The following text is copyright 2004 by Network World; permission is hereby given for reproduction, as long as attribution is given and this notice is included.
Patching yesterday's holes?
By Scott Bradner
There is hardly a dearth of groups worrying about cyber security. Yet another report on the subject was released in early April by yet another group few people had heard of. The new report has raised eyebrows by saying that buyers should be able to say that they want vendors to offer secure systems.
Last month I wrote about the purposely toothless recommendations that the National Cyber Security Partnership (NCSP) is in the process of releasing (since that column they have released an additional report that fits the same mold as the previous two).
(http://www.nwfusion.com/columnists/2004/0329bradner.html)
The new report is from a group called the "Corporate Information Security Working Group" (CISWG) that was established late last year by Congressman Adam Putnam (R-Fla.), Chairman of the Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census. The working group was established in lieu of introducing legislation, strongly opposed by the business community, that would have forced publicly traded companies to include a report of an information security audit in their annual SEC filings. I guess the business community was worried that such audits might reveal that corporate indifference to information security issues is far too common a condition for comfort. I guess the threat of the truth can make some people nervous.
The CISWG report consists mostly of four lists of recommendations and some supporting information (including a quite good list of information security-related references).
(http://reform.house.gov/TIPRC/News/DocumentSingle.aspx?DocumentID=3030)
This set of recommendations, if fully implemented, might not be quite as toothless as the NCSP recommendations. That might or might not be a good thing.
The Awareness and Education Recommendations suggest developing materials that would make it clear to home users, and to people in small and large businesses, including corporate executives, that information security is good stuff.
The Best Practices Recommendations suggest, among other things, establishing an international "umbrella organization to oversee the further development of IS guidance for organizations and users of all sizes and types" with representatives from just about every walk of life. Sounds like a perfect way to ensure that nothing gets accomplished.
The Incentives-Liability/Safe Harbor Recommendations include throwing the insurance industry at the problem by asking them to "modify the degree of availability as well as the cost of cyber-risk insurance protection based on the degree that the company exercises cyber-risk best practices." This presumes that the insurance industry would be better at picking effective best practices than the high-end auditing firms have been to date, a presumption I have a hard time supporting. But making it harder for a company that does not even try to address information security problems to pass the risk of its inaction to an insurance company is not a bad idea.
Finally, the Procurement Practices Recommendations include the recommendation that has attracted the most attention from the news media. After recommending that the U.S. Government mandate minimum configuration security standards for government-purchased equipment, the working group recommends providing "an exemption from US antitrust laws for critical infrastructure industry groups that agree on obligatory security specifications for software and hardware they purchase." It seems to me that this approach is like that of the anti-virus industry - most can only fight yesterday's problem because that is all they know. They also give a good roadmap of ignored areas.
Disclaimer: Harvard does not confine history to the history department but is not constrained by it in other departments. But the university has not commented on this report.