On Thu, 19 Sep 2002, batz wrote:
From a security perspective, the recommendations in this report are the same things that have been advocated for the last decade. In fact it looks like many of these recommendations could have been culled from the various vulnerability assessment report templates I have seen and even used over the years. I don't mean to undermine the importance of the strategy, but I think its impact will be through adding weight to us Cassandras in the security industry.
People expecting the government to wave a magic wand and make us all safe will be disappointed. Security consulting firms probably aren't going to get a windfall from the publication of the national strategy. But if you had more modest goals, the strategy did accomplish some things.

Despite the daily drumbeat of vulnerability announcements, there really aren't any new fundamental causes of security problems. The National Academies of Sciences published a report last year recapping 10 years of computer and network security studies.

http://www.nap.edu/catalog/10274.html

The particular instance may change, but the classes of security problems are unchanging.

Although the security problems are the same, the solutions can change. In the 1980's I had a Multics/Dockmaster account. Multics may have been secure, but the system sucked. Perimeter firewalls may not be the security solution for the next decade. Would anti-virus software become obsolete with a better kernel? Are the same password rules we had for our one mainframe account applicable in today's web with dozens of "logons"? I think we need to re-evaluate our best solutions for our security problems.

That National Cybersecurity Strategy did a nice job of collecting the problems from all groups into one document, and showing an interdependence between the groups. Simply securing one industry, company or home user isn't enough to solve the problem. I am especially pleased that at least part of the US government now seems to recognize that security is more than just secrecy.

Could the government move faster? It took over 15 years from the introduction of seat belts on an American car until they became "standard" items in American cars. The government only "mandated" seat belts after most car makers were already offering them. There were a lot of studies along the way. A democratic government can't get too far out in front of the public.

American Seat Belt History (http://www.lemurzone.com/airbag/belts.htm)

1947 The first time seat belts were offered in an American car was the Tucker. The state of the art then was lap belts.
1956 Ford introduces seat belts in American cars
1964 Seatbelts became a "standard" feature in American cars
1966 Rear Seatbelts became Standard
1967 Front Seatbelts became Mandatory
1968 Shoulder Belts became Mandatory

Nevertheless, seat belts won't help unless the driver buckles up.