While the document falls short of calling for government regulation of security, it hands a substantial coordinating role to the newly formed Department of Homeland Security (DHS) and raises the possibility of government influence via purchasing decisions.
In general, the private sector is best equipped and structured to respond to an evolving cyber threat, the report says. There are specific instances, however, where federal government response is most appropriate and justified.
The plan proposes a National Cyberspace Security Response System as a public-private cooperation, coordinated by the DHS, for analyzing, preventing and responding to threats of potentially national significance.
The DHS becomes a focal point for managing cyberspace incidents that could impact the federal government. The system would coordinate federal departments and private bodies such as ISACs (information sharing and analysis centers).
The report also says the government will review the National Information Assurance Partnership (NIAP, which runs Common Criteria testing in the US) to see if it is adequately addressing the continuing problem of security flaws in commercial software products.
This review follows the Department of Defense’s decision to only buy security products that are certified by NIAP. Common Criteria is regarded by many as the strictest (not to mention most expensive and time-consuming) evaluation software can undergo.
The government will evaluate the cost effectiveness of expanding the [NIAP] program to cover all federal agencies, the report says. It could both improve government security and leverage the government’s significant purchasing power to influence the market.
In total, the plan has 47 items requiring action. However, it remains to be seen how influential the government’s strategy will be over the private sector, which almost by definition is often far from altruistic when it comes to securing its corner of the internet.
Source: Computerwire