"For some reason, Richard Clarke continues to believe that he can increase cybersecurity in this country by asking nicely. This government has tried this sort of thing again and again, and it never works. This National Strategy document isn't law, and it doesn't contain any mandates to government agencies. It has lots of recommendations. It has all sorts of processes. It has yet another list of suggested best practices. It's simply another document in my increasingly tall pile of recommendations to make everything better. (The Clinton Administration had theirs, the "National Plan for Information Systems Protection." And both the GAO and the OMB have published cyber-strategy documents.) But plans, no matter how detailed and how accurate they are, don't secure anything; action does.
And consensus doesn't secure anything. Preliminary drafts of the plan included strong words about wireless insecurity, which were removed because the wireless industry didn't want to look bad for not doing anything about it. Preliminary drafts included a suggestion that ISPs provide all their users with personal firewalls; that was taken out because ISPs didn't want to look bad for not already doing something like that.
And so on. This is what you get with a PR document. You get lots of varying input from all sorts of special interests, and you end up with a document that offends no one because it demands nothing.
The worst part of it is that some of the people involved in writing the document were high-powered, sincere security practitioners. It must have been a hard wake-up call for them to learn how things work in Washington. You can tell that a lot of thought and effort went into this document, and the fact that it was gutted at the behest of special interests is shameful...but typical."