President  |  Vice President  |  First Lady  |  Mrs. Cheney  |  News & Policies 
History & ToursKids  |  Your Government  |  Appointments  |  ContactGraphic version

Email Updates  |  Español  |  Accessibility  |  Search  |  Privacy Policy  |  Help

53 Questions for Developing the National Strategy to Secure Cyberspace

What will the National Strategy to Secure Cyberspace be?
Your Opportunity to Comment on the National Strategy to Secure Cyberspace to

The Board has identified 53 questions to be used in developing the National Strategy.

The Questions are divided into five levels:
Level 1 - The Home User and Small Business
Level 2 - Major Enterprises
Level 3 - Sectors of the National Information Infrastructure
Level 4 - National Level Institutions and Policies
Level 5 - Global

Level 1 - The Home User and Small Business

1.1. Awareness: What kind of awareness program and assistance should be available to help the home user and small businesses learn about and deal with their cybersecurity needs?

1.2. Assistance: What can be done to make it easier for home users and small businesses to safe guard their systems? Should internet service providers (ISPs) perform more of the cybersecurity functions for the home user and small business?

1.3. Disclosure: What disclosure of risk should ISPs, software vendors, and hardware vendors make to home users and small businesses?

1.4. Emerging Technology: What emerging technologies (e.g. wireless area networks for the home, wireless connectivity of the home to the internet, broadband connectivity to the home) pose additional security risks to the home users and small business; what can be done to address those risks?

1.5. Broadband Initiative: If the Federal Government acts to facilitate more rapid deployment of broadband connectivity to the home user and small business, what cyberspace security requirements should be a condition of Federal support?

Back To Levels ^ | Back To Top ^

Level 2 - Major Enterprises

2.1. Responsibility: Who in an enterprise should be responsible for IT security? How often should that person brief the CEO? What role should the Board of Directors play in oversight of IT security? Should the Board require an outside audit and, if so, how often and from whom?

2.2. Best Practices: Where should the CEO, Board and/or auditors obtain guidance on best practices or standards to use in IT security self-evaluations and IT security policy development?

2.3. Disclosure: What information about IT security should the corporation disclose to its stockholders, to its creditors, to its auditors, to its Board

2.4. Enterprise Wide It Security Policy: Should enterprises be required by their Boards of Directors or Auditors to have a regularly updated policy statement on IT security practices? Should enterprises be required by Boards and Auditors to employ software to enforce their IT policy?

2.5. Awareness: Should enterprises require employee participation in regular IT security awareness training? Where should enterprises obtain assistance in developing such training?

2.6. Insider Threats: How can a balance be struck between preventing insiders from damaging the enterprise by mis-using its IT systems, and respecting the legitimate privacy concerns of employees?

2.7. Partners and Supply Chain: What IT security risks does an enterprise run from its relationships with its partners and supply chain? How can those relationships enhance or degrade IT security?

2.8. Event Reporting: What IT security events should an enterprise report and to whom?

2.9. Threat and Vulnerability Information: How should an enterprise learn about and decide how to react to IT security threats and vulnerabilities? How can an enterprise evaluate the numerous software "patches" distributed to it by its IT vendors?

2.10 . IT Vendors: To what extent should an enterprise "out source" its IT security functions? How can IT security vendors be evaluated? How can an enterprise act to improve the security of the IT products and services it procures?

2.11. Risk Management and Insurance: How can an enterprise evaluate the appropriate level of IT security spending or the return on investment in IT security? What role can insurance play in IT security for an enterprise?

Back To Levels ^ | Back To Top ^

Level 3 - Sectors of the National Information Infrastructure

3.A. The Federal Government

3.A.1. Best Practices and Standards: Should there be a set of IT security best practices, policies, and/or standards for various types of agencies and/or various types of functions supported by IT systems? How should they be developed, how detailed should they be, and should compliance with some of them be required by law or regulation?

3.A.2. Accountability, Responsibility, and Oversight: What regular auditing of Federal agencies' IT security should be performed? By whom? To whom should it be reported? What should be done with the results? How can appropriate levels of timely remediation be best linked to such audits? How can sustain interest by senior levels of department management be best achieved?

