November 7, 2005 11:00 AM PST

Homeland Security's vague cyber plan

A preliminary report released by the Department of Homeland Security seems to scatter cybersecurity responsibilities across the government and the private sector while sticking to generalities about future plans.

In its 175-page draft of the National Infrastructure Protection Plan (PDF), or NIPP, the department outlines a broad framework for protecting the nation's "critical infrastructure" and "key assets"--bureaucratic argot referring to everything from the power grid to dams to computer systems.

President Bush first commissioned the plan in December 2003, and the Department of Homeland Security released an early version in February. According to a notice announcing the document's availability, the latest version aims to provide greater detail.

The term "cybersecurity" appears 148 times in the draft, and a 16-page appendix devoted to the topic offers some suggestions for threat analysis, response readiness and training.

But the rest is worded in terms of generalities. The plan asserts that cybersecurity responsibilities should ultimately lie with the Department of Homeland Security but also calls on state and local governments to come up with information security measures and to be aware of vulnerabilities in their systems. The report charges academia and research institutions with devising "best practices" for IT security and the private sector with ensuring that it is "satisfying cyberprotection standards."

The document suggests that work should be done through a "sector partnership model"--that is, informal advisory bodies composed of private-sector and governmental representatives from the same subject area. It proposes several lists of general actions that various sectors should take (for example, "set sector-specific security goals") and allocates deadlines from the adoption of the plan to accomplish them (in that particular case, 90 days).

The recommendations are often vague. For example, the suggestion that the Department of Homeland Security should lead and develop a "national cybersecurity exercise" to simulate responses to an attack is listed as an "ongoing" project with no deadline. And under a category referring to the steps the government should take to deal with "privacy and constitutional freedoms," the department lists no suggested actions.

"It strengthens the linkages between physical and cyber efforts, but the base plan itself is not intended to provide a detailed protection plan for each critical sector," Kirk Whitworth, a Homeland Security spokesman, said in an e-mail interview. "That is going to come with the sector-specific plans, six months after the NIPP is signed early next year."

The agency plans to accept comments on the proposal through Dec. 5.

Cyber Security? BAH
by Inetsec November 7, 2005 12:50 PM PST
In all honesty there is not now, nor will there ever be such a thing as 'cyber security.' They should change the name to something like 'cyber preparedness,' or 'national cyber threat action plan.' Both of which would be a stretch but it would sorta convey the premise of the effort.
Practice what they preach
by rcrusoe November 7, 2005 7:08 PM PST
If the DHS wants us to believe they know something about "cyber security" they better quit buying Windows computers.