President's cyber security plan misses the (end)point
Posted by Maxim Weinstein
President Obama’s cyber security plan is revealed within the Homeland Security agenda posted on Whitehouse.gov. The plan echoes many of the recommendations made in a report (PDF) by the Commission on Cyber Security for the 44th Presidency.
The elements, all of which are sensible, include:
- Appointing a national cyber advisor
- Investing in R&D for infrastructure security
- Working with the private sector to set standards for infrastructure security
- Working with industry to develop safeguards against cyber-espionage
- Shutting down untraceable payment schemes used to facilitate cybercrime
- Providing law enforcement with money and training to improve their cybercrime enforcement efforts
- Set standards for securing personal data and disclosing data breaches
If the administration makes progress towards all of these goals and plays its part well, this would represent a significant step forward in the fight to secure our homeland security and to protect consumers.
I am, however, disappointed that the President’s plan does not include elements specifically focused on botnets and other malware that present a risk to individuals, business, and critical infrastructure. As demonstrated in the 2007 cyber attack against Estonia, infected PCs can be used to attack infrastructure. Just as a traditional military strives to not only defend its assets, but also to reduce its opponent’s armaments, we must work to get the malware off of users’ PCs. A sensible federal cyber security policy should include a focus on education, technology, and research to help keep users’ PCs safe. Ideally, this would incorporate working with the private sector to encourage data sharing, engaging the academic and malware research communities, increasing funding for non-profit initiatives such as the National Cyber Security Alliance (and, dare I say, StopBadware.org), and investing in the development of new technologies and new policies aimed at keeping computers secure.
will this administration or following be alowed to close a site or any site or e-mail sender the right to free speach when it may be contrary to the current administration and the autority of this stopbadware.org? D. wicks
White House Comment line: (202) 456-1111, M-F, 9a-5p EST
Left out of all this is Microsoft's responsibilities.They are obliged to sell a minimally-defective product,and it seems like 99% of these problems are Windows/I.E. vulnerabilities,they can and should do alot more than bloated,sporadic service pack updates.There also should be an official qualification process for someone to create/host a website,within the U.S. anyway.Far,far too many neophytes are just throwing a basic CSS/HTML code up,with no security,getting hacked,and distributing malware purely through incompetence,this could be prevented.Iframe exploits are getting out of control.Becoming infected simply by clicking on an unknown link is shameful and unacceptable and until Microsoft gets much more aggressive,nothing will change,no matter how much gov't money is throw at the problem.Just my humble opinion.
I agree fully with Max's assessment of the situation, but I do think this is most likely the best that can be expected. The US government has to look at the most accessible part of the problem and can not shoot the stars from the heavens. Reaching a solution in the US solving this problem isn't going to fix the issue of such an attack against the US. To address the greater concern of botnets and malicious softare the US will never be able to be the only force driving towards this goal. So, I think, instead of setting an unattainable goal, the more reasonable of these have to be the foremost important, i.e. protecting the homeland. The world and internet community does however need to address the problem of botnets and malware much more agressively. Perhaps a more global organization needs to get involved to make this happen. The only organization capable of pushing for a solution, is probably the UN. It's a delicate matter and freedom of speech must be maintained as a way for every person to be able to voice their opinion, all of which is also part of the equation/solution.
As the federal government seems to lurk more and only take action in very serious cases I think they may have a good idea of which PC's (inside of US borders and outside) are part of botnets. They likely let the spamming go on and will only use the information they have to blacklist the botnet PC's if there is a threat to national security. This effectively makes US enemies think they have powerful weapons which the US can disable should they become a real threat. I would rather have a “sensible federal cyber security policy” but I do not see this happening. Remeber these are covert goverment operations.