3.A.3. Funding: Is the IT security performance level of many Federal agencies such that many agencies will be unable to adequately remedy their performance within normal annual budgetary practices? Is a funding initiative similar to the approach used in Federal Government Y2k remediation required and, if so, how would that work?

3.A.4. Cross-Department Activity: What IT security functions should be performed at the departmental level and what should be performed centrally? How could there be greater collaboration among agencies and departments to achieve economies of scale in operating some IT security related functions?

3.A.5. Connecting Critical Functions to the Internet: How should we best address the security risks arising from critical Federal functions being performed on networks that have routers and other systems vulnerable to denial of service and other cyber attacks from the internet?

3.A.6. IT Security Personnel: What is the extent of the Federal Government's shortfalls in qualified IT security personnel? How can the Federal government improve its recruitment, education, in-service training, and retention of qualified IT security personnel?

3.A.7. Procurement: What role should procurement policy have in improving Federal IT security?

3.A.8. Awareness: How should IT security awareness training be addressed for most Federal employees?

3.A.9. Event Reporting: How can the Federal government achieve better compliance with the requirement that departments and agencies report malicious activity on their cyber networks and systems? What should be done with such reporting?

3.A.10. Warning, Analysis, Incident Response and Recovery: What system and capabilities should the Federal government have and what should individual agencies have to warn, perform analysis, and respond to IT security incidents?

3.A.11. Organization: What, if any, further organizational changes are required to improve Federal IT security?

3.A.12. National Security: Are there additional IT security programs, structures, or capabilities required especially for national security related departments or agencies?

3.B. The Private Sector

3.B.1. Sectors: What IT security roles should be performed by similar enterprises acting together on a sectoral level? How should such sectoral activities be organized?

3.B.2. Information Sharing: What is the role of the Information Sharing and Analysis Centers (ISACs) and how can their performance be enhanced? How can the Federal government improve IT security information sharing with the private sector concerning vulnerabilities, threats, warnings, and analysis?

3.B.3. Best Practices and Standards: What should be the role of best practices and standards at the sectoral level?

3.B.4. Incident Response and Recovery: What sectoral level cooperation mechanisms should exist for incident response and recovery?

3.B.5. Digital Control Systems: What unique security threats are related to digital control systems and SCADA systems and how should they be addressed?

3.B.6. Connecting Critical Functions to the Internet: Are there sectors that perform critical functions which could achieve greater security and reliability by operating networks unconnected to the internet and other public switch, open systems?

3.B.7 There will be individual sections at this point in the strategy dealing with the unique issues and plans arising in specific sectors, including:

3.C. State and Local Government

3.C.1. Organization: Should state governments organize IT security organizations for information sharing and incident management at a state level? If so, should such organizations include state agencies and departments? city and county agencies? critical infrastructure related private sector entities in the state? Should state and local governments have a national mechanism to partner on IT security related activities? What should be the Federal role with such organizations?

3.C.2. Law Enforcement and Emergency Services: In addition to other state and local government IT security requirements and activities, what unique problems and requirements do law enforcement and emergency services agencies confront and how should they be best addressed?

3.D. Higher Education

3.D.1. Preventing attacks from Universities: How can academic freedom of inquiry be maintained while at the same time preventing the large scale computing power of universities from being hijacked for denial of service attacks and other malicious activity directed at other sites?

3.D.2. Preventing attacks within Universities: What functions on a university system require high levels of IT security (e.g. medical records, research trials, patents) and how is that best achieved within the context of an academic setting?

3.D.3. Organization: How can universities best organize to address the IT security questions they face in common? Should best practices or standards be agreed on a national level? Should there be a mechanism for information sharing on threats and vulnerabilities among university CIOs and systems administrators?

Back To Levels ^ | Back To Top ^

Level 4 - National Level Institutions and Policies

4.1. Training and Education: How should the nation deal with the lack of trained IT security personnel? What are adequate numbers of personnel with various levels of training and how do we achieve those levels? Is the H-1B visa program part of the overall solution or are there roles that must be performed by UIS citizens?

4.2. Highly Secure /Trustworthy Computing: In addition to addressing the vulnerabilities in currently deployed software and hardware, should greater research emphasis be placed on developing entirely new and significantly more secure approaches to operating system software, computer hardware and the interface between the two? How should such efforts be funded? How should procurement of such systems be encouraged?

