STANFORD, CALIFORNIA -- The Bush administration's initiative to make
cyberspace safe will affect everyone from SOHO workers to the largest
enterprises and governmental agencies, according to the officials behind the
plan.
Public comment is being solicited on a 65-page draft plan of a National
Strategy to Secure Cyberspace, presented
here at Stanford University by Richard Clarke, who chairs the President's
Critical Infrastructure Protection Board. Also on hand were members of that
board, which draws from private industry--including tech companies--and
government agencies.
Although the Bush Administration took a year after the September 11
terrorist attacks to develop and release its national cybersecurity proposal,
the board is
asking members of the public to comment on its work within 60 days. Also, the
board will directly solicit public comment at eight town hall meetings around
the country scheduled to be held before the end of the year.
The draft plan describes the challenges and recommends action by a broad
sweep of people, from home PC users to
nations. Sections address security concerns of end users, corporate
enterprises, government agencies, higher education, and global
organizations.
Shared Duties
"The Internet is operated and secured by private agencies, so we need
you to design the national strategy and implement the national strategy,"
Clarke said, addressing individual Internet users as well as the industries
represented at the introduction. He and other board members repeatedly
emphasized that the plan, even when final, is intended as a strategy of
guidelines and recommendations, and will not be imposed by legislation or
executive order.
"The government cannot alone secure cyberspace," Clarke added. Everyone
should look at their "own part of cyberspace and ask, 'what can I do?'"
The ongoing organization working on the strategy is the National
Infrastructure Advisory Board, composed of about two dozen members from
industry as well as public officials. Technology participants include John
Thompson, chair and chief executive officer of Symantec, and Craig Barrett,
Intel's CEO. A number of Silicon Valley companies also contributed suggestions
to the plan and are expected to work with the government to implement some of
the eventual suggestions.
Although not represented at the presentation, Microsoft helped develop
the draft plan, Clarke said. "I think they've been extremely supportive," he
said of the company, pointing to chair Bill Gates' recent public comments
emphasizing software security and reliability.
Scrutiny Begins
Some privacy advocates are concerned that the draft plan only touches on
privacy issues. The plan urges industry and government agencies to have chief
privacy officers to assist with security measures, and notes that the strategy
"must be consistent with the core values of [the nation's] open and democratic
society." Privacy principles are noted in several sections, and the plan says
that users should be clearly informed of privacy policies.
"There's nothing strange or revolutionary or unusual about what's
introduced here," said Ari Schwartz, associate director of the
Center for Democracy and Technology.
Chris Hoofnagle, legislative counsel for the Electronic Privacy Information
Center, said the recommendations are a good start. "This version of
the report doesn't make a frontal attack on civil liberties," Hoofnagle
added.
Still, the groups remain hesitant to endorse Bush's plan. The Electronic
Frontier Foundation, which commented on an earlier draft, said it's
still too vague.
"It's really unclear how much this helps and what kind of signal it is
sending to private industry," said Lee Tien, EFF senior staff attorney. EFF is
disappointed that today's draft does not endorse a cyberprivacy czar, as the
group suggested, Tien said. EFF will likely submit additional comments along
with other privacy groups.
Already At Work
Many of the draft plan's recommendations are already in the works,
participants say. For example, the section on government includes guidelines
for federal agencies to apply new security measures, which include improved
password protection, better oversight for security procedures, cooperative
backup plans for system failures, and more. The Bush administration has asked
for $4.5 billion in funds to secure federal computer network systems, said
Howard Schmidt, vice chair of the board.
"Because of the plan, we are all working together under a national
strategy," said Thomas Noonan, CEO of Internet Security Systems, and another
NIAC member. "We've been focusing on this from a business strategy viewpoint,
but the plan has five levels, across industries and governmental levels. This
is just the beginning of that cooperative effort."
The presentation itself provided a forum for executives in major U.S.
industries and an international representative to describe what security,
backup, and crisis management plans they have implemented, as well as some in
the works.
Among their comments:
The Secret Service has created a nationwide network of law enforcement
agencies through the electronic crimes task force ordered under the USA
Patriot Act, noted Brian Stafford, director of the U.S. Secret Service.
Insider security breaches are a major concern to network security, Stafford
said. He also urged customers to report software flaws to the vendor, "not
announce it to the world."
The FBI is also assembling a cybersecurity
task force that stretches across law enforcement agencies. "Federal government
cannot by itself secure [private] networks, and certainly it should not dictate
how families, small businesses, and individuals protect themselves," said
Robert Mueller, FBI director. "But the more weak links in the chain, the more
vulnerable we all are."
America Online, as part of its work with Stay Safe Online/Home, a shared
public and private venture of the
National Cyber Security Alliance, is launching a media campaign this fall
suggesting "how to be a cybersecure citizen," said Tatiana Gau, an AOL
executive. Home users' responsibilities are as basic as regularly updating
their antivirus software's data files, she said. "Computer security checks
should be as routine as checking the locks on your door or the brakes on your
car."
