WASHINGTON, D.C.—After 20 years as an Army Corps of Engineers officer, Marcus Sachs now has something else to engineer—a strategy for national cyber-security. And he needs your help.
Sachs is now the director for communication infrastructure protection in the White House’s Office of Cyberspace Security. On Tuesday, he was the office’s pitch man, presenting the draft of the National Plan to Secure Cyberspace to an audience of open-source advocates and security gurus at Red Hat’s Open Source Security Summit here. The White House is taking comments on the draft, which has been posted on the Web at http://www.cybersecurity.gov, through Nov. 16.
The Summit, just a week after the distributed denial of service attack on the Internet’s 13 root Domain Name Service (DNS) servers, drew about a hundred people from the Washington security and open source community; many came from government contractors and consulting agencies.
But if anything, the opinion of the experts on hand at Georgetown University’s conference center was that the events of last week were proof of how resilient the Internet’s infrastructure is.
“It mostly ended up just irritating the guys who run the core networks,” says Sachs. “They had to stay at work late and miss Monday Night Football.”
The attack also demonstrated the continuing vulnerability of the average Internet-connected PC. “Distributed denial of service attacks are usually launched desktop computers that have been turned into ‘zombies,’ ” says Michael Tiemann, Red Hat CTO.
It was clear that the ideologies of the open-source movement were well-represented; a majority of the questions that Sachs and other speakers fielded during the course of their presentations were wrapped in attacks on Microsoft’s End-User License Agreement language, the Digital Millenium Copyright Act and the Uniform Computer Information Transaction Act (UCITA)—a law being pushed through state legislatures by software company lobbyists.
Sachs was looking for feedback, and he certainly found it As he concluded his presentation, Sachs fielded a number of barbs from the audience before being surrounded by attendees in the Georgetown University conference center for nearly a half-hour. The Office of Cyberspace Security have been presenting the plan at “town meetings” around the country, with similar results.
“The reaction so far has been about half-and-half,” says Sachs. “The people who don’t like it usually complain that it doesn’t have enough teeth.” That’s because the strategy consists mostly of a set of recommendations—the White House is trying to avoid additional regulations.
That’s partly out of recognition that the Internet is too big for even the government to handle on its own. “The government can’t provide a safety net in cyberspace,” Sachs told the audience in Georgetown. The plan places a major emphasis on the contributions of industry and private citizens.
Additionally, the plan avoids dealing with specific types of threats, instead focusing on how individuals and companies should reduce their overall vulnerability to attack. The plan proposes a set of “best practices” for security for security, with the federal government leading by example and “empowering” the public and private sectors through investment in the development of the tools that are required for a “secure” Internet—accountable addressing (“IPv6 or something like it,” said Sachs); trusted network services (like secure versions of the Bridge Gateway Protocol for routers and the Domain Name Service); and authentication for user services like Web browsing and e-mail. “We also need a working public-key infrastructure,” Sachs said.
But don’t look for the White House—or any other government agency—to mandate a specific set of standards. While the United States may have been able to exert some limited control over the Internet in its early days, now “the rest of the world wouldn’t stand for that,” says Sachs.
Instead, the government may pilot some of the technologies on its own secure networks, like the Navy-Marine Corps Intranet (NMCI) network or whatever network is built to support the Department of Homeland Security when it gets funded.
There have been some creative suggestions as to how to add a little more bite to the government’s strategy. One attendee posited that the government could get better results with the private sector if it made security compliance reporting part of required SEC filings—an option that Sachs said had been suggested elsewhere. “And that would have the effect of raising security to the corporate board level, where it should be,” he added.
