Washington, DC – Unenforced procurement rules, insufficient guidelines and a lack of accountability hamper efforts to secure Federal computer networks from terrorists and other online criminals, the Computer & Communications Industry Association (CCIA) said today. But fixing vulnerabilities in Federal networks, officials said, will help the security of all network users.
CCIA, which represents a variety of computer, technology, and telecommunications companies, urged the government to take action in its comments on the Bush Administration’s recently released “Draft National Strategy to Secure Cyberspace.” The Administration requested public comments on the strategy, which were due by the end of today.
While broadly agreeing with the Administration’s market-driven approach to cybersecurity, CCIA urged the Bush Administration to enforce existing laws and regulations more vigorously than outlined in the Strategy. CCIA also called for a greater emphasis on the use of “heterogeneous” networks and software, rather than networks built around a single, monopoly operating system and dominant PC software applications. Since computer viruses, worms, Trojan horses and other system threats seldom run on more than one kind of operating system, they do the least damage when a given network has computers running a variety of platforms.
“Security is about technology, but more than anything else, it’s about people,” CCIA President Ed Black said. “The computers we buy, the rules we follow and the responsibility we take for our own actions determine how safe we all will be.”
In addition to emphasizing the use of competitive technologies and better security standards, CCIA called on the Administration to support a rewrite of the 1998 Digital Millennium Copyright Act (DMCA). The DMCA has harmed security by restricting what researchers may disclose about the computer security work they do. CCIA commended Board Chairman Richard Clarke for his recent statements supporting a reexamination of the DMCA and its chilling effects on security research and disclosure.
CCIA officials praised the Draft Strategy’s market-driven approach to security, but urged the government to take a tougher line on enforcing its own security regulations. The association also said the Administration should enforce aggressively the Government Information Security Reform Act (GISRA), which governs computer security throughout the Federal government. CCIA praised the prominent role open source software has played in securing government networks, as well as its contribution to a safer, heterogeneous network.
The association cautioned the government not to rush towards so-called “secure computing” initiatives. Among other things, some proposals would sacrifice user control over their own computers in order to bestow upon copyright holders the power to determine how consumers could use and manage digital content. Others have noted that, depending on their design, trusted computing schemes could effectively ban open source software or other operating systems from PCs altogether. Significantly, CCIA said, every reference to such initiatives used the term “Trustworthy Computing,” Microsoft’s terminology for what others call “trusted computing.” Trusted computing, if mismanaged, could greatly strengthen the hand of a monopolist like Microsoft, which has repeatedly been found liable for its efforts to maintain its monopoly over the PC operating system market.
“Words matter in Washington, likely more than anywhere else,” CCIA’s Black said. “We support this document as a whole and think it’s heading in the right direction. But seeing Microsoft sloganeering in national strategy documents gives us pause. We hope that national computer security policies will not reflect the vision of a single, dominant company, but that of the broader public interest.”