Securing the homeland

WITH HOMELAND security a hot topic and computer security always on the minds of IT professionals, "The National Strategy to Secure Cyberspace," recently released by the President's Critical Infrastructure Protection Board and introduced by President Bush's special adviser for cyberspace security Richard Clarke, comes as no surprise.

I'll admit I was skeptical about any real technical value in a government report that might simply be used as a political tool. For one thing, I still giggle at the term "cyberspace" for some reason. (Can someone please come up with a term that reflects the reality IT professionals deal with every day?) Despite the use of "cyberspace" in the title, there actually are some worthwhile suggestions in the document for both the average citizen running a home network and the CTO of a large enterprise.

I don't have enough space to summarize the entire 65-page report, but there are a few interesting items of note. First of all, the fact that the executive branch has integrated network security into its general thoughts about homeland security while offering fairly detailed suggestions is noteworthy in itself:

"Cyberspace is essential to both homeland security and national security; its security and reliability support the economy, critical infrastructures, and national defense. Accordingly, "The National Strategy to Secure Cyberspace" is an implementing [emphasis mine] strategy."

The document describes the five levels on which the national strategy will be applied: the home user, the enterprise, critical sectors, the nation, and the "global community." It then offers recommendations, references programs, and includes open points for discussion. Although the entire document is worth reading, I'll focus on the home user and enterprise because most of us deal with those every day. With many home-office users on VPN software to access corporate networks, it's important to understand their challenges.

The report rightfully notes that attention must be paid to Internet users in homes and small businesses because their machines and networks can be used individually or in aggregate to attack larger targets -- think grid computing at its worst. In a nutshell, the strategy for home users recommends that they use "tough" passwords, maintain an updated virus program, update security patches regularly, leverage filtering software provided by many ISPs for browsing the Web and receiving e-mail, and set up a hardware or software firewall for persistent connections such as DSL and cable modems. Finally, the writers of the report suggest that ISPs, anti-virus software companies, and operating system/application developers work to make these complex tasks easier for average users. Listen up, Microsoft, AOL, Symantec, and EarthLink.

On the enterprise side, the home-user recommendations still apply. But a sound managerial approach is critical. Large enterprises should coordinate their people and processes from the CEO down to create and manage effective security policies. Technology security within the enterprise should be recognized as a priority by the CEOs and the boards of large companies, and upper management should work with CTOs to make sure that best practices are employed. Rather than fan the flames of worry about outside attacks, the report notes that in reality, 70 percent of attacks are perpetuated by trusted "insiders."

In true democratic fashion, the report invites your feedback and input. I urge you to read the report and send e-mail to feedback@cybersecurity.gov. This is a battle for all of us.