In September 2002, the President's Critical Infrastructure Protection Board released a draft of the National Strategy to Secure Cyberspace (the "Strategy"). As its title suggests, the Strategy lays out a grand plan for securing the Internet and its users, who include home users, small businesses, enterprise corporations, and state and federal government agencies.
The Strategy is the evolving plan to secure cyberspace in light of private, commercial and public security concerns, and is made up of recommendations garnered from cybersecurity expert committees, town hall meetings, and individual contributions. Additional comments on the Strategy have been collected, and the Strategy will be released in its final version in 2003.
Although the Strategy is part of a federally initiated program, it does not currently mandate any actions by private entities.
Because security threats evolve as technology evolves, the Strategy's emphasis is on a system's vulnerabilities rather than on methods of attack. The Strategy identifies a collective security responsibility, and it strives to empower all users to secure their portions of cyberspace.
"Empowerment," a strong theme of the Strategy, is gained through awareness and information, tools and technology, education and training, roles and partnership, federal leadership, and coordination and crisis management.
In order to secure cyberspace, the Strategy urges the nation to acknowledge and act on two security principles:
- the security of the entire cyberspace infrastructure will depend on the security of each component; and
- threats and vulnerabilities will evolve, and security must evolve at an equal or higher rate.
Applying the Strategy to the Practice
While the Strategy does contain some grand rhetoric, it also offers many practical steps that organizations can take to secure their corner of cyberspace. Those directly or indirectly responsible for the information security of a law firm will find several recommended best practices outlined in the Strategy. These recommendations vary depending on the size and systems of the organization.
Small Firm Best Practices
Small firms, small businesses and home users are classified as Level 1 users in the Strategy. These recommended best practices are taken directly from the Strategy:
- Because automated hacking programs scan the Internet for unprotected broadband connections to exploit, those home users and small businesses planning to install a DSL or cable modem should consider installing firewall software first. (Some Internet service providers (ISPs) offer firewall software with DSL or cable modem setup.) Once firewall software is installed, it is important to regularly update it by going to the vendor's web site.
- Because new computer viruses are introduced every week, home users and small businesses should regularly ensure that they are running an up-to-date "antivirus system." (Some antivirus vendors offer automatic updates online. Some Internet service providers scan all incoming email for viruses before the email gets to the user's computer.)
- Because new viruses often come as email, home users should use caution when opening email from unknown senders, particularly those with attachments. To reduce the number of unknown senders, home users should consider using software that controls unsolicited advertisements, called "spam." (Some ISPs offer programs to block spam. Some ISPs also offer to block all incoming email except from those friends and associates that the user selects.)
- Home users should also regularly update their personal computers' operating systems and major applications for security enhancements by going to the vendors' web sites or by ensuring that updates are happening online.
- ISPs, antivirus software companies, and operating system/application software developers should consider joint efforts to make it easier for the home user and small business to obtain security software and updates automatically and in a timely manner, including warning messages to home users about updates and new software patches.
Large Firm A.C.T.I.O.N.S. and Best Practices
Large firms and enterprise businesses are classified as Level 2 users in the Strategy. Because large organizations typically have complex, multi-user information systems, maintaining security can be achieved through a range of voluntary initiatives, including:
- Raising the level of responsibility for secure systems;
- Creating corporate security councils for cybersecurity, where appropriate;
- Addressing the challenges of the borderless network, mainframe security, instant messaging and other technologies; and
- Implementing A.C.T.I.O.N.S. (defined below) and best practices.
A.C.T.I.O.N.S. stands for:
- Authentication: Implement processes and procedures to authenticate, or verify, the users of the network. This may include techniques such as PKI using smart cards, secure tokens, biometrics, or a combination of efforts.
- Configuration management: Plan enterprise architecture and deployment with security in mind. Manage configurations to know exactly what hardware, operating systems and software are in use, including specific versions and patches applied; create robust access and software change controls; segregate responsibilities; implement best practices; and do not use default security settings.
- Training: Train all employees on the need for IT security and ensure that security is factored into developing business operations. Foster an enterprise culture of safety and security.
- Incident response: Develop an enterprise capability for responding to incidents, mitigating damage, recovering systems, investigating and capturing forensic evidence, and working with law enforcement.
- Organization network: Organize enterprise security management, IT management, and risk management functions to promote efficient exchange of information and leverage corporate knowledge.
- Network management: Create a regular process to assess, remediate, and monitor the vulnerabilities of the network; consider developing automated processes for vulnerability reporting, patching, and detecting insider threats. Internal and external IT security audits can also supplement these efforts.
- Smart procurement: Ensure that security is embedded in the business operations and the systems that support them. Embedding security is easier than "bolting it on" after the fact.
The National Strategy to Secure Cyberspace holds that the most effective cybersecurity is layered, where each network and each computer is secured with several different types of protection. Legal professionals who use networked information systems and the Internet in their practices should review their security policies in light of the Strategy's recommendations. Easily compromised forms of Internet communication, like AOL Instant Messaging, should be avoided altogether as a means to communicate with clients. There are times, in fact, when an old-fashioned face-to-face meeting is the best practice.