Export Compliance Daily is a service of Warren Communications News.

CLARKE REPORT STRIPPED OF SOME GOVT.-BACKED INITIATIVES

National Strategy to Secure Cyberspace report due to be released today (Wed.) has fewer details on wireless security and tones down language in earlier version that cautioned that security gaps in 802.11 wireless networks should be plugged before secure systems were deployed. Report stresses user education and continued development of wireless security protocols. But it doesn’t contain recommendation of earlier, printer-ready draft that said while efforts continued to improve security of wireless LAN systems, “federal agencies and other organizations requiring security and privacy on their networks should either disconnect from wireless LANs or strictly limit access in a way that provides security.” Instead, final draft said federal agencies should consider installing systems that “continuously check for unauthorized connections to their networks.” Earlier version recommended federal agencies take that step within 6 months, but latest version didn’t define timeline.

Overall report is true to Cybersecurity Czar Richard Clarke’s repeated statements that Bush Administration was focused more on public-private cooperation than govt. mandates, and states clearly that cybersecurity efforts “should not involve increased government regulation or control of the Internet.” But one printer-ready draft of report circulating Tues. showed that several areas where earlier drafts had suggested govt. role had been stripped or diluted to instead encourage private sector action. Report, to be officially released today (Wed.) on Stanford U. campus, no longer calls specifically for govt. underwriting of cybersecurity software and backs off notion of govt. funding of centralized network operations center to oversee Internet, but it still calls for more R&D funding for targeted cybersecurity research.

For weeks Clarke has been circulating drafts of report among companies and trade associations, responding to suggestions from those groups. As first hinted last week by White House spokesman Ari Fleischer, report is work in progress, and Clarke said comments would be accepted at www.securecyberspace.gov until Nov. 18, 2002. (That site wasn’t functioning when tested Tues.) Our affiliated Washington Internet Daily obtained advance copy of report from industry source, with official release slated for today. Nothing in report suggests imminent possibility of Presidential Executive Order or proposed federal legislation. One high-ranking Administration official told us that while Clarke’s efforts were supported, he lacked full confidence of White House inner circle.

Concerning wireless policy, final draft said agencies should “carefully review” recent guidance from National Institute of Standards & Technology (NIST) that urged them to use caution when starting wireless networks. NIST report on security of 802.11, Bluetooth and handheld devices recommended that those systems be checked regularly for vulnerabilities and that management practices be implemented for security and user authentication. To that end, White House strategy said: “Agency policy and procedures should reflect careful consideration of additional risk-reduction measures including the use of strong encryption, bidirectional authentication, shielding standards and other technical security considerations, configuration management, intrusion detection, incident handling and computer security education.” Strategy called on both govt. and industry to promote awareness on security issues involved in wireless technologies, particularly those using 802.11b and related standards.

Earlier versions of strategy went into greater detail on potential security risks posed by 802.11, Bluetooth and grid networks. Earlier version said technology “was not intended to be deployed on secure networks, and doing so can allow unauthorized, unidentified access that result in data compromise. Though security measures can be applied to 802.11, such measures have exhibited weaknesses that need to be addressed before deploying secure networks.” While Bluetooth technology can allow for data sharing in wireless LAN, it’s used mostly as a wireless communication connection for peripheral devices, that draft said. “This technology, too, has security concerns when deployed in a network that requires data connection to remain secure.” Both Bluetooth and 802.11 can be used in ad hoc or grid networks, which strategy said had security issues that must be addressed. Ad hoc wireless networks are self-organizing, multihop networks that don’t rely on infrastructure such as base stations but involve systems in which all covered devices have their own packet-forwarding capabilities. Earlier draft said that in some cases systems entering and leaving such networks were authenticated and allowed access based on certain restrictions, but that in other cases anyone could join and interact. “This fluid environment, combined with the inadequate security of wireless technology, creates the potential for nefarious and/or damaging activity,” it said.

Final draft appeared to take a softer approach than recent comments by Clarke. At July conference sponsored by Center for Strategic & International Studies (CSIS) and ITAA, Clarke called for standards that could be widely applied to achieve higher levels of security in Wi-Fi networks, saying there now were “widespread, insecure usages.” Implications of White House strategy for pending Defense Dept. plan on restrictions for wireless devices to promote security weren’t immediately clear. Preliminary documents recently released on pending Defense Dept. policy on securing wireless networks said Pentagon planned to keep in place July 30, 2001, moratorium on installation of telecom network infrastructure to provide wireless services. Moratorium appears to stem from concern by top brass that Wi-Fi networks not be allowed to spring up in Pentagon by individuals who haven’t coordinated use of systems with others in building.

Technology that continuously checks for unauthorized connections to wireless networks is available commercially off-the-shelf, said James Lewis, dir. of CSIS’s technology and public policy program. “I don’t know that it’s particularly interesting to know how many times someone has tried to access your network,” he said. “This is more intrusion detection, so if you knew that, you would then take countermeasures.” Use of intrusion detection technology begs question of what would be used to trigger countermeasure to offset entrance attempt, he said. “It might be a way to get people to focus on whether their wireless networks are secure. And if it does that, it might be a good thing to do,” Lewis said.

