Probe Research has a very lucid take on this very topic at http://www.proberesearch.com/alerts/networksecurity.htm Their point is that, given the current climate, the RBOCs are likely to be setting the agenda for cyber security. To quote Probe's first two conclusions: "First, the RBOCs will be the focus of developing a telecom national security plan; Second, the RBOCs will use this position to force costs onto all players. For example, co-location will be viewed as increasing the risk to telecom, so carriers may be forced to abandon co-location in favor of smaller nodes and these nodes will have to have remote backup nodes." Cheers, Mathew At 08:22 PM 7/18/2002 -0400, Sean Donelan wrote:
http://www.eweek.com/article2/0,3959,387377,00.asp
"All the while maintaining that the government will not set IT security requirements for the private sector, top federal IT officials today said they expect such mandates will be imposed on federal agencies and that the same standards will also be used by industry."
While standards are great, one-size-fits-all standards aren't. When the government's cyber-security plan is released in September, will there be 500 requirements that Internet Service Providers must meet? Should ISPs be more secure than the post office or the telephone or the bike messenger? Must Bill's Bait & Sushi Shop ISP Service meet the same security requirements as the ISP for the White House?
ISPs come in all sorts of shapes and sizes. Consumers use cordless phones at home, but the NSA prohibits use of cordless phones in secure areas. Just because the government issues a security standard doesn't make it suitable for all purposes. Some people like paying $9.95 for Internet service from an ISP without a backup generator, and wouldn't want to pay $29.95 for a "certified" ISP with a backup generator. If the $9.95 ISP fails, heck they could almost afford two more for the same price as a single "certified" ISP. Sometimes a hammer is just a hammer, and you don't need a MIL-SPEC. If the Department of Homeland Security creates a new security standard for ISPs, what do you think will happen to any ISP which doesn't meet it?
The security "Gold Standard" for Microsoft 2000 was written by the Critical Infrastructure Protection Board, the Center for Internet Security, the National Security Agency, the General Services Administration, the National Institute of Standards and Technology, and the SANS Institute.
Do you know who is writing the security "Gold Standard" for Internet Service Providers?