The White House Cyberspace Policy Review [PDF] is criticized as lacking specific and dramatic measures. [Gadi Evron, Andrew Storms] and “Recommends Response Over Prevention” (John Pescatore of Gartner). It is true. The study recommends education, further study, and the involvement of private enterprise.
It is a policy. It is not a practice. It is the policy statement of a government. It emphasizes top down support, education and personal responsibility. Specific measures issued by a government are known as “laws.”
The Cyberspace policy lacks preventative measures. What preventative measures would be appropriate for a government to implement? A fire wall? An anti-virus package? Patch management? What measures would we wish a government to take, beyond studying the possible threats, sharing the results of these studies and encouraging the implementation of measures to reduce these threats?
The Cyberspace Security Act of 2009 [PDF] is where you would find measures. A controversial measure is in Sec. 18 (2)
(The President) may declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal government or United States critical infrastructure information system or network;
This is often summarized as “Obama wants to be able to shut down the Internet.” Actually, I would be surprised if one or more departments within the Executive Branch did not already operate under the assumption that it had that power, if necessary. After all, the FTC worked with upstream providers to remove Triple Fiber Network (3FN.net) from the Internet. I would be more concerned about multiple departments assuming such powers without formal guidelines than I would be with recognizing that such measures are sometimes necessary.