National Cybersecurity Plan to Debut

The Bush administration is presenting Wednesday a draft of its much-anticipated cybersecurity plan, which calls on consumers as well as private industry and government agencies to help secure cyberspace.

The plan, which is the product of extensive collaboration between the U.S. federal government, security experts, and industry leaders, has been taking shape in discussions over the past year. It is intended to provide a comprehensive but flexible plan to secure the nation's private and public technology infrastructure.

Although the plan is strategic, with few details, the Bush administration is apparently calling on individual home and business users of PCs to assist with cybersecurity. Users will be asked to be aware and alert about viruses spread online, as well as simple security measures like firewalls, according to some who have helped craft the strategy. The plan also will have roles for academic institutions and industry, as well as governmental agencies.

Richard Clarke, the President's special adviser for cyberspace security, will present the draft document at Stanford University on Wednesday.

More Comment Sought

The document is being presented in draft form, as opposed to a final version, to allow more time for input on the details of the plan from the private sector, according to a White House spokesperson who requested anonymity. Comments are being requested from members of the National Infrastructure Advisory Council, whose members include high-level representatives from state and local governments as well as the private sector. President George W. Bush is expected to announce his appointments to the NIAC on Wednesday, the spokesperson says.

"Consistent with the participatory process of town meetings and cooperation with the private sector, [the White House] wanted to seek additional comment before releasing the cybersecurity plan," the spokesperson says.

The White House denies that any particular issue or proposal is causing a delay in the release of the final report.

"I don't think it's fair to say that particular aspects of the plan are hanging up the process. It's a fairly comprehensive plan, and [the White House] just wants to make sure that there's opportunity for full input," the White House representative said.

After Clarke's presentation at Stanford, which will include introduction of a "for comment" draft of the plan, the administration will seek feedback from the private sector. A statement from the President's Critical Infrastructure Protection Board says comments will be accepted until November 18. Also, eight town hall meetings are scheduled around the country before the end of the year. Sites of the meeting include Philadelphia, Boston, San Antonio, Pittsburgh, New York, Phoenix, and San Diego.

Ongoing Effort

Despite the government's efforts to solicit input and ideas from the private sector, few details are known about the shape of the administration's plan to protect the nation's technology and information infrastructure.

"We don't have any inkling of what the plan will look like. We're not aware of what's in it," says Steve Trilling, senior director of research at Symantec. The security products vendor submitted ideas to the government, and participates in the National Cyber Security Alliance.

Likewise, representatives of rival security firm Network Associates, as well as other technology companies including Oracle, made suggestions to Clarke's office as the government began its research.

"Richard Clarke, since his appointment as a special adviser to the president for cyberspace security, has been an advocate of industry playing a role in this," says Douglas Sabo, director of government relations at Network Associates. "Within days of his appointment, he came to Silicon Valley."

Unveiling of the National Strategy to Secure Cyberspace at Stanford, in Silicon Valley, may underscore that commitment to a partnership with industry, Sabo adds. He expects industry and academic representatives will be asked to continue to develop the plan.

"This is not meant to be another government publication on how to solve a problem in 500 pages or less," Sabo adds. "It's meant to be a living, breathing document, that will be posted online and constantly updated."

Cooperation Urged

Oracle issued a statement of its support for the plan and ongoing effort, noting that it particularly endorses a new Defense Department policy setting higher standards for security in information technology. The company also indicates it will participate in "more effective, timely information-sharing between private industry and the federal government on cyber threats and vulnerabilities."

The cyberspace security plan and Wednesday's event is an opportunity to shine a light on the problem of securing the nation's technological infrastructure, Symantec's Trilling says.

"This conference is raising awareness and the level of discourse," he says. "It supports the reality that one needs private and public cooperation to make it happen. The plan is clearly a good instance of (that) cooperative effort."

Sabo, of Network Associates, says he expects vendors will work with rivals, partners, and customers to raise awareness of threats to cybersecurity. Some of the work will continue to be done through industry organizations, while other efforts may be more direct.

"Already, the level of partnership with public and private participation is impressive," Sabo says.

Strategy Highlights

A draft of recommendations notes these national priorities:

• Mechanisms of the Internet: Foster the development of secure and robust mechanisms that will enable the Internet to support the nation's needs now and in the future.
  
  
• Digital control systems/supervisory control and data acquisition systems: Facilitate the remote operation and management of energy, communications, transportation, water, and manufacturing, and many other systems.
  
  
• National cyberspace Research and Development agenda: Coordinate technological development to counter threats, reduce vulnerabilities, and foster a resilient, secure cyberspace.
  
  
• Secure emerging systems: Address new vulnerabilities and eliminate, mitigate, or manage their potential risk.
  
  
• Vulnerability remediation: Significantly improve its speed, coverage and effectiveness; in the longer term, reduce vulnerabilities at their source.
  
  
• Information sharing: Increase voluntary sharing of information about cybersecurity among public and private organizations.
  
  
• Cybercrime: Prevent, deter, and significantly reduce cyberattacks.
  
  
• Market forces: Stimulate and leverage market forces to promote and increase cybersecurity.
  
  
• Privacy and civil liberties: Achieve security in cyberspace without infringing on individual privacy and civil liberties.
  
  
• Analysis and warning: Major ISPs, vendors, and other experts in private industry are asked to consider creating a cyberspace network operations center to provide a focal point for identifying Internet attacks.
  
  
• Continuity of operations, reconstitution, and recovery: Develop a national plan for continuity of operations during a widespread outage of technical systems.
  
  
• Interdependency and physical security: Mitigate potential disruptions through linked systems, and stem troubles from spreading across the infrastructure.
  
  
• Global: Work with the international community to ensure integrity of global information networks.
  
  

Peggy Watt of PCWorld.com and Paul Roberts of the IDG News Service contributed to this report.