
implementation of common security practices will become valuable differentiators
between companies, much as ISO9000-compliance is today.[3]

Other standards are more proscriptive, and include the Health Information Portability and
Accountability Act (HIPAA), and the European Union’s Data Protection Directive. Each
of these explicitly legislates information security standards, and the failure of a company
to meet those standards can result in civil or criminal penalties.

Of course, legislation is only as strong as its area of jurisdiction. In today’s market of
increased internationalization, and increased awareness of extra-jurisdictional
opportunity, it is critical to be aware of the impact and enforceability of legislation. The
impact will be seen in instances where compliance with laws in multiple jurisdictions
drives the cost of compliance past the point of profitability. Companies that don’t make a
profit don’t survive. If U.S. companies have to comply with one set of laws domestically
and another set internationally, they may be forced to either relocate their core business
outside of our borders, or shut down.


[2] In addition, it should be noted that public disclosure of security practices and security incidents would,
over time, provide data for insurance companies to evaluate the risks associated with different practices,
and assume some degree of risk, by offering insurance.

[3] It is likely that ISSA would endorse the institution of a non-profit organization to certify corporations’
compliance with commonly accepted standards. Conceptually similar to an Underwriters’ Laboratories
model, members with sufficient expertise in their practice area would be certified or licensed by the
governing organization to audit corporate compliance, and accredit corporations that met or exceeded a
minimum standard of compliance. Additionally, the “Information Security Practice Auditor (ISPA)” would
have the opportunity to evaluate the corporations’ risk-tolerance, and evaluate the corporation’s security
posture in that context, if appropriate. The ISPAs would be required to actively maintain their professional
knowledge, would be held to the highest ethical standards, and would be held accountable for their work, as
are licensed professionals in other industries. This is in keeping with the previously discussed desire for
adequate accountability in an industry which has largely practiced self-governance since its inception.

The other side of the coin is the difficulty of enforcing law across jurisdictions. A dicey
proposition in the first place, the problem is exacerbated when the laws in the different
jurisdictions are incompatible, or have no analog in one or more venues. We have seen
cases where variance in local standards leads to a variance in legal findings, depending
on the venue of prosecution. We have seen cases where criminals (in U.S. law) are not
breaking the law in their native country. There will also be cases where the cost of
prosecution exceeds the expected return, particularly in cases where extradition may be
required. By minimizing the variance in laws across jurisdictions, we minimize these
types of cases.

For these reasons, there are advantages to supporting standards which are recognized
worldwide, and which do not place unreasonable expectations on extra-national or
international corporations. Additionally, ensuring that our laws harmonize with
international regulations in effect, as far as possible, will minimize the expense and
disruption to our nation’s businesses, while still supporting our goal of implementing
effective security standards. Further, adopting standards and best practices that align with
practices in other countries will help to ensure that compliance with those standards and
practices is economically feasible for corporations intending to reap the benefits of an
international market.

Finally, it is becoming increasingly clear that there is no silver bullet for information
security, and no technology that can “solve” all the problems that we face today. As in
any other industry, many people claim greater competence than they exhibit in practice.
For this reason, it is recommended that proposed standards and legislation define and
recognize qualified professionals. This could entail regulation of the industry, in much
the same way that doctors, lawyers, accountants, and professional engineers are
regulated. This regulation needn’t be legally mandated, but could be managed by an
independent non-profit organization similar to (ISC)². Alternatively, recognition could
consist of a mapping of responsibilities to already existing certification programs. There
are a number of excellent certification programs available today, but there is inadequate
distinction between the programs outside the field. Clarifying which certifications are
appropriate to which job functions would help companies avoid the equivalent of hiring
accountants to perform medical procedures.[4]

[4] It is held to be a reasonable expectation that companies place an accounting professional as CFO. It is
similarly reasonable that positions responsible for the security of a corporation’s intellectual assets, from
firewall administrator to CISO, be staffed with professionals who have similarly demonstrated their
expertise, whether through experience or education. In the absence of first-hand knowledge of an
individual’s work, certifications targeting specific areas of interest are the best indicator of ability available
to corporate management.

However, the value of certifications as indicators is proportional to accurate corporate knowledge of the
various programs, and their applicability to different areas of responsibility. There is a definite benefit to be
derived from a neutral analysis of the different certifications.

The authors could certainly make recommendations for some of the responsibility-to-certification mappings
mentioned, but consider this to be outside the scope of this document, and have no wish to exhibit bias. A
committee could be commissioned by ISSA, another industry group, or a governmental task-force to
analyze industry certifications, and make appropriate recommendations.

To recap, we have discussed four themes that run through many of our members’
recommendations and industry thoughts. These thoughts are encapsulated here, as the
take-away message.

It is critical to introduce accountability to companies and individuals who fail to
take adequate steps to secure their computer systems. The National Strategy should
encourage the assignment of this accountability.
        When computer systems are compromised, their failures can impact the general
        public, as well as the owners of the systems. In order to protect the commons,
        system owners need to be held accountable for maintaining their systems. This
        can be achieved through legal or financial incentives.

It is critical to adopt a consistent set of public standards that will help companies
and individuals to secure their section of cyberspace. The National Strategy should
state this as a clear goal.
        By providing clear guidance, taking a public position, and providing frequent
        reinforcement, the U.S. government can take a leading position in the effort to
        secure cyberspace.

It is advisable to enact legislation to encourage companies and individuals to
implement proper controls, as specified in the adopted set of standards. The
National Strategy should propose that such legislation be created.
       While many companies will implement recommended standards, the critical
       dependence of society on the information systems we have built and on the
       infrastructure through which the systems communicate is such that a legal
       requirement would be appropriate in many instances (i.e. medical, banking,
       commerce, etc.).

It is advisable to “professionalize” the information security industry through the
licensing, certification, or accreditation of information security professionals. The
National Strategy should propose this professionalization.
        There is currently a market demand for information security expertise. This has
        created a market demand for certified information security professionals.
        Unfortunately, that has in turn created a market demand for information security
        certifications. The creation of a professionally licensed information security
        credential or the official recognition of a de facto standard would help to reduce
        the prevalence of “snake-oil” in the industry, and also help to increase the
        accountability of information security professionals.

In conclusion, while the Draft Strategy is an excellent compilation of information, it does
not provide adequate motivation for companies to make a significant investment in their
information security infrastructure. It provides good advice, but it does not create a clear
vision for a secure infrastructure, and it does not establish a roadmap for reaching a
secure future. Without sufficient motivation, advice is just that—advice.
The suggestions in this letter will help to address that shortfall, and if implemented, will
provide a compelling argument for the positive changes documented in the National
Strategy to Secure Cyberspace draft. With these changes, the National Strategy to Secure
Cyberspace could be part of an effective program to secure our information
infrastructure.


Sincerely,

ISSA National Strategy to Secure Cyberspace Feedback Committee
      Lee Imrey, CISSP, CISA
      Laurie McQuillan, CISSP
      Michael Rasmussen, CISSP
      Kevin Richards, CISSP

ISSA Member Contributors
      Michael Hamilton, CISSP
      Barbara Hillenbrand
      Melody Iffland
      George Kondos
      Lawrence M. Oliva
      Derek J. Oliver CISA, CFE, FBCS, FIAP, PhD
      David Schlesinger




Note: Those contributions received by email have been appended to this document, in order of receipt.
Their formats have been modified for consistency; the general content has not been edited with the
exception of deleting references to individual and company names. The list of contributors is found above.
I have three comments to contribute to the draft of the National Security to Secure
Cyberspace.

   1. In the section "A Range of Threats" there is a reference to Script kiddies using
      "malicious" software. I have issues with the pejorative word "malicious." The
      reasons are as follows: The software used often is legitimate security software
      available to security professionals who are seeking to harden their networks. The
      fact that it can also be used to attack a network whose administrator has not
      hardened the system is regrettable. But unless the government intends to set up a
      new police agency whose job it is to outlaw certain software and only allow
      registered users, this idea is unenforceable and leaves the door open to actually
      making it harder for the average system administrator to get the tools he or she
      needs to audit the system that is being protected. The script kiddies may be
      "malicious", but the software is often only testing software.

   2. In the "Cyberspace Threats and Vulnerabilities" section, I object to the
      rationalization about ROI and cost in the bullet point that reads: "costs associated
      with a severe computer attack are likely to be greater than the preemptive
      investment in a cybersecurity program..." The issue I have is that this is the wrong
      way to value the damage of an attack.

           a. The potential danger to environment, children, the elderly, the public and
              our emergency personnel cannot be adequately expressed in dollars should
              water supplies or traffic control systems be impacted. While this is
              addressed elsewhere, it is not as prominent as this attempt to assert
              positive ROI. Cost is not the major risk value.

           b. However, there is a more realistic and strategic investment value: all work
              to repair computer attack damage is effort done while the business is no
              longer functioning. This effort is classed as wasted expense in that it does
              not bring in revenue nor improvement. On the contrary, all work done to
              make a computer system secure has the additional benefits of happening
               while the company is productive and earning money. Giving the staff the
              opportunity to upgrade and standardize their infrastructure lowers overall
              maintenance costs, and developing a coherent view of the infrastructure
              helps all future expansion and improvements. The costs of good security
              are turned into intellectual corporate assets. This is the Opportunity ROI.

   3. In the section "National Policy & Guiding Principles" there is a reference to the
      need to keep the "security infrastructure one step in front of the would be
      attacker." I am in total agreement with this, however, the present state of mind is
      one in which the members of the computer community who look for weaknesses
      (in order to keep our "infrastructure one step in front") are often lumped into the
      same group as the "would be attacker." Consider the issues that constantly come
      up when somebody informs a company that their web site is leaking personal data
      or uses easily guessable passwords. Almost all computer security researchers tell
      stories of receiving threats from the company's legal department for their helpful
      efforts. Other companies are without clue regarding the possibility of any
      security issues with their web sites, and return standard customer complaint
      letters.

The connection between labeling vulnerability-seeking security software as "malicious"
and the ability for interested parties to investigate vulnerabilities is linked. The reality is
that today many companies want to "kill the messenger" when a vulnerability is exposed.
Regulations against disclosure of vulnerabilities are often designed to support the denial
by manufacturers of their lack of ability to write secure code. The true criminal does not
publicly share any vulnerabilities discovered.

The solution is not to close down the gates of knowledge, but to open up the minds and
capacities of the security professionals. If the Government wants secure code without
regulation, then all they need do is make sure that they do not buy insecure
software. Their weight in the marketplace will do much to change the tide and make
secure software systems the norm rather than the exception.



Dear ISSA,

I have reviewed the referenced document as requested, especially from an international
perspective as an audit and security consultant of some 20 years’ experience.

First, I must congratulate the CIPB on the development of a thorough and very readable
document; it is indeed an excellent piece of work.

My comments are directed in two main areas with one, common recommendation for
consideration.

Level 2: Large Enterprises.

Whilst the identified threats and recommended actions are excellent, I feel there is
insufficient emphasis within this section on the need for global enterprises to look
holistically at their international security infrastructure. On the basis that a chain is only
as good as its weakest link, more could have been made of the need for an organization's
internal security infrastructure, potentially crossing many international boundaries, to be
standardized and compliance assured by regular audit.

As an example, I can cite my current assignment which is advising a very large, US and
Swiss based multinational enterprise in implementing a controls infrastructure across 87
countries: they have realized that they lack confidence in their ability to meet corporate
risk with such a complex, international structure of subsidiaries and affiliates. By issuing
a corporate requirement for adherence to given standards and the implementation of local
procedures, recognizing local threats as well as local legislation and regulation but
addressing specific control objectives in the form of global policies, the organization will
gain greater assurance of the security of its entire system. Needless to say, the
management of such a global concern is heavily dependent upon the use of cyberspace.

Level 5: Global

Though I am no "diplomat", I appreciate that the Federal Government must maintain a
diplomatic approach to other national governments and cannot, therefore, be too
proscriptive in its demands for securing cyberspace.

I do feel, however, that this section could be stronger in its plans for the development of
international co-operation in "cleaning up", for example, the Web. With apologies for
stating the obvious, as long as there are countries which are content to leave use of the
Web unregulated and unpoliced, the entire structure is weakened and available for use by
terrorists, not to mention the more obvious unpleasantness of pornography and religious
and political extremity.

The answer, I regret, I do not have. This is within the remit of the United Nations,
perhaps, to give consideration to electronic blocking of and sanctions against countries
which fail to maintain internationally agreed standards of acceptable, civilized behavior.

Perhaps, however, this point could have been raised more evidently within the Strategy as
international co-operation must, in this electronic world, be essential to internal
cyberspace security of any, and every nation and addressing international legislative and
regulatory disciplines ought to be a formal part of national strategy.

Standards

With my final point I attempt to address an important area of internal as well as
international security; the need for all concerned to agree on, meet and obtain
certification against recognized security standards.

I must declare an obvious interest as a founder of and recognized international speaker on
the BS7799 security standards, now established as ISO17799 (Guidelines) and ISO27799
(Specifications). I do not claim that these particular standards have yet achieved the
ultimate requirements to ensure cyberspace security, but the concept of adherence to
internationally recognized security standards, and the potential for certification of
compliance with those standards should be a key requirement of any security strategy.

In short, whether in international government relations, internal business infrastructures
or business interrelationships greater assurance of a globally secure infrastructure can be
obtained if all are agreed on acceptable minimum levels of security. Certified compliance
with agreed standards provides a level of trust and confidence which can otherwise be
obtained only by detailed audit or, at least, long-standing relationships.

Perhaps the Draft could have addressed, at least the need for internationally recognized
standards and stressed the benefits to cyberspace security, even if the current ISO
standards are not mentioned by name. I appreciate the Federal Government may not wish
to appear to endorse any specific standard or product, but the concept of IT Governance
has been well established by the combination of ISO1/27799 and CobiT(tm) in many
parts of the world and cyberspace security is a very important element of Governance.

I should like to thank ISSA for giving me the opportunity to review and comment on this
most important document from which all other national governments could learn. I wish
it, and the US Federal Government every success.


I found the document comprehensive and have only a minor comment:

p. 35, Level 3:

The Critical Infrastructure Sector Contributors for the Private Sector included: Banking
& Finance, Electric, Oil & Natural Gas, Water, Transportation, Information &
Communications and Chemicals--but not Healthcare. I was wondering whether the
Healthcare sector (encompassing Public and Private Hospitals, Medical Clinics,
Laboratories, Doctor's Offices, insurance companies, Pharmaceuticals, Peer-Review
Organizations and so on) should be included here. My reasoning is that the security
challenges faced by the Healthcare sector may be unique and further complicated by the
structure of the healthcare industry itself. For example, although the confidentiality of
patient information is important, a certain amount of information sharing is necessary to
preserve the continuity of a patient's medical history over time, for ER visits and for
billing/reimbursement purposes. Another potential issue would be how to ensure the
security over Community Health Information Networks (CHINs) w

Best Regards,



XYZ backs the National Strategy to Secure Cyberspace, but is concerned about its lack of
aggressiveness. The strategy in its current draft state is only a good first step. XYZ
recommends the following:

Financial incentives

Create incentives for speedy implementation of security policies. XYZ recommends
tying federal funding to compliance in order to speed adoption of a policy and the
deployment of innovative solutions. There need to be incentives to act now to
underscore the urgency of securing the critical elements of the infrastructure. The
risk of not securing cyberspace is of a magnitude that none of us could possibly
predict. Government needs to deal with security issues directly and require results.
All programs cannot be recommended; some must be mandated in order to head off
the most severe attacks. Cyber incidents are increasing in number, sophistication,
severity, and cost. Fixing vulnerabilities before threats emerge will reduce risk.
Costs associated with severe network attack are likely to be greater than the
preemptive investment in a cyber security program. Financial incentive now will
save us all much more in the future.

Adoption of NIST guidelines

XYZ encourages adherence to the National Institute of Standards and Technology
(NIST) “Security Guide for Interconnecting Information Technology Systems.” It is
critical that government agencies as well as private enterprise know all
interconnections to their networks. They need to manage the strategy, the
implementation, the relationship and the termination of those connections. Managing
interconnections is the crux to effectively managing the perimeter of a network. In
order to create highly secure systems, we need to understand the reach of those
systems. We must become more aware of network infrastructure vulnerabilities in
order to develop strategies to protect the networks. But first, the scope of the network
needs to be defined. If organizations in both the public and private sector define their
interconnectivity points and proactively manage their connections, vulnerabilities will
be apparent and the proper security measures can be applied to ensure proper levels of
protection. Adherence to the NIST guidelines would go a long way in securing the
national critical infrastructure.

XYZ also encourages adherence to the National Institute of Standards and
Technology (NIST) “Guidelines on Firewalls and Firewall Policy.” Since firewalls
are vulnerable themselves to misconfigurations, they alone do not provide complete
protection from problems. Firewall and security policies should be audited and
verified at least quarterly.

Look to small innovators

It’s very apparent by some of the vagaries of the strategy that many different
stakeholders participated in its creation. The creation of the final strategy and
implementation will take additional cooperation between industry and government.
XYZ encourages the government to be open-minded about seeking security counsel
and solutions from the specialized security vendors, and would like to see a greater
mix in the composition of the Critical Infrastructure Protection Board including
noted computer security experts. Although we commend our constituents at major
computing vendors for their involvement in this initiative, specialized vendors, such
as XYZ, have been the true innovators in solving security problems.

Also, in regard to a certification process, don't discourage the small innovator with
rigorous certification standards that will put up unnecessary barriers. Certification
tends to be a very expensive process that oftentimes is only afforded by big
companies.
Step up assistance for home users and small businesses

The home users and small businesses are crucial to protecting cyberspace because
they can unknowingly become the base for attack and spread viruses. Often home-
based users are logging into corporate networks (e.g. telecommuters). However,
shifting too much responsibility for protecting cyberspace to ordinary citizens is
unlikely. Even with increased education, the ordinary citizen may be overwhelmed
with how to accomplish security tasks and with the ongoing nature of the process.
Computer hardware and software manufacturers, and ISPs need to take on additional
responsibility to assist home users and small businesses.

XYZ agrees that Government alone cannot secure cyberspace (should not and could not
secure the computer networks of private companies, small businesses, universities and
homes), but Government can mandate some of the recommendations they put forth in the
draft of the National Strategy to Secure Cyberspace.


         There is a definite need to improve the quality of information security and privacy
in industry and the private sector. When I reviewed the Cyber Security Draft, what
struck me was the rhetoric about the need for security programs but I did not see the
substance. There was no mechanism or framework that would provide actual benefit.
The security community knows the rhetoric, knows what should be done. The difficult
part is making it happen or making a difference in how things are. This is a difficult area
to address because there is a definite feeling that industry doesn’t want the government
"Big Brother" watching over their shoulder or telling them what to do. The same
problem exists in the private sector where individuals do not want their freedom
compromised.
         I wish to address the portion of the draft that deals with home users in the public
sector. The draft talks about home systems and the need for personal firewalls. When I
conduct security awareness training for our employees, I include information on the need
for personal firewalls and current virus protection. This not only holds their attention
because it is something they can take home and use themselves but it helps secure
personal computing resources. But let's start with the basics and limitations impacting the
common home user.
         Home users are encouraged to download security patches from software
manufacturers. This is not as easy as it sounds on a slow dial up connection. On a
personal basis, I have tried to keep up with security patches on a home Windows 98
system. Patches generally take a minimum of 30 min and often require the connection to
be left to process overnight. In January of 2000, I was forced to reformat the hard drive
and start all over with upgrades. Eventually, Microsoft changed their software so that
scripts which check for needed patches no longer work on my system. All efforts to
delete and install the new scripts have failed. I have some technical expertise but not in
the Windows 98 environment. To circumvent this problem I plan on ordering a service
CD from Microsoft. If I use a Netscape browser, information or even the existence of
this capability is not to be found. Using IE which has severe security vulnerabilities, I
was able to find contact information on how to order a maintenance CD. I’ve yet to order
the CD so I don’t know the cost.
        Educating home users would seem to provide the most benefit for the money
spent. Educate the public on the vulnerabilities they are exposed to. This is something I
present in security training programs I’m involved with. I believe it is easy to make a fair
case for individuals with high speed connections but many feel "why buy a $50 lock
when I have nothing to steal." High speed connections become attack tools for hackers.
How do I quantify the damage of slow dial up connections that are only connected as
needed? I would like to suggest presenting a 60 minute "Personal Computer Privacy"
session once a quarter on national television. Show the dangers of Trojans, worms,
viruses and the current crop of home computer vulnerabilities. I and members of my
ISSA chapter would be happy to help come up with the topics to be covered and take part
in the presentation if the opportunity presented itself.
        Also provide a website with useful URLs of tools home users could use to check
the status of their systems. Telling non-technical people to install a personal firewall or
run anti-virus software, may cause concern but probably no action unless their system is
compromised to such a degree that they notice it. A URL to check for Trojans, worms, or
viruses even if it only provided trial software or performs the check from the Internet
might increase home security.


Section R4-14: A voluntary, industry-led, national effort should consider developing a
clearinghouse for promoting more effective software patch implementation. Such an
effort may include increased exchange of data about the impact that patches may have on
commonly used software systems, including, where practicable, the results of testing.

Section D4-21: How can industry be encouraged to incorporate appropriate privacy
protections into their planning and products, using flexible, non-regulatory approaches?

Comment: The Report provides numerous examples of how catastrophic Cyber crime
attacks can be on the American industrial, educational and Federal infrastructure,
however it seems to ignore the speed at which terrorists and cyber criminals operate.
Given the drastic impact on society and business that a successful, large-scale attack
could incur, my comments are focused on two activities that are referenced in very
general terms in the report (section R4-14 and D4-21).

Concerning Section R4-14: NIST, or another standards setting agency, should be
designated as the official security validation source for all commercial Operating system,
email and network operations and management software sold to individuals, industry and
government. This agency would check all releases of software for compliance with
minimum security standards for user privacy, data encryption, user authentication, and
network integration. Software that does not meet these minimum standards would be
certified as "compliant" or "non-compliant." The software would display the appropriate
designation during installation and operation to provide user/owner assurance that they
had purchased and/or installed the correct version of software. Regardless of certification
level, all software could be legally sold by its developer, but market preference for
"compliant" software would probably drive increased sales for that product. No
government laws or regulations would need to be changed to permit this scenario to
occur, and the decisions on minimum-security standards could be developed through
current committees and agencies.

Concerning Section D4-21: Given the continuous increase in sophisticated cyber attacks
by groups intent on committing significant damage to American society and business, it
makes sense for the Government to immediately (i.e. next six months) provide tools and
expertise on the scale of a "Manhattan Project" or "Y2K Project" to the public, to
industry and to all levels of local, state and Federal Government. Given the sluggish
economy, funding for all IT projects – even important ones – has been cut to the bone,
and without some assistance from Federal sources, investment in upgrading security
software and systems will not occur for several more years. This delay provides a long
window of opportunity to plant Trojan Horses, worms, viruses, and trap doors in non-
obvious systems and software that can be accessed in the future.

Initiating a highly focused, and media promoted, support campaign to install security
patches, close trap doors, and clean up worms, viruses, and other dangerous programs on
computers used in academia, business and government would go a long way towards
securing the nation's computing infrastructure. Using a mix of government, private and
academic centers of expertise, software patches and self-installing tools could be created
and distributed for free through the Internet and with commercial software application
modules. Being able to obtain these certified and reliable tools for free would greatly
expedite their acceptance and operation, thus closing a window of opportunity that now
exists.


Free time is extremely important and for many, they simply don’t want to spend their free
time trying to secure their computers and home networks especially when computer
security isn’t their expertise or their interests. Worse, many think that computer security
isn’t their problem and that security simply slows their productivity.

I believe by making security as simple as possible for home computer users that it doesn’t
take great effort to make their computers more secure. Very simple ideas can go a very
long way by saving time and effort by limiting the need of searching online security sites
and purchasing security books.

Level 1

R1-2: Antivirus products are often confusing for the everyday user. These products are
often misconfigured and virus definitions not updated. There are options for Download
Scan, Email Scan, Internet Scan, and System Scan all within a single product. System
Scan may be the only thing enabled leaving Internet browsing activity, Emails, and
Downloading activity all wide open for viral infections. Below are some ideas that can
immediately help these users:
There should be an easy setup process or a wizard that will help these users for different
types of configurations (i.e. Corporate, Home, No Fear, & Paranoid auto-configurations).
The idea is to have a basic wizard install that will auto-configure for their settings.

It would be very nice if these virus and firewall manufacturers will allow us to create
"Templates" of our current configurations that we can email to others that they can
simply "double-click" and have their configurations automatically set up.

There should be a webpage devoted to securing computers properly at the manufacturers’
websites with plenty of pictures and easy to follow directions. The skimpy manuals users
currently receive require a power user with previous knowledge of virus products to
securely and properly configure this software.

Antivirus software can be created to look like most firewall software settings. A quick
and easy "Settings Bar" that you can drag back and forth for "No Protection, Minimal
Protection, Medium Protection, High Protection, and Paranoid."

Without these features, users sometimes disable their products just so that they can
download a file from the Internet that their security software doesn’t allow them to
download at the time. Or they want to install software that requires that they disable their
antivirus software. Once disabled, some never get around to re-enabling it or perhaps
worse, they don’t re-enable properly under the impression that they’re protected,
therefore, more likely to install apps off the Internet while unprotected.

R1-3: We need Anti-spam laws to free our time, free time that can be much better used
elsewhere, like security. With less clutter, people can spend more time in taking
precautions when they receive email that seems to be a little abnormal. With more free
time people can make more effort to contact the person that sent the original email
message to confirm its legitimacy.

Some security professionals believe that most home and business users, and ISPs, are
victims of active content exploits. Aberdeen Hurley said, "These new software exploits
are largely unchecked, unseen and unknown." He says hackers often use active content to
grab e-mail addresses when people preview spam and believes the exploits are already in
widespread use for everything from electric reconnaissance to cyber-terrorism and
identity theft.

We can also benefit from outlawing the use of cookies. Cookies on the Internet are often
misused by using them to build web browsing profiles,

R1-4: Many households now have more than one computer. Instead of throwing away
the older computer that can no longer run the newest games or latest updated
applications, these computers should be kept. If possible, Internet users should have a
single, old PC just for browsing the Internet and for email. The Internet computer should
have all the updates, antivirus, and firewall software. This PC should contain no personal
information.
Also, this computer should have its firewall software set up to block all ports except for
outbound port 80, denying inbound port 80. This way if someone’s PC is compromised,
only one or very few ports are available for the malware/Trojan/virus. The exploit would
have to find an open port that it can use, and somehow conform to the protocol on that
port.

Level 3

R3-3: They say that the "Cyber Policy" lacks teeth. Perhaps corporate incentives will
help take a bite out of crime. The government should be aware of this fact: "A recent
study by UK-based managed security services provider, Activis, highlights the reality for
IT administrators. The study indicates that a company with an infrastructure of nine NT
servers and eight firewalls, for example, would have needed 1,315 updates during the
first nine months of last year. That works out to five updates per working day. Not to
mention having to manage 500,000 log entries every day, the study adds."

Consider all of the different hardware, software applications, and operating systems in
every computer, server, and device that you are responsible for. It is unlikely that
security is the network administrator’s top priority. Top priorities are not with corporate
security. Priorities are often mandated by the fact that the admin needs the job and is
more worried about other issues that are far more important to most companies.

For example, server up-time, reliability, fault-tolerance, fault-prevention, and disaster
recovery are all extremely important. This requires updating device drivers, disk drivers,
firmware updates, BIOS flashes, software patches, OS patches, fixes, and service packs
of all installed software, hardware and operating systems. All of this equates to very little
time for security for someone that wears many other hats.

It is to the best interest to everyone if companies place a higher priority on hiring security
professionals. Perhaps incentives could come from vendors. If the customer’s
employees are certified in their products, they can cut a better deal on licensing knowing
they’ll have to provide less support since the company has employees that have passed
the vendor’s security certifications.

One way to help companies become more security-aware is by offering tax incentives for
the 1st year or two for hiring a certified security professional while employed full-time.

R3-17: All email server software should come with an easy option to stop spam by
preventing SMTP relaying. There are many SMTP applications out there and the
majority of them do not have SMTP relay disabled as a default. As a precaution, this
software should come secured against message relaying by default.

When a company unknowingly has an SMTP relaying server on their network, it causes
many problems, for example:
- The company itself will receive huge amounts of flame mail from those that
  have the technical skills to trace the email to their servers.
- The company will most likely get black-listed. This is bad news for a legitimate
  company. When a company is black-listed, many anti-spam and some ISPs
  download daily a list of IP addresses that are known for spam. When this
  happens, these ISPs and other organizations will not accept email from this
  company. With their email receiving bounce-back error messages, companies
  lose time and money as they try to correct the problem. It can take weeks and
  sometimes much longer for a company to get off all the black-lists on the
  Internet.
- The company's bandwidth will spike and so will their server resources as their
  email server is being used as a spam relay.
- The company's reputation can be ruined.

D3-1: Yes, Federal agencies should be required to comply with a maximum time limit for
implementing patches for known vulnerabilities. Police officers are required to extract
their weapons within a time limit, vehicle airbags are required to deploy within a time
limit, and Army’s 82nd Airborne is required to be able to jump into any country within a
given time limit ... why is this? Simply put, time limits are in place to save lives. How
many more lives depend on the security of our Federal computers?

Furthermore, service packs, patches, hotfixes and more should be spot-checked by an
appropriate unbiased agency to ensure compliance.

Level 4

R4-3: To be a part of this "Code of Good Conduct" group, there should be some type of
incentive. There should be a "Code of Good Conduct" logo that can be placed on the
companies’ letterhead, websites, business cards, etc. This may help companies and
organizations participate if they get a return on the investment of time and effort they will
have to place into this group.

R4-13: Businesses selling wireless devices should ship their wireless products with a
warning label on it stating that data can be intercepted and good security should be used.
It should warn the purchaser of the possibility of losing proprietary information or easily
creating a new vector of attack. Furthermore, a document or sticker with a website the
customers can go to for the most current security information on the product they just
purchased. A sticker on the device would be preferred as it would follow the device
wherever it may go. The site should have information regarding the most updated step-
by-step procedures to secure their wireless device and links to hotfixes and updates.

R4-17: Cyber Laws should be plainly written out and accessible for each state from a
central location. A centralized webpage containing links to each state’s Cyber Laws
would aid companies who wish to prosecute criminals. Each state should have a clear-
cut law regarding spam, what is considered hacking activity, etc. Many still don’t know
what personal information is considered personal while using company computers and
company email servers.

By knowing this, security professionals and lawyers will find the resources necessary to
create proper company policies without worrying about lawsuits. Many companies do
not create policies simply because they fear they may be breaking the law themselves.

R4-19: The programs should be accessible to all, not just those with low-income or
specific age groups. These programs should also include Cyber-law for lawyers that
want to specialize in computer crime.

R4-32: Fear of lawsuits can and does impede the right to secure our own computers.
When someone asks a friend to scan his server/network/pc to check for vulnerability, it
would be to the best interest of small businesses and home users that the penetration
tester not get sued by the ISPs. I have read about someone who got approval to scan a
company’s network. The company had both requested and approved that their network
be scanned, however, that company’s ISP took the pen-tester to court because the
scan/attack traversed their network. Personally, I have had numerous companies and
friends ask if I can test the security yet I fear doing so from home because of this single
issue. It needs to be plainly written what the law is in each state. Are we allowed to scan
someone’s IP addresses/network when given permission to do so? Hackers know your
weaknesses, shouldn’t you?

D4-8: Create a security certification for programmers, for example, "Secure
Programming." Also, perhaps security basic courses for those in the CIS and MIS fields
of study as one of your core studies before obtaining your BA.

D4-18: There is a gap between our country’s states in what is considered cyber crime.
The implication of this is confusion. What policies to create, what agency should be
contacted when a cyber crime has been committed?

Is the agency you’re contacting competent? Will the agency do more damage to your
network and company name than the hackers themselves? Many companies in Silicon
Valley alone do not contact law enforcement because they can’t afford to have their
servers whisked away without the smallest idea when and if they’ll ever see it again.

Many other companies believe that these specialized task forces aren’t even interested in
smaller cyber crimes unless they're high-profile cases, either due to lack of care or due to lack
of staff. Either way, there’s not much confidence in law enforcement.

A quick example of this is the Sacramento High-Tech Crimes Task Force. They have
taken a personal computer away to investigate the PC and the computer was never
returned without any evidence or crime.

D4-2: Routers and many other devices can be automatically updated through
technologies like Blue Iguana. These encrypted updates will make updating much easier,
therefore, most likely to be implemented.

D4-27: Install more echelon servers
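The R3-17 comment above argues that mail server software should refuse to relay third-party mail unless the operator has explicitly allowed it. The following is an added example, written for this commentary and not taken from the ISSA response or from any mail server product, showing the "open relay" default beside a default-deny relay policy and how each treats the same constructed set of SMTP sessions; the domain names, the trusted network 192.0.2.0/24 and the client addresses are all constructed from RFC 5737 documentation ranges.

```python
"""Relay-policy check for an SMTP server (added example, not project code).

The policy answers one question per RCPT TO: is this server willing to take
the message at all, and if the recipient is not one of its own domains, is
it willing to relay it onward?  A default that says "yes" to everyone is the
open relay the R3-17 comment describes."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class RelayPolicy:
    local_domains: frozenset          # domains this server delivers locally
    trusted_networks: tuple = ()      # CIDR strings allowed to relay outbound
    relay_for_anyone: bool = False    # True reproduces an "open relay" default

    def decide(self, client_ip: str, authenticated: bool, rcpt: str) -> str:
        """Return 'accept' (local delivery), 'relay' (forward) or 'reject'."""
        rcpt_domain = rcpt.rsplit("@", 1)[-1].lower()
        if rcpt_domain in self.local_domains:
            return "accept"           # inbound mail for a hosted domain
        if self.relay_for_anyone:
            return "relay"            # open relay: anyone may send anywhere
        if authenticated:
            return "relay"            # SMTP AUTH succeeded for this session
        ip = ip_address(client_ip)
        if any(ip in ip_network(net) for net in self.trusted_networks):
            return "relay"            # host on the operator's own network
        return "reject"               # the server would answer 554 here


LOCAL = frozenset({"example.com"})   # constructed hosted domain

# The shipped-open default the comment warns about: anyone may relay anywhere.
OPEN_RELAY_DEFAULT = RelayPolicy(local_domains=LOCAL, relay_for_anyone=True)

# The secure default the comment asks for: relay only for authenticated users
# or for hosts on the company's own network (192.0.2.0/24, constructed).
SECURE_DEFAULT = RelayPolicy(local_domains=LOCAL, trusted_networks=("192.0.2.0/24",))

# Constructed session records: (client IP, authenticated?, MAIL FROM, RCPT TO)
SAMPLE_SESSIONS = [
    ("192.0.2.15",   False, "alice@example.com", "bob@example.net"),    # staff PC
    ("203.0.113.77", False, "promo@example.org", "bob@example.net"),    # stranger relaying
    ("203.0.113.77", False, "promo@example.org", "carol@example.com"),  # stranger, inbound
    ("198.51.100.9", True,  "alice@example.com", "dave@example.net"),   # telecommuter, authed
    ("203.0.113.77", False, "promo@example.org", "erin@example.net"),   # stranger relaying
]


def evaluate(policy, sessions):
    """Apply the policy to each session; return the per-session decisions."""
    return [policy.decide(ip, authed, rcpt) for ip, authed, _sender, rcpt in sessions]


def relay_summary(policy, sessions):
    """Count outcomes and tally the client IPs whose relay attempts were refused.

    Repeated refusals from one client are what an operator would watch for in
    the mail log once the default-deny policy is in place."""
    counts = {"accept": 0, "relay": 0, "reject": 0}
    refused = {}
    for (ip, _authed, _sender, _rcpt), verdict in zip(sessions, evaluate(policy, sessions)):
        counts[verdict] += 1
        if verdict == "reject":
            refused[ip] = refused.get(ip, 0) + 1
    return counts, refused


if __name__ == "__main__":
    for name, policy in (("open relay", OPEN_RELAY_DEFAULT), ("secure", SECURE_DEFAULT)):
        print(name, relay_summary(policy, SAMPLE_SESSIONS))
```

Under the open-relay default both stranger sessions addressed to example.net are forwarded; under the default-deny policy they are refused while inbound mail for example.com and the staff and telecommuter sessions still go through.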


Commentary on the National Strategy to Secure Cyberspace

Overall this is a much better document than I had expected. You have covered most of
the important points at one level or another. As a starting point, I think that it does the
intended job very well, but obviously much more detailed work is needed. In the
following pages I have attempted to comment on any areas in the paper where I felt that
specific discussion was needed (with page and/or paragraph number where I felt that they
were needed for clarity). At the end I have provided a discussion on a few areas that I feel
are not touched on very well in this document and that I feel are critical to the success of
any attempts to secure critical components of our nation's cyber infrastructure.


Strategy as a Place

It should be made very clear that a strategy is a high-level statement or plan. The levels of
advice that CIOs, politicians, etc. need will not only be at this level, but, in order to be
more than just "fluff", must be detailed enough to guide courses of action at the tactical
level (e.g. real technical guidance for the implementation of multi-level security).

Strategy as a Process

p. 2 para 2
I did not see these meetings very well advertised. I am on a ton of mailing lists and saw
almost nothing.

p.2. para 5
I went to the secure-cyberspace.gov site and saw no valid info on when/where additional
meetings will be held.

The National Strategy ... Supplements other Strategies

p. 2 para 2 under the above.
A bit of a nit, but this says that the Strategy is a roadmap. Although this document is not
a bad start, it falls far short of what could be called a roadmap.

Strategy for Cyberspace, in Cyberspace

p. 2 para 1 under the above
What online version contains hyperlinks? The only online version that I found was a PDF
file (no hyperlinks). Also, the PCIS membership app would not come up on my system
(running Netscape).

Cyberspace Threats and Vulnerabilities: A Case for Action

This section makes a number of good points, especially with statements about the
government not capable of securing cyberspace alone and voluntary efforts. I have more
comments concerning these in later sections.

p. 3
Key Themes box
I think that a statement such as: "The nation's defense is dependent on cyberspace"
should be added here.

A Range of Threats

p. 4 para 2
It is especially important to identify potential attackers (and their capabilities) in the case
of foreign military threats.

National Policies and Guiding Principles

p. 7 para.2
... that requires coordinated and focused ... - add educational institutions to this list - they
will be critical players and they tend to include public and private institutions.

Embrace Private-Public Partnerships

p. 8 para 3
There is a lot of talk throughout this document about encouraging the private sector and a
partnership with the private sector. Having been involved in the private sector in critical
industries such as telecomm for many years, I do not believe that any kind of ongoing
major efforts in the area of security can be dependably sustained with financial incentives
and possibly legal ramifications. I am not a big fan of new laws and government
intervention, but look at the airline industry prior to 9/11. It was well known that security
was spotty at best, and often inadequate, but little was done about it. Why? Because it
costs money to have good security and CIOs, CEOs, etc. are not rewarded for spending
money which has an unclear payback (after all, an attack of some kind may not happen).
Until there is a solid monetary or legal reason for implementing what in many cases will
be expensive measures to improve security, do not depend on industry to give much more
than lip service to implementing real, effective measures. Some portions of some
industries will take steps to improve the current situation, but ongoing, truly effective and
evolving measures may require financial incentives and legal actions. As for incentives
that the market provides (under Avoid Regulation) these would be my choice, but I doubt
that it is realistic to expect much from them.

Designation of Coordinating Agencies

p. 9
From working on cyberwarfare issues with a government contractor I have come to
believe that there are too many overlapping government agencies all trying to
"coordinate" things and produce guidelines, rules, accreditation requirements, etc. There
are simply too many "paper pushers" as it is. There is a need to consolidate and clearly
identify areas of responsibility and eliminate overlap which is wasteful of the taxpayers’
money and counterproductive. An effort to identify and eliminate redundancy is needed
early on, otherwise much of the good that could come from these efforts will be buried in
the bureaucracy graveyard.

Guiding Strategic Principles
p. 9
A key point that is mentioned many times but cannot be stressed enough is: education,
education, education.

Highlights

Strategy

p. 11 para 2
Under the six major tools listing:
How about, "determining/evaluating the security weaknesses of Operating Systems,
Applications, etc." It seems that a certification of some level might be useful. Whether
this should be included here or in another section is up to you.


LEVEL 1: The Home User

p. 15
It seems that it is critical that the home user receive proper documentation concerning
security with each computer purchased. It might be worthwhile urging suppliers to
include security packages, including simple tutorials with each computer. Inexpensive
upgrades for virus checkers and the like would also be worthwhile. Given that some of
this is already being done, a bit of a nudge from the government might help to improve
things just enough to be really beneficial. Some good points on this are included in this
section. Remember that it is the kids who are often on the computers the most, so security
education targeted at ages 8 or 10 to 16 may be productive.

Discussion of Strategy

p. 16
In general there should be some concentration on working with ISPs to help ensure the
protection of their users. Education and adoption of secure processes and procedures will
vary greatly with the end-user. Moving a step up to the ISPs themselves may provide
more bang-for-the-buck. A security practices scale of some sort could be developed,
where ISPs voluntarily undergo testing/certification and a security rating is awarded
based on how well they help their customers enhance security.

p.17
In general I believe that working with service providers is critical here. Other than that,
low cost security software packages and help/education are also important.

R1-4 and R1-5

Costs and problems with updates causing other software to malfunction will make it hard
to force updates. Manufacturers must get their acts together in this area. The biggest thing
driving many machine updates is newer versions of applications that do not work
properly on old software and, of course, games. A big problem has been that updates and
new applications, all too often, have not been properly tested for security holes. Most
programmers have little or no training in how to write secure software. This is an area
where education might help.

Programs

Why do we have a cybercrime role for the NIPC, for the DOJ, for the FBI (in addition to
work done in other parts of the DOJ, in the FTC, etc., and also scattered throughout other
government agencies)? It seems like the taxpayers' money could be better spent with some
kind of consolidation.

D1-2

In a country where parents and children often do not seem to communicate very well, this
area seems a bit naive. It is worth a try, but don’t expect a lot. If you want to get children
interested in security, work with game developers to see if a security theme, or some
extra bit of education in this area, can be incorporated into games.

LEVEL 2: Large Enterprises

p. 19
There are some good points here, but an injection of reality is required. Given the
questionable behavior of corporate boards, CEOs, CFOs, and other officers of major
companies, do you really think that voluntary compliance will do the job? Company
boards and officers are judged on how well the company stock performs. Security costs
money. Adding security means that profits, at least in the near term, will generally
decrease. Until corporate officers are truly held responsible, probably through laws or as
the result of lawsuits, don’t expect much more than a bit of a show here. I have worked
with European based companies on security (among other things). Privacy laws in
Europe generally allow corporate officers to be held responsible for privacy breaches. As
a result, security is taken more seriously at high levels in the companies as part of the
overall response to the need to ensure privacy. I hate to suggest more laws, but, at least
for companies that play critical roles in the ability of this country to defend itself and
prosper, laws, with real teeth in them to hold boards and corporate officers responsible,
may be required.

p. 20 para 2
Here's still another government office. Can you say "Consolidate"?

A Corporate Security Council is a good idea.

A.C.T.I.O.N.S

Some good points are made here. The problem lies in the combination of lack of
expertise and cost. When it really comes down to it, companies have historically been
hesitant to pay the price for such expertise until after something drastic happens to them.
In addition, the systems and software required, the planning and implementation costs,
etc. can be high. Some kind of incentives will surely be necessary.

Under the S, Smart procurement. How is a company to know if a product that it buys is
really secure? Security is often advertised much more than it is delivered. How secure is
the operating system that you have sitting on your desktop machine right now? (Hint: If it
isn’t open enough for it to have been reviewed by experts throughout the country and the
world, it just may not be very secure, despite whatever hype has been peddled with it.)

p. 21
Instant Messaging is just one of the newer applications or technologies that pose a threat.
I notice that you discuss wireless networks also. In general, new technologies must be
evaluated for security issues, just as they would be for other operational issues.

Insider Threats

This is a critical area that I will discuss in more detail below. The potential threat due to
the large number of foreign workers in various technology industries must be adequately
addressed.

Recommendations, Programs and Discussions

p. 22
There is one theme that must extend across all areas, especially when dealing with large
enterprises. Who is responsible? Without clearly stating responsibility, do not expect
much real, useful action.

Level 3: The Federal Government
A lot of good statements are made in this section. Overall, some government
organizations have made great strides in security, but having worked for a government
contractor recently, I have a few overall observations:

Bureaucratic red-tape and obfuscated hiring practices seem to run rampant throughout the
government. In everything from hiring to the freedom to express contradictory or new
ideas, to the very mentality that drives many government agencies, change and the ability
to respond to anomalous events is hampered by the very structure of the institutions. If
those who wish to attack this country can change and adopt faster than we can, we may
win some battles, but we will eventually lose the war. No government or other large
enterprise can succeed if its very structure resists change to any large degree. Mandates,
dictates, laws, etc., although necessary in some places, cannot work alone. A culture that
rewards new ideas, even when sometimes radical, provides for flexibility where needed,
and protects those who raise issues or identify problems, is required for ultimate success.
Do you really think that the current government structures support this?

Do you wonder how serious government agencies are about cyber security? Ask the FBI
if it has hired more law school graduates or more technical school graduates over the last
year. Ask how open government agencies are to help from citizens who have the very
expertise that is needed. Ask if government agencies (federal, state, and local) are even
responding to citizens who volunteer their help (my experience is that they aren’t very
often responding at all). The government must work with its citizens to ensure adequate
cyber and infrastructure protection. The answer is not dozens of more government
agencies, spending billions of dollars, so that a lot of additional hot air and paperwork
can emanate from Washington. By the way, from what I have experienced from the
Infragard people that I have spoken with, it looks like there is at least a good start toward
getting companies and individuals involved in this area. Keep up the good work in this
and do not let it fall by the wayside.

As I have stated earlier, laws are needed, but your emphasis on education is just as
important. For education to work, there must be incentives, with grants, scholarships,
etc., being one place to start.

This section makes many good points and the key will be follow-up. Managers in
government positions must be held responsible for security. Security must be more than
filling in the proper paperwork (too many government and contractor "security experts"
are really paperwork experts), and it is critical to leverage off of the work that has been
done in some industries (banking for example) to really make a difference.


LEVEL 3: Private Sector p. 35 - 37

The major industries of this country are extremely vulnerable. In many cases they are
also critical to the security of this nation. Partnerships, and federal, state, and local
support for protecting these industries are all important.
p.36
An idea that seems to be prevalent here is that each industry has some large number of
security issues that are unique to itself. This is simply not the case. It is important to
understand that there are probably many more R&D challenges that overlap industries
than there are unique challenges in particular industries. For the sake of temporal needs,
efficiency, the best use of technical expertise (which is often in short supply), etc. it is
critical to identify these overlaps. I think that the idea of an ISAC is good, but not one per
industry. Leverage the work being done in places such as Carnegie-Mellon for an overall
ISAC, and then, as necessary develop smaller, focused centers, for any industry specific
issues. The bottom line is to consolidate wherever possible.

There is a shortage of real experts in cyber security. I mean those who really know the
technology down to the detailed level necessary to fix some core problems. I recently
inquired about a security position that I saw advertised from a major supplier of security
consulting. It quickly became clear that they were much more interested in a sales person
rather than someone who really knew security in depth. As more engineers get interested
in the security field, more true experts may be available, but even the courses that I have
seen in many colleges are more geared to providing an overview, or a manager level of
knowledge (which does have its place), than to providing the in depth knowledge
necessary to engineer security into systems and products.


LEVEL 4: National Priorities p. 39-44

Securing Shared Systems
You might want to add a heading on p. 40 for this. The copy of the paper that I have
seems to have omitted this. Also, an introduction here that explains exactly what you
mean by shared systems might be useful. You seem to jump right into the internet, and
shared systems can mean different things to different people.

p.40 para 1 - list
Network product manufacturers are already moving ahead fairly well in improving the
security and (at least to some degree) the resilience of key internet protocols. Work on
IPv6 is a major example. The same is true in the area of increasing router security, and
identifying internet technology needs. It would probably be worthwhile to establish best
standards, practices, etc. and publish them, but the real problem is not so much the state
of the technology, or even of security standards and policies. The real problem is the lack
of implementation. The technologies available must be implemented, by those who are
knowledgeable enough to use them properly. This is not yet happening to a large extent.
For example, in many companies, who is assigned to jobs of admin (the first line of
defense) or network installation? It is often the person at the bottom of the totem pole. I
was recently asked if I was interested in a job monitoring the operation and security of an
absolutely critical system of government (DoD) computers. Salary range for this: in the
$40s (I’ve seen even lower). The old adage of "you get what you pay for" comes into
play here.
It is the implementation that is most important, and if that is not clearly understood, and if
government and industry is not willing to put out the bucks to ensure that top-notch
people are doing the implementation, then establishing all of the standards, saying all of
the right words, and doing all of the research in the world to improve protocols and
equipment, won’t really matter much in the end.

There are a lot of good statements on pps. 40 - 44. Here are some general comments:
As I have stated earlier, success in security will depend not only on education, research,
and awareness, but also on making it clear who is responsible for making real security
happen. Educating users, managers, and other decision makers (and especially money
allocators), in the costs of security breaches is extremely important. Calling on
patriotism, and the idea of helping to defend the nation is also useful. In many cases
though, it may be necessary to provide some form of legal recourse where actions are not
taken to protect critical areas. Under the SCADA section, the comment that "security
requires investment that companies may not be willing to make" is absolutely true, but
not only for this section, rather throughout the entire document.

Suggestion: To try to foster voluntary cooperation, put together a paper with stories of
how lack of security or poor security (or redundancy or disaster recovery) focus and
implementations have cost companies. I know of some examples.

Training and Education p. 42
You are correct that the investment in training has not kept pace, but schools were
starting to get more students interested in engineering prior to the latest economic
downturn, and what did Congress and the Government do? Instead of favorable tax laws
and incentives to help graduate more American engineers, they opened up the flood gates
to foreign engineers, allowing more and more foreign workers (H1B visas, etc.) into the
US with minimal background checks (with the urging of industry). Let’s get one thing
absolutely straight, our Government has been part of the problem for years, rather than
part of the solution. See my comments on concerns about foreign workers at the end of
this paper.

Under the list after para 3:
There are some good ideas here, but remember that recruiting people into IT
security career fields will depend on the availability of reasonable jobs in these areas.
Given that many areas of the technology sector are hurting, this will not be easy. How
about a program that takes out-of-work engineering professionals and provides them with
extended unemployment (without the state-by-state gimmicks) while they train as
security professionals?

Certification p.42

I believe that there are some real problems with some of the certification programs out
there. Some seem to be more designed to make money for various groups and
organizations than to provide the in-depth knowledge needed for all but the most cursory
of security jobs. I can at least say that they help to improve security awareness by making
people study for tests, but given the number of ads for 5, 10 or 15 day "boot camps" that
teach you how to pass various tests, how can most of these certifications be considered
much more than a first step? Also, have you seen some of the ridiculous costs of some of
the tests and courses in this area? As long as the economy was good, and companies were
willing to pay the costs of education and testing, maybe this wasn’t much of an issue, but
in the current situation it could well mean fewer people even bothering to learn enough to
take the tests.

Cybercrime p.42

Again you have made some excellent points. How will you empower Federal, State, and
local law enforcement? A police officer generally makes much less than a computer
expert, and although some officers have learned on their own and have been sent to a few
courses, there is the real problem of cost. To really learn enough about computers to fight
crime, especially at the state and local levels, I suggest a new type of police position:
that of Cybercrime Investigator. The goal would be to recruit computer and telecomm
experts. The problem is that this is not how most police agencies operate. As someone
who has seriously considered police work (my son is a Police Officer) I was amazed at
the process that police applicants go through. It is generally archaic, makes little or no
attempt to determine possible areas where the candidates might have background or
expertise in technical areas, and seems targeted at recruiting those who will be willing to
spend years working jail duty or patrol before doing anything else. This is not the type of
environment that attracts or keeps the kind of technical experts who would be best at
fighting cybercrime. Police positions also tend to have more than their share of "politics",
as do many State and Federal positions. These types of things will have to be dealt with
to succeed in anything other than a "spotty" way. Note that there are some exceptions that
could be studied, such as the work being done in and around the Silicon Valley area to
combat cybercrime.

Market Forces p. 43

I agree that it would be best if the market drove the demand for security. The problem is,
in most cases, what incentive is there for this to happen? Good security takes time and
money. Company management is all too often driven by (and rewarded based on) short
term profits, short term fluctuations in the stock market, and whatever the latest
buzzword seems to be.

Developing National Plans and Policy p. 43

A key operation that must not be omitted is that of expending the proper effort on
vulnerability analyses. This is an area where the government could really help. A section
on this should be added somewhere, if not here.

Continuity of Operations, etc. p. 43 - 44
There are some good comments here, and this is a critical topic, but I think that the lead
role will have to be taken by the Federal Government (I would rather that this wasn’t the
case). Any planning will have to recognize this and make adequate provision to recruit
and develop the necessary expertise to ensure that this is done properly.

National Security and Interdependency and Physical Security p.44

I could write for days on these areas and still not cover them completely. A true, detailed
vulnerability analysis should be conducted. I don’t mean just an overview. I mean
something that covers all aspects of the potential threats to this country and its strategic
infrastructures, even in areas that may be politically touchy (e.g. immigration issues,
trade issues, etc.). See my comments at the end for more.

Agenda pps 44 - 47

There are some excellent ideas, comments, etc. here. I would like to be involved in
discussions in some of the areas here. Since my time is limited now I will leave it at that.

LEVEL 5: Global

Working globally will be critical to the successful tracking, identification, and
prosecution of cyber criminals, but what about those who are sponsored by governments?
This is an area that will need a lot of work, but at least you are attempting to address the
reality that we are dealing with an international problem here.

General/Additional Comments

I believe that there are a few critical areas that have been, at best, barely mentioned in
this document. Here are my comments on these.

The issue of potentially hostile or criminal foreign workers in key positions within some
of our major companies must be addressed. I have worked with many foreign workers
throughout my career, including many from China, India, and most Middle-Eastern
countries. I believe that most would not do anything to attack this country, but not all of
them can be guaranteed to feel this way. I have worked with more than one foreign
worker who has expressed anti-American sentiments. I don’t doubt that there were more
that were anti-American, but kept quiet about it. If we do not address the very real
possibility that persons who are hostile to this country are working in industries that
supply critical cyber components to other industries and to the US government, then all
our work in other areas may not be adequate. Does anyone doubt that the Chinese (who
must be considered our biggest potential cyber attack threat), radical Islamic
organizations, criminal organizations, etc. have people working in critical areas in Silicon
Valley, Redmond, Portland, and probably Washington, DC? The biggest danger is that
which is internal, and this particular aspect is definitely not stressed enough in this
document.

Additional Commentary:

Having been a senior level engineer and engineering manager in more than one US
fortune 100 company, I have seen foreign workers hired into positions instead of
qualified American workers, with the only reason, that I could see in some cases, being to
save a buck. How will you deal with this, when some of our most critical industries have
foreign workers in positions where they can affect the security of those industries and
others? To ignore the possibility that some, even if only a small percentage, of these
people are enemies of this country is to ignore reality. I believe that the decisions to
increase the number of H1B visa workers were not well thought out. Our Congress gave
in to hype from big business at the expense of American workers. We should be working
to ensure that we produce enough skilled engineers to do the work required by our
businesses. I have seen American engineers, with good skill sets, bypassed for foreign
workers. It is true that some of these foreign workers are very good engineers, but the
goal of our government should be to improve things for our citizens. If this means
providing incentives for training and development of a sufficient American work force,
then this is what we should be doing. I am not against immigrants coming here and
working (my wife is an immigrant), but given recent events, the emphasis should be
given to improving our own abilities, rather than importing expertise that may be used
against us. Educational grants, tax incentives, etc. should be used to help develop the
skilled base of experts needed to ensure that we can secure our major industries and our
government organizations.

Security of Products:
You have touched on the issue of the security of products purchased by the government
in the "Federal" section; here are my comments.
US Government agencies and the DoD are constantly upgrading their systems and
software. How well is this software analyzed for back doors, software "time bombs", etc.?
Software systems that are proprietary and not subject to scrutiny from the software
community at large (as most aren’t) may be disasters waiting to happen. Systems that are
overly complex or where constant, unevaluated (for security) upgrades are being made
should be considered as questionable. Systems where everything is an add-on must also
be considered as problematic until proven otherwise. Consider the source for all critical
systems. Does the source have a history of providing real (not hyped) security? Is the
source open to timely testing of its products for any security issues? Is the product
supplied overly complex, with massive amounts of code that seems to constantly require
upgrading (and updated hardware just to run the basic operating system)? All of these
must be considered, both by industry and government when making purchases.
Companies supplying systems should be willing to open up their products for scrutiny,
and should not try to hide problems when they occur. This includes OS and applications
suppliers. Think about this, and think about how decisions are made concerning the
implementation of new OS products and applications.
