October 3, 2002

Bush cybersecurity plan: Now is the time for commenting on it

By Grant Gross

Crypto software developer Bob Crowley suggests the Open Source community may want to take a hard look at the Bush administration's draft document for the "National Strategy to Secure Cyberspace" and send some comments to the White House in the next six weeks.

Crowley, senior v.p. of Research Triangle Software, had a booth at Bob Young's Lulu Tech Circus in Raleigh, North Carolina, last weekend. The Bush cybersecurity plan hasn't received a lot of attention in the Open Source community, but Crowley suggested that it should.

Crowley, whose company makes crypto software, isn't completely down on the Bush plan, although he suggests, as some others have, that the plan is a bit short on concrete proposals to implement. There are a lot of "shoulds" with voluntary compliance in the 65-page, 86-recommendation document, and as Crowley says, "doesn't that leave us essentially in the same position we're in?"

He suggests that at least some of the recommendations should have some teeth. "By leaving the report open-ended the way it does, I don't know that it accomplishes anything but give us some nice suggestions of things to do."

Several of the suggestions are fairly benign, things like, "the software industry should consider promoting more secure 'out-of-the-box' installation and implementation of their products." (Are you listening, Microsoft?)

On the other hand, there are some "shoulds" that might be worth further debate. One that could be of interest to Open Source developers and companies is: "A voluntary, industry-led, national effort should consider developing a clearinghouse for promoting more effective software patch implementation. Such an effort may include increased exchange of data about the impact that patches may have on commonly used software systems, including, where practical, the results of testing."

Even though the document calls for a voluntary patch clearinghouse, Crowley says this proposal could tie up software companies in miles of red tape.

"It's a matter of concern if that became a mandatory thing," he says. "I think on the surface it's a very well-intentioned idea, maybe even a good idea in some ways. If we're putting software patches out there, we want to make sure the patch doesn't make it worse. My big concern is the red tape and bureaucracy of having to submit patches through a government agency to get them essentially approved for use."

Although Crowley works for a company that develops proprietary software, he can see how that provision would negatively impact Open Source developers as well. "It's kind of like the whole anti-Open Source," Crowley says. "You can't do Open Source if you have to submit everything for clearance first. And yet, there is a very pervasive reason for wanting to have someone to look at everything first."

Crowley says it's good that the patch clearinghouse recommendation is a "should."
"There are things in there that could be a problem if they ever become mandatory," he says. "'Shoulds' have ways of becoming 'musts' if too many people get the wrong idea about them, and the wrong idea usually comes out of a total naiveté of what they're really asking."

Judges and lawmakers can't be expected to be experts in every industry, Crowley says, so that's why people who know the issues need to get involved.

Crowley also worries that the dozens of proposals, taken in total, suggest nearly everyone is responsible for U.S. cybersecurity.

"If you take all 86 recommendations in there as a whole, what we've got is essentially everyone who's a computer user having some level of involvement in maintaining the security of the nation's cyberspace," he says. "Yes, we should be more vigilant, but especially in this time of peril. But is that a good thing? Do we want to execute it this way? Now we're all snitching on each other, and it's almost like McCarthyism again."

The good news is that the Bush cybersecurity plan is open for debate, and public comments will be taken through WhiteHouse.gov through November 18. Crowley urges people to get involved and submit comments on the recommendations they don't like and the recommendations they do think are good ideas.

"We have a process out there," he says. "It is open now for initial public comment. Use the process; find out what's going on in the world that directly affects you. Silence is saying, 'ok, go for it.'"

