Interesting People mailing list archives

2 on National security


From: Dave Farber <dave () farber net>
Date: Fri, 20 Sep 2002 21:34:15 -0400


------ Forwarded Message
From: Declan McCullagh <declan () well com>
Reply-To: declan () well com
Date: Fri, 20 Sep 2002 07:33:14 -0700
To: politech () politechbot com
Cc: JALewis () csis org
Subject: FC: CSIS' James Lewis replies to Politech on WH cybersecurity report

Previous Politech message:

"Defense hawks bash White House report, want new laws, regulations"
http://www.politechbot.com/p-03999.html

James Lewis was one of the two CSISers I quoted in that article as wanting
more laws. He had said: "Cybersecurity is too tough a problem for a solely
voluntary approach to fix. Companies will only change their behavior when
there are both market forces and legislation that cover security failures.
Until the U.S. has more than just voluntary solutions, we'll continue to
see slow progress in improving cybersecurity."

-Declan

---

Date: Fri, 20 Sep 2002 10:16:33 -0400
From: "James Lewis" <JALewis () csis org>
To: <declan () well com>
Subject: Defense Hawks bash, etc

Declan: I actually think the National Strategy is very strong, but I
question the heavy reliance on voluntary action and self-regulation.
Politech readers might want to look at the section (460 words) from a
draft report that I pasted below.  It outlines ideas on regulation as an
incentive for cybersecurity. Thanks, Jim Lewis

***
In a perfect market, the private sector would purchase adequate
security and firms would offer the products needed for it.  This has not
been the case.  While some industry sectors (such as financial services)
have moved to increase security, other sectors may not improve absent
increased incentives.  Despite arguments that market forces and the
evolution of the IT industry will improve security voluntarily, we must
ask if cybersecurity, as with health, environmental, or safety issues,
requires further government intervention.

Government intervention could include direct or indirect subsidies for
cybersecurity spending, i.e. tax relief, R&D funding, or the use of
Federal purchases to promote more secure products.  It could also
include reinsurance subsidies (the U.S. provides reinsurance for natural
catastrophes) in exchange for insurers' adherence to cybersecurity
standards such as ISO 17799.  Continued exhortation by government
officials for the private sector to voluntarily take action is a form of
intervention that occasionally is effective.

Governments can also use law and regulation as incentives to encourage
certain behaviors.  Legislation and regulation (or even the threat of
legislation and regulation) will energize the private sector to move
faster in cybersecurity.  Regulation should avoid a heavy-handed,
prescriptive approach and instead aim to increase transparency and
assign responsibility, leaving it up to individuals as to how best to
meet requirements.  The Health Insurance Portability and Accountability
Act of 1996 and the Gramm-Leach-Bliley Financial Reform Act, by creating
responsibility for privacy (and consequently security), worked to
increase awareness and demand for security products and are useful (but
not perfect) models of this.

While security is an ongoing problem and Y2K was a single event, Y2K
may also be a model on how regulation can energize private sector
behavior for cybersecurity.  The primary function of government in Y2K
was as an organizer and educator.  The Y2K effort gathered and
disseminated information, organized multinational networks, shared
information on best practices and worked through public-private
partnerships to raise awareness.  However, regulatory action by the
Securities and Exchange Commission and by banking regulators also played
a galvanizing role in Y2K preparations.  Companies had to show publicly
and to their regulators that they had taken adequate steps to protect
against Y2K disruption.  Similar SEC requirements for companies to
report the steps they are taking to protect themselves from cyber attack
would improve network security.

Internet policy problems challenge governments' ability to carry out
their functions.  Traditional governmental responses, such as
prescriptive regulation, will not create cybersecurity, but neither will
a reliance on self-regulation and voluntary action.  One solution may be
a new style of governance built on explicit public-private partnerships.
  Defining the scope of these partnerships and the responsibilities of
each partner requires that we identify places where the market
response is weak as candidates for government action, and which
government actions (if any) would be an appropriate response.


And


------ Forwarded Message
From: Declan McCullagh <declan () well com>
Reply-To: declan () well com
Date: Fri, 20 Sep 2002 10:45:32 -0700
To: politech () politechbot com
Subject: FC: Bush releases "National Security Strategy" -- no Internet mention

Is it just me or does this document seem a little strange:
http://www.whitehouse.gov/nsc/nss.pdf

There's no mention of the Internet, cybersecurity, or even "information
warfare." Coming just two days after the highly-touted "cybersecurity
strategy" (http://www.whitehouse.gov/pcipb/cyberstrategy-draft.pdf), this
could be seen as a rebuke to Clarke's handling of it. Or perhaps
Wednesday's report was seen as simply irrelevant.

Remember how the Clarke draft report talked up the topic: "Cyberspace is
essential to both homeland security and national security; its security and
reliability support the economy, critical infrastructures, and national
defense."

If it's so essential, then why isn't it part of the official National
Security Strategy? That document talks about agricultural aid, public
health threats like AIDS, and improving third world literacy rates -- you'd
think "cybersecurity" might rate a mention.

-Declan

---

                         THE WHITE HOUSE

                          Office of the Press Secretary
FOR IMMEDIATE RELEASE                         September 20, 2002


                         STATEMENT BY THE PRESS SECRETARY


Today President Bush submitted to Congress the National Security Strategy
of the United States as required by the Goldwater-Nichols Defense Department
Re-Organization Act of 1986.  The president's national security strategy
reflects the union of our values and our national interest.  This strategy
states that the safety and security of America is the first and fundamental
commitment of our government.

America must always stand for and protect the universal values on which it
was founded.  To this end, President Bush makes clear that the United States
will use its position of strength and influence in the world to defend,
preserve, and extend the peace.

The full text of the National Security Strategy can be accessed at
www.whitehouse.gov.


                                       ###
