The National Strategy to Secure Cyberspace

General Comments
--------

-- The report lacks any attempt to determine what the most important problems are within the domain of
"securing cyberspace". They should do an analysis of what the threats are (e.g. some quantitative
study of types of attacks in recent years). They should attempt to determine what sets of systems
the US can least afford to have compromised (e.g. maybe systems supporting the power grid).

-- The section regarding securing consumer systems operates under the assumption that people have
the time and expertise to secure their systems. In general, this is not true. Offering tips on a
government website will likely have little impact.

-- The report makes no effort to define what a secure system is. The report recommends people and institutions
make their systems safer, but their suggested actions generally just consist of running anti-virus
software and running a firewall. In our view, no one knows how to build secure systems. The report
should make some contribution towards that end.

-- The group also discussed the ethics of publishing security vulnerabilities. We think that one should
allow software vendors a chance for a patch before publishing.


Answers to some specific discussion questions:
--

D1-1: SBA loans: What would you force them to do? The report lacks technical content regarding
how to make things safe. In theory, the market should force businesses to secure their
systems, not the government.


D1-2: Consumers lack the technical expertise & time. How is government supposed to help
parents talk to children about filters? Software & infrastructure must be more secure and
prevent users from compromising systems.

D3-1: Yes

D3-2: Yes

D3-3: Yes

<Evaluation result>
Strong Accept - 0
Accept - 0
Reject - 0
Strong Reject - 5