4.3. Securing the Mechanics of the Internet: Can the traffic control systems of the internet (Domain Name Servers, Border Gateway Protocols) be made more secure? Can routers be made more secure by separating control functions from the general traffic channel? How can major denial of service attacks be mitigated? What problems arise in deploying more secure systems, how should they be overcome, and how should such improvements be funded?

4.4. Securing Emerging Systems: What types of information technologies and systems will increase in numbers and complexity in the next three to five years and how can their vulnerabilities be predicted in advance and avoided? How can enhanced security measures be widely incorporated into wireless networks and wireless internet connections? What security problems arise from significant growth in the number and functionality of wireless, internet enabled, semi-autonomous devices? What security problems arise from "ad hoc networks" that use multiple wireless connections to reach the internet?

4.5. Privacy: What risks to privacy could arise from some approaches to achieving IT security? How can those risks be eliminated?

4.6. Interdependency: How can we determine in what ways the various critical infrastructures are dependent upon one another and what vulnerabilities in one infrastructure could pose major problems for another? How should the burdens of addressing interdependency vulnerabilities be apportioned?

4.7. Regulation and Market Forces: What is the role of state and federal regulation in achieving IT security? How can market forces be further stimulated to achieve improved IT security as an alternative to regulation? What role can be played by corporate disclosures policies, by internal and external auditors, by Boards of Directors, by the insurance industry, by liability law, by tax policy?

4.8. Research: What should be the national IT security research priorities? How can those priorities best be addressed between and among corporate research departments, universities, national laboratories, and federally funded research and development centers? How should the research costs be apportioned?

4.9. Information Sharing: What additional IT security information sharing should occur among and between federal government agencies, state and local governments, corporations, and the public? What are the barriers to such greater sharing and how can greater sharing best be achieved? How can data about attempted unauthorized penetrations and other malicious activity best be aggregated and analyzed? What system or systems should exist for issuing IT security warnings?

4.10. Vulnerability Remediation: What role should individuals and corporations have in identifying IT security vulnerabilities? To whom should they report such vulnerabilities? How and when should users be informed? How could vendors or large scale enterprise users distribute "patches" in such a way as to insure their rapid utilization? How should critical infrastructure operators and the government identify and remove logic bombs, Trojan horses, and other malicious code that may have already been covertly installed on systems and networks?

4.11. Certification: Should software, hardware, and IT security consultants be certified, and if so, how and by whom?

4.12. Continuity of Operations, Recovery, and Reconstitution: What plans, capabilities, and arrangements should exist at a national level to respond to the wide spread outage of IT systems in one or more sectors?

4.13. Crime: What role should the criminal justice system play in achieving IT security in government and in critical infrastructures? Are current state/local or federal criminal justice capabilities adequate? Are current legal prohibitions and penalties adequate to deter?

4.14. National Security: What policy and operational differences arise if the source of malicious activity in cyberspace is a nation state?

Back To Levels ^ | Back To Top ^

Level 5 - Global

5.1. Information Sharing: What arrangements should exist for sharing information about vulnerabilities and malicious activity among institutions in various nations?

5.2. Cooperation Standards: Should there be internationally accepted standards about what malicious activity in cyberspace should be considered criminal, what the penalties should be, and what investigatory cooperation should be mutually afforded participating nations?

Back To Levels ^ | Back To Top ^

Policies in Focus America Responds to Terrorism   |   Homeland Security Economy & Budget Education Reform Medicare Social Security More Issues   |   En Español   |   News Current News Press Briefings Proclamations   |   Nominations   |   Executive Orders   |   Radio Addresses   |   Discurso Radial(en Español)      |   News by Date   |   August 2002   |   July 2002   |   June 2002   |   May 2002   |   April 2002   |   March 2002   |   February 2002   |   January 2002   |   December 2001   |   November 2001   |   October 2001   |   September 2001   |   August 2001   |   July 2001   |   June 2001   |   May 2001   |   April 2001   |   March 2001   |   February 2001   |   January 2001   |   Appointments Application      |   Federal Facts   |   Federal Statistics      |   West Wing   |   History