The following text is copyright 2004 by Network World, permission is hereby given for reproduction,
as long as attribution is given and this notice is included.
If it had teeth it might bite someone
The National Cyber Security Partnership just released the first two of a planned five reports concerning
various aspects of cyber security.
The reports are not all that bad but I'm having a hard time not
dismissing the whole effort as a cynical effort to avoid facing up to reality.
The National Cyber Security
Partnership (NCSP) (http://www.cyberpartnership.org/) is an outgrowth of the
December 2003 National Cyber Security Summit that was convened in response to
last year's National Strategy to Secure Cyberspace
(http://www.whitehouse.gov/pcipb/).
All of the press coverage that I have seen about the two new reports
says that NCSP was created to forestall governmental regulations in the area of
computer and network security. It's better to voluntarily offer to do something
not all that hard than to be forced to do something quite painful. Maybe the powers that be will be
satisfied, at least for a while, and forget about this particular problem.
The first two reports are "Awareness for Home Users and Small Businesses"
from the "Awareness and Outreach Task Force," and "Cyber Security
Early Warning" from the "National Early Warning Task Force." To
be published late this month or early next month are reports from the "Technical
Standards and Common Criteria Task Force," the "Security Across the
Software Development Lifecycle Task Force" and the "Corporate
Governance Task Force."
The "Awareness for Home Users and Small Businesses"
(http://www.cyberpartnership.org/init-aware.html) report recommends a bunch of
things targeted at educating and helping home Internet users, big and small
businesses, schools and governments (other than the federal government) by, for
example, developing a "cyber security toolkit" for home users, and
designating September 2004 as "Cyber Security Month" to try to get
the attention of the CEOs of large enterprises on the cyber security problem
(assuming, I guess, that these CEOs have been in caves for the last few years).
The "National Early Warning Task Force"
(http://www.cyberpartnership.org/init-early.html) report recommends
establishing yet another fail-safe "national cyber security early warning
contact network" to "broaden the horizon of shared information
regarding cyber security vulnerabilities, exploits and incidents, to facilitate
the process of information sharing and to provide a facility for the rapid
dissemination of critical information, all within the framework of a
vetted trust community." In other words, tell some selected
people when there is something wrong.
In and of themselves these reports are fine and seem to represent some amount of
thinking on the problems. The
reports may accomplish the apparent underlying goal of the NCSP and keep
Congress from creating a legal requirement for vendors to pay attention to
security (one of the critics of the reports compared such a requirement to the
federal mandate for seat belts in cars).
Voluntary efforts are fine and often can bring positive results but
there is little that would focus the corporate mind better than being told that
they would be liable for any damages their customers suffer because of software
failures. There is at least one place that could happen today. If the software in a car's control
computer goes wacko and the car crashes as a result I would doubt that a court
would accept a shrink-wrap license liability disclaimer. But apparently applying the same rules
to computer operating systems would be too logical.
disclaimer:
Come to think of it, I expect Harvard would not want the same rules to be
applied to educating students, but I did not ask and the above ramble is mine
alone.