“The whole report has been undergoing a process of being walked back. This is another example,” Lewis said. “That’s not necessarily bad. It’s easy to identify the problems and it’s hard to identify the solutions.”

Govt. Incentives Not Stressed

In other areas, Clarke on several occasions has resisted calls for tax breaks for companies investing in cybersecurity, arguing that it was in company’s best interest to do so, and thus they needed no govt. incentive. That philosophy appears in the most recent draft of the report: “The best way to ensure that the investment is made is for the market to demand it, rather than for government to require it.” Report suggests that “in some instances” federal govt. could be involved in funding to extent of procuring govt. systems. But in earlier draft report, Clarke acknowledges that private sector “does not invest heavily in long-term, high-risk security-related technologies, especially if competitors can easily adopt them, or if they are otherwise unlikely to generate returns that investors can capture.” Earlier report argued that cybersecurity technologies were “public goods” that benefitted entire nation. Therefore, “the government becomes the only realistic underwriter to ensure that these technologies are developed -- a need that extends beyond funding, because these technologies will serve no useful purpose if they are not adopted and deployed.”

Funding for Cyberspace Center Less Clear

Report also will call for what it terms Cyberspace NOC (network operations center), but it’s less clear on center’s funding than in previous draft. NOCs are common among Internet backbone providers -- WorldCom has large one in Loudoun County, Va., for example. Report suggests private sector could create central NOC that would work with National Infrastructure Protection Center (NIPC) and other agencies to track and remedy cyberattacks more quickly. ISPs would be leading agent in creating such a Cyberspace NOC, report said. In key clarification, latest draft says central NOC could be “virtual” in nature, that is, perhaps interconnected NOCs rather than new central facility. That approach presumably would be less vulnerable to attack and mirrors decentralized nature of Internet. As for funding, today’s report suggests federal govt. could “explore the ways in which it could cooperate with the Cyberspace NOC.” In earlier draft, Clarke had suggested Cyberspace NOC could work with NIPC and “the federal government should consider partially funding” private sector NOC.

Additional funding for R&D remains part of report, specifically targeting cybersecurity efforts. That runs counter to approach taken by House Science Committee, which through legislation has pushed for more nontargeted basic R&D that could lead to unanticipated cybersecurity innovations. In report, Clarke suggests Critical Infrastructure Protection Board Committee on R&D in short term could oversee research guidelines for cybersecurity. One item that appears to have been dropped in most recent draft is call for “Internet Fund,” which in earlier report was to be jointly financed by govt. and private sector “to address those discreet technical areas that fall outside the purview of both industry and government and yet are critical to the future secure functioning of the Internet.”

ISPs Urged to Improve Cybersecurity

ISPs find themselves in middle of many of report’s recommendations, most particularly in its call for “code of good conduct” for cybersecurity, provision that survived report’s editing. This voluntary code would involve 10 points: (1) Establishment of industrywide default cybersecurity configurations. (2) Sharing of best practices among ISPs. (3) Separation of online operations controls from other systems. (4) Automated cybersecurity changes throughout network. (5) Strong cryptographic authentication. (6) Active monitoring of server logs. (7) Regular network audits. (8) Set policy for security patches. (9) Development of disaster recovery plan with govt. (10) Combined govt.-private sector first response team to issue alerts and initiate recovery after attacks. “ISPs have demonstrated a remarkable ability to respond to the most extreme disasters and quickly repair their networks,” Clarke wrote, while ISPs “lack a single collection and dissemination point for warnings of attacks and changes in threat conditions.”

Report takes noncommittal position on Freedom of Information Act (FOIA) exemption that private sector is seeking to allow it to share cybersecurity breach information with federal govt. without that information being subject to dissemination via FOIA. House version of homeland security bill contains limited cybersecurity FOIA exemption, and one trade association executive we spoke with was surprised that report affiliated with White House didn’t echo official position of Administration, which has endorsed limited FOIA exemption. Report instead contains generic calls for increase in “voluntary sharing” of cybersecurity information but says federal govt. must be able to share information among federal agencies, with state govts. and in general way with public in form of warnings.

Federal Agencies to be Given Timetables

As Clarke has promised repeatedly, federal agencies will be ones facing direct obligations under report. Among recommendations: (1) By 4th quarter of FY 2003 federal govt. would have performed “comprehensive program performance review of the National Information Assurance Program” (NIAP) to determine if that program is improving cybersecurity. (2) By 3rd quarter of FY 2003 govt. will assess whether companies servicing agencies with cybersecurity technology “should be certified as meeting certain minimum capabilities.” (3) By 2nd quarter of FY 2003 govt. will have determined to what extent agencies can share authentication mechanisms. (4) By 2nd quarter of FY 2003 govt. will have determined what is needed to automate security updates.