Internet Security Alliance Pans Obama's Security Plan

Wednesday, August 17, 2011



Larry Clinton, President of the Internet Security Alliance, criticized the Obama administrations cybersecurity strategy as being too heavy on regulatory mandates, and too light on market incentives.

The proposal, unveiled in May, was the culmination of over two years of effort by the White House to finish laying the groundwork for the protection of critical infrastructure in the face of increased threats posed by attacks on both public and private sector network systems.

While several information security and regulatory interest groups have lauded the administration for finally producing the much-touted plan of action, the consensus is that the strategy is lacking in depth and breadth.

"There's really no doubt that they have proposed here developing a fairly extensive regulatory structure and again that is precisely the opposite of what the president himself promised when he released the cyberspace policy review back in 2009," Clinton stated during a taping of C-SPAN's "The Communicators", to air this  Saturday at 6:30 EDT on C-SPAN and Monday at 8 AM and again 8 PM on C-SPAN II.

Major challenges in drafting the proposal included how to best prioritize federal security initiatives, defining the government's role in protecting and regulating private sector networks which administer the majority of the nation's critical systems, and protect privacy and civil liberties in the process.

"This is a punitive model where we're trying to blame the victims of the attack. I don't think that the administration's proposal really does anything that I can see to enhance cybersecurity," Clinton said.

As outlined last spring by TechNewsWorld, the administration's cybersecurity proposal addresses four key issues:

  • Commercial transactions: The proposal addresses identity theft, including appropriate procedures to notify consumers of data breach events that compromise personal information. The program standardizes what the administration calls a "patchwork" of 47 state laws, and clarifies federal laws and penalties governing computer crimes.
  • Critical infrastructure: The plan attempts to reduce legal barriers that inhibit private industry and state and local governments from seeking federal assistance, such as technical analysis by the Department of Homeland Security (DHS), when suspected intrusions related to power, water, finance, transport and other vital functions occur. The plan requires DHS to closely monitor the implementation of enhanced cybersecurity measures by businesses.
  • Federal government protection: The administration proposes significant improvements to existing measures, including solidifying the central role of the DHS in protecting federal civilian agencies and updating the Federal Information Security Management Act (FISMA). The plan extends protections for Internet Service Providers to the federal government, enhances privacy and civil liberties protections, and bolsters security for data management functions, especially those that will be migrated to cloud platforms.
  • Privacy: The proposal enhances current privacy and civil liberties protections regarding personal information flowing to federal agencies, broadens the role of the U.S. Attorney general in privacy matters, and provides protocols for granting immunity to the private sector and state and local governments for compliance with security standards.

The administration's proposal is seen as long on defining federal authority, but short on providing incentives for the private sector to make the necessary investments in security technology and best practices.

"They are fighting the last war. The model they are using for dealing with the private sector is largely antiquated," Clinton said.

The ISA represents enterprises from the aviation, banking, communications, defense, education, financial services, insurance, manufacturing, security, and technology industries.

ISA’s mission is to integrate advanced technology with the realistic business needs of its members and enlightened public policy to create a sustained system of cyber security.

ISA has continually articulated its pro-market approach to cyber security through the two editions of its “Cyber Security Social Contract.” When the Obama Administration released a policy paper for cyber security, the Cyberspace Policy Review, the first document it quoted was the ISA Social Contract. 

In fact, the Administration’s Executive Summary both begins and ends by citing the ISA, and more than a dozen ISA white papers are cited in the Administration’s policy review - far more than any other source.

In 2009, the U.S. State Department sent Larry to Estonia to brief the NATO Cyber Security Center of Excellence on the ISA Social Contract model. In addition to the Social Contract model, ISA has also taken on other projects to address cyber security from an enterprise-wide, risk management perspective.

ISA’s two most recent publications on this topic are: “The Financial Management of Cyber Risk,” and “50 Questions Every CFO should be asking about Cyber Security.

You can watch Larry Clinton's video interview with Infosec Island's Anthony M. Freed conducted at the RSA Conference earlier this year HERE.

Possibly Related Articles:
Network Access Control
Government Internet Security Alliance Cyber Security Headlines Obama National Security White House ISA
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.