The Strategy was released by the President's Critical Infrastucture Protection Board (PCIPB), an Oval Office entity that brings together various Agency and Department heads to discuss critical infrastructure protection. Within the PCIPB is the National Security Telecommunications Advisory Council (NSTAC), a Presidentially sponsored coffee klatch comprised of CEOs that provide industry-based analysis and recommendations on policy and technical issues related to information technologies. There is also the National Infrastructure Advisory Council (NIAC) consisting of 30 private-sector 'experts' on computer security, yet nobody knows who these people are. Thus, a good portion of this Presidential Board is comprised of CEO-level people and a shadowy group of un-named experts, picked for their Presidential loyalty, campaign contributions, or visibility in the marketplace. Factor in Richard Clarke's team many of whom, including Clarke, are not technologists but career politicans and thinktank analysts and you've got the government's best effort at providing advice to the President on information security. (One well-known security expert I spoke with raised the question about creating a conflict of interest for people who sell to the government or stand to gain materially from policy decisions to act in advisory roles, something that occured during the Bush Administration's secret energy meetings.)
Although the Administration heralds this as the first "National Strategy" for cyberspace security, we need only reflect on the Clinton Administration's "National Plan for Information Systems Protection" from 2000, and the President's Commission on Critical Infrastructure Protection Reportfrom 1996 - like its predecessors - and despite the publicity push from the Administration - nearly all of what's in this Strategy isn't new, either in what it says or what it fails to say. In keeping with tradition, the Strategy "addresses" various security "issues" instead of directing the "resolution" of security "problems" tiptoeing around the problems instead of dealing with them head-on and demanding results.
Now that you know where the Strategy comes from, let's examine some
of its more noteworthy components.
At times, the Strategy reads like the fear-mongering propaganda published by assorted industry groups and security product vendors. It claims that 70% of cyber-attacks on corporations are caused by insiders, yet provides no source for these statistics. Further, during its discussion of the threats and vulnerabilities, there's an eye-catching sidebar with a hypothetical worst-case cyberterrorism scenario conjured up by "50 scientists, computer experts, and former intelligence officers" and throughout the report are statements that the Administration consulted with experts across the country in a variety of industries. Yet there's no reference listing who these 'experts' are, or what their credentials are to enable them to make such prophecies and participate in the preparation of this Strategy, something that undermines the credibility of these statistics and statements For all we know, these 'experts' are career politicians, academics, or clueless CEOs many of whom probably never served in an operational IT capacity before - and thus don't understand the reality of today's information environment.