"We need to develop a culture of security online," not unlike
teaching children to look both ways before we cross the street, said Orson
Swindle, an FTC commissioner. "In our schools, we're teaching kids about
computers; I'm not sure we're teaching them about security."
Educause, a cooperative of more than 4000 public and private institutions
nationwide, is already drafting a cybersecurity plan for higher education, said
Mark Luker, vice president of the organization. Use of the Internet for
research functions makes security an ongoing concern, he noted. The draft plan
[and cooperative forums] "gives us a place to communicate, a reason to do it
now and not next week, and helps us to get our own task force energized."
Margaret Purdy, associate deputy minister of the Canadian Department of
National Defense, noted that the countries share much critical infrastructure,
from railways and roads to networks. "No country can address cybersecurity
threats alone. The Internet is borderless," she said.
Shared Efforts
Most of the presenters emphasized cooperative efforts across industries
and agencies.
Because 80 percent of the Internet infrastructure is
privately maintained, "collaboration, not confrontation, is an essential
ingredient" in cybersecurity, said Kenneth Juster, U.S. undersecretary of
commerce. "Leadership must come from the government and corporate America as
well as academic leaders."
Kenneth Watson, manager of Cisco's critical infrastructure assurance group,
pointed to an existing cooperative across industries, the Partnership for
Critical Infrastructure Security. The organization, founded in 1999,
unites dozens of companies and federal agencies for cooperation on
infrastructure services, and has found a new mission in dealing with emerging
risks, he noted. The organization is mentioned in the draft plan as an example
of cooperation among public and private organizations.
State government is the single largest user of information technology within the
country, said Matt DeZee, representing the National Association of State Chief
Information Officers. Last fall, the group held a forum on cybersecurity and is
calling on private sector CIOs to address various security concerns (such as
clamping down on violations), to share ideas and resources when appropriate,
and to implement security in new technology such as wireless LANs.
Nearly one out of every fourteen people in the United States has a job
related to information technology, noted Harris Miller, representing the
Information Technology Association of America. "There is no silver bullet
solution; protecting our infrastructure is a collective responsibility," he
said. "This is going to be a long campaign." He also noted that the IT industry
strongly supports the plan's voluntary nature: "We're not looking for big government
subsidies to solve this problem. We think government should spend money on its
own systems because they are vulnerable. But we don't expect handouts."
Dennis Eyre, CEO of the Western Electricity Coordinating Council, cited the
cooperation already implemented through the North American Electric Reliability
Council, formed after the New York power outage more than a decade ago. Already
in place are systems to share reports of threats, problem alerts, and
communications, and the organization is scrutinizing its computing systems in
particular, with attention to their security and access via the Internet.
"Common sense approaches to protect systems" are key, said Jim McDonnell,
representing the U.S. Department of Energy. He said he hopes the draft document
"will raise awareness of our country's vulnerability."
Bank of America is working with the Treasury Department on security and
reevaluating its own
infrastructure protection, said Rhonda MacLean, a senior vice president.
Financial services have long recognized the need for industry cooperation, she
added, pointing to the 1999 founding of the Financial Services Information
Sharing and Analysis Center, which disseminates alerts about security threats
such as viruses.
Addressing potential threats
Water agencies across the country are reassessing
the security of access to their automated systems, said Diane VanDe Hei,
representing the Association of Metropolitan Water Agencies. "While the
physical threats to our water systems are apparent...our automated systems
could be susceptible to intrusion, causing threats to water quality," VanDe Hei
said.
Law enforcement agencies have established a forum for sharing
information through the Emergency Law Enforcement Services, said Col. David
Christler of the New York State Police. "Imagine an enemy that could enter
cyberspace and disrupt communications of emergency response organizations," he
said. "Each advancement in electronics becomes a vulnerability."
Railroads are likewise sharing information through a 6-month-old task force
intended to focus on cyberspace issues but dealing also with physical threats,
said Edward Hamberger, CEO of the Association of American Railroads. The co-op
conducts vulnerability analysis and has established an around-the-clock alert
system. "The transportation sector and railroads in particular are vigilant,"
he said.
Cybersecurity is as important as physical security for the
oil and gas industry, said Bobby Gillham, manager of global security for
Conoco. "We are highly depending on electronic commerce, especially with our
global customers," Gillham said. "Many of our operations are managed by
automated control systems," sometimes accessed over the Internet. A trade
organization had completed a vulnerability study just months before last
September's attacks, and the threat continues to be assessed.
The chemical industry has also already implemented new safeguards for its online
transactions, said David Kepler, a Dow vice president, representing the
chemical industry on the board.
Stephen Chiger contributed to this report.