Uncle Sam Wants You to Defend Cyberspace
National cybersecurity plan unveiled for comment, criticism, suggestions.
Peggy Watt, PCWorld.com
STANFORD, CALIFORNIA -- The Bush administration's initiative to make cyberspace safe will affect everyone from SOHO workers to the largest enterprises and governmental agencies, according to the officials behind the plan.
Public comment is being solicited on a 65-page draft plan of a National Strategy to Secure Cyberspace, presented here at Stanford University by Richard Clarke, who chairs the President's Critical Infrastructure Protection Board. Also on hand were members of that board, which draws from private industry--including tech companies--and government agencies.
Although the Bush Administration took a year after the September 11 terrorist attacks to develop and release its national cybersecurity proposal, the board is asking members of the public to comment on its work within 60 days. Also, the board will directly solicit public comment at eight town hall meetings around the country scheduled to be held before the end of the year.
The draft plan describes the challenges and recommends action by a broad sweep of people, from home PC users to nations. Sections address security concerns of end users, corporate enterprises, government agencies, higher education, and global organizations.
Shared Duties
"The Internet is operated and secured by private agencies, so we need you to design the national strategy and implement the national strategy," Clarke said, addressing individual Internet users as well as the industries represented at the introduction. He and other board members repeatedly emphasized that the plan, even when final, is intended as a strategy of guidelines and recommendations, and will not be imposed by legislation or executive order.
"The government cannot alone secure cyberspace," Clarke added. Everyone should look at their "own part of cyberspace and ask, 'what can I do?'"
The ongoing organization working on the strategy is the National Infrastructure Advisory Board, composed of about two dozen members from industry as well as public officials. Technology participants include John Thompson, chair and chief executive officer of Symantec, and Craig Barrett, Intel's CEO. A number of Silicon Valley companies also contributed suggestions to the plan and are expected to work with the government to implement some of the eventual suggestions.
Although not represented at the presentation, Microsoft helped develop the draft plan, Clarke said. "I think they've been extremely supportive," he said of the company, pointing to chair Bill Gates' recent public comments emphasizing software security and reliability.
Scrutiny Begins
Some privacy advocates are concerned that the draft plan only touches on privacy issues. The plan urges industry and government agencies to have chief privacy officers to assist with security measures, and notes that the strategy "must be consistent with the core values of [the nation's] open and democratic society." Privacy principles are noted in several sections, and the plan says that users should be clearly informed of privacy policies.
"There's nothing strange or revolutionary or unusual about what's introduced here," said Ari Schwartz, associate director of the Center for Democracy and Technology.
Chris Hoofnagle, legislative counsel for the Electronic Privacy Information Center, said recommendations are a good start. "This version of the report doesn't make a frontal attack on civil liberties," Hoofnagle added.
Still, the groups remain hesitant to endorse Bush's plan. The Electronic Frontier Foundation, which commented on an earlier draft, said it's still too vague.
"It's really unclear how much this helps and what kind of signal it is sending to private industry," said Lee Tien, EFF senior staff attorney. EFF is disappointed that today's draft does not endorse a cyberprivacy czar, as the group suggested, Tien said. EFF will likely submit additional comments along with other privacy groups.
Already At Work
Many of the draft plan's recommendations are already in the works, participants say. For example, the section on government includes guidelines for federal agencies to apply new security measures, which include improved password protection, better oversight for security procedures, cooperative backup plans for system failures, and more. The Bush administration has asked for $4.5 billion in funds to secure federal computer network systems, said Howard Schmidt, vice chair of the board.
"Because of the plan, we are all working together under a national strategy," said Thomas Noonan, CEO of Internet Security Systems, and another NIAC member. "We've been focusing on this from a business strategy viewpoint, but the plan has five levels, across industries and governmental levels. This is just the beginning of that cooperative effort."
The presentation itself provided a forum for executives in major U.S. industries and an international representative to describe what security, backup, and crisis management plans they have implemented, as well as some in the works.
