The National Strategy to Secure Cyberspace
General Comments
--------
-- The report lacks any attempt to determine what the most important problems are within the domain of "securing cyberspace". They should do an analysis of what the threats are (e.g. some quantitative study of types of attacks in recent years). They should attempt to determine what sets of systems the US can least afford to have compromised (e.g. maybe systems supporting the power grid).
-- The section regarding securing consumer systems operates under the assumption that people have the time and expertise to secure their systems. In general, this is not true. Offering tips on a government website will likely have little impact.
-- The report makes no effort to define what a secure system is. The report recommends that people and institutions make their systems safer, but their suggested actions generally just consist of running anti-virus software and running a firewall. In our view, no one knows how to build secure systems. The report should make some contribution towards that end.
-- The group also discussed the ethics of publishing security vulnerabilities. We think that one should allow software vendors a chance for a patch before publishing.
Answers to some specific discussion questions:
--
D1-1: SBA loans: What would you force them to do? The report lacks technical content regarding how to make things safe. In theory, the market should force businesses to secure their systems, not the government.
D1-2: Consumers lack the technical expertise and time. How is government supposed to help parents talk to children about filters? Software and infrastructure must be more secure and prevent users from compromising systems.
D3-1: Yes
D3-2: Yes
D3-3: Yes
<Evaluation result>
Strong Accept - 0
Accept - 0
Reject - 0
Strong Reject - 5