
Feds Draft National Strategy to Secure Cyberspace

Government declines to create protective laws, saying security should be a shared and voluntary act by all involved.

Joris Evers, IDG News Service


The Bush administration's plan to secure cyberspace sees a leading role for the U.S. government and calls upon all users to take action, but does not force action through increased regulation, according to a draft of the plan published late Tuesday.

All users should take responsibility to "protect the parts of cyberspace on which they rely," to create a "secure, trusted, robust, reliable, and available infrastructure" that will support the U.S. economy, national security, and critical services for the foreseeable future, reads the draft of the National Strategy to Secure Cyberspace.

The strategy is not meant to be a static document when it is finally done, but will be "dynamic and continually refreshed" to adapt to the changing environment, according to Richard Clarke, the President's special adviser for cyberspace security, in a letter accompanying the draft strategy.

Securing cyberspace is a shared but voluntary effort; the U.S. government won't craft laws to force private companies to act, according to the draft of the strategy. However, the government could turn to regulation "in the face of material failure of the market to protect the health, safety, or wellbeing of the American people," according to the document.

Making Recommendations

The 65-page draft document, scheduled to be officially presented at Stanford University later Wednesday by Richard Clarke, the President's special adviser for cyberspace security, lists recommendations for several audiences, including home and small business users, large enterprises, and government and educational users.

Federal cyberspace security has to be a model for the nation, according to the document. The government should, among other measures, lead in the adoption of secure network protocols, possibly certify IT vendors, expand use of security assessment and policy tools, and consider a security and contingency preparedness exercise, according to the document drafted by the President's Critical Infrastructure Protection Board, chaired by Clarke.

The recommendations for common users seem like no-brainers: install security software, be on guard when opening e-mail, apply security patches, and use a tough password.

Other suggestions aren't as obvious. Publicly traded companies, for example, are asked to consider publishing independently audited security reports, much like earnings are reported, because cybersecurity is "an integral part of a company's operations."

Furthermore, enterprises are advised to form corporate security councils, regularly review and exercise business continuity plans, and use multiple vendors to reduce risk.

Scrapped from the current draft strategy are earlier revealed plans for a cybersecurity fund that companies would have to contribute to, tight restrictions on government use of 802.11b wireless LAN, and mandatory firewall software for always-on Internet connections.

Colleges and universities, which in the past have been a hotbed for cyberattacks, should establish a 24-hour contact for Internet service providers and law enforcement in the event that a school network is involved in an attack.

Power plants, water-treatment facilities and other utilities should closely examine the risks of connecting their systems to the Internet and take action, such as implementing secure authentication within two years, the plan advises.

Sharing Information

Overall, information exchange is seen as key. The President's Critical Infrastructure Protection Board, which drafted the document, advises the creation of a Cyberspace Network Operations Center (Cyberspace NOC). This new organization should include the IT industry, computer emergency response teams, and the information sharing and analysis centers that large enterprises should establish.

To help the effort, the public needs to be better informed by both government and the industry, according to the draft strategy. It recommends that the software industry, for example, should promote security features in software, and establish a clearinghouse for more effective delivery of security patches. Also, the risks of using wireless technologies, especially 802.11b wireless LAN, should be clearly explained, according to the document. Government agencies can use WLAN, but should continuously check for unauthorized connections to their network and use all available risk reduction measures, according to the document.

U.S. states should create or expand Cyber Corps scholarship-for-service programs to get more IT security experts in government service. And the federal government should review the training level of law enforcement officials working the cybercrime beat.

The Critical Infrastructure Protection Board recognizes that securing a network does not mean it can never succumb to an attack. Securing a network should instead make it resilient and difficult to permanently disable.

In January 2001, the Bush administration began a review of the role of information systems and cybersecurity. Clarke was subsequently appointed by U.S. President George W. Bush in October to coordinate the administration's Internet security efforts. The appointment came in the wake of the September 11 attacks and after the Code Red and Nimda worms caused headaches for many system administrators by successfully attacking many Internet-connected computers.

The plan is the product of extensive collaboration between the U.S. federal government, security experts, and industry leaders and has been taking shape over the past year. Comments on the draft document are welcomed.