Among their comments:
- The Secret Service has created a nationwide network of law enforcement agencies through the electronic crimes task force ordered under the USA Patriot Act, noted Brian Stafford, director of the U.S. Secret Service. Insider security breaches are a major concern to network security, Stafford said. He also urged customers to report software flaws to the vendor, "not announce it to the world."
- The FBI is also assembling a cybersecurity task force that stretches across law enforcement agencies. "Federal government cannot by itself secure [private] networks, and certainly it should not dictate how families, small businesses, and individuals protect themselves," said Robert Mueller, FBI director. "But the more weak links in the chain, the more vulnerable we all are."
- America Online, as part of its work with Stay Safe Online/Home, a shared public and private venture of the National Cyber Security Alliance, is launching a media campaign this fall suggesting "how to be a cybersecure citizen," said Tatiana Gau, an AOL executive. Home users' responsibilities are as basic as regularly updating their antivirus software's data files, she said. "Computer security checks should be as routine as checking the locks on your door or the brakes on your car."
- "We need to develop a culture of security online," not unlike teaching children to look both ways before we cross the street, said Orson Swindle, an FTC commissioner. "In our schools, we're teaching kids about computers; I'm not sure we're teaching them about security."
- Educause, a cooperative of more than 4000 public and private institutions nationwide, is already drafting a cybersecurity plan for higher education, said Mark Luker, vice president of the organization. Use of the Internet for research functions makes security an ongoing concern, he noted. The draft plan [and cooperative forums] "gives us a place to communicate, a reason to do it now and not next week, and helps us to get our own task force energized."
- Margaret Purdy, associate deputy minister of the Canadian Department of National Defense, noted that the countries share much critical infrastructure, from railways and roads to networks. "No country can address cybersecurity threats alone. The Internet is borderless," she said.
Shared Efforts
Most of the presenters emphasized cooperative efforts across industries and agencies.
- Because 80 percent of the Internet infrastructure is privately maintained, "collaboration, not confrontation, is an essential ingredient" in cybersecurity, said Kenneth Juster, U.S. undersecretary of commerce. "Leadership must come from the government and corporate America as well as academic leaders."
- Kenneth Watson, manager of Cisco's critical infrastructure assurance group, pointed to an existing cooperative across industries, the Partnership for Critical Infrastructure Security. The organization, founded in 1999, unites dozens of companies and federal agencies for cooperation on infrastructure services, and has found a new mission in dealing with emerging risks, he noted. The organization is mentioned in the draft plan as an example of cooperation among public and private organizations.
- State government is the single largest user of information technology within the country, said Matt DeZee, representing the National Association of State Chief Information Officers. Last fall, the group held a forum on cybersecurity and is calling on private sector CIOs to address various security concerns (such as clamping down on violations), to share ideas and resources when appropriate, and to implement security in new technology such as wireless LANs.
- Nearly one out of every fourteen people in the United States has a job related to information technology, noted Harris Miller, representing the Information Technology Association of America. "There is no silver bullet solution; protecting our infrastructure is a collective responsibility," he said. "This is going to be a long campaign." He also noted that the IT industry strongly supports its voluntary nature: "We're not looking for big government subsidies to solve this problem. We think government should spend money on its own systems because they are vulnerable. But we don't expect handouts."
- Dennis Eyre, CEO of the Western Electricity Coordinating Council, cited the cooperation already implemented through the North American Electric Reliability Council, formed after the New York power outage more than a decade ago. Already in place are systems to share reports of threats, problem alerts, and communications, and the organization is scrutinizing its computing systems in particular, with attention to their security and access via the Internet.
- "Common sense approaches to protect systems" are key, said Jim McDonnell, representing the U.S. Department of Energy. He said he hopes the draft document "will raise awareness of our country's vulnerability."
- Bank of America is working with the Treasury Department on security and reevaluating its own infrastructure protection, said Rhonda MacLean, a senior vice president. Financial services have long recognized the need for industry cooperation, she added, pointing to the 1999 founding of the Financial Services Information Sharing and Analysis Center, which disseminates alerts about security threats such as viruses.
Addressing Potential Threats
- Water agencies across the country are reassessing the security of access to their automated systems, said Diane VanDe Hