National Strategy to Secure Cyberspace. Finally read this over the weekend. One glaring hole I saw was the lack of treatment of vendors of cyberspace equipment as a class separate from enterprises/businesses.
A motivating example: I have, on my Windows XP system, software and hardware created by the following vendors: Microsoft Corp, Award Software, Intel, ATI, Creative, Voxware, DSP Group, Sipro Lab Telecom, Fraunhofer Institut, Radius, Toshiba, HP, Buslogic, SCM Microsystems, Lotus, Adobe, AOL, Macromedia. These are just the vendors I could identify. This is just the software and hardware that comes on the PC as I bought it.
Additionally I have installed software (sometimes downloaded, sometimes purchased at retail) from the following vendors: Microsoft, Symantec, PersonalBrain, Xteq, Panterasoft, Lavasoft, RIM, Caesius, tamosoft, EasyDesk, Macromedia, Paramind, Apple, Dummysoftware, Winzip, Alkonost, Izymail, Groove. And probably two dozen more that I have uninstalled and no longer have a memory of.
In each of these cases, the corporations that created the software may or may not be located in the US, and if outside the US, may be located in countries whose interests are not aligned with those of the US. Even if located in the US, the companies may very well use foreign development offices, or may subcontract development to organizations located in other countries.
How are we ensuring that all this software and hardware is performing the functions it is intended to perform, and doesn't include some functionality hidden away to be accessed illicitly by some third party? Is there any inspection of this technology before it is made available in our markets? Who is doing the inspecting, and do they have adequate access to source code and source design documents? Once inspected, how do we know that changes aren't made by vendors? Is there any digital signing of executable content to permit detection of changes later?
There are a ton of issues here. Not at all sure what I think the right strategy is. But this is a hole you can drive a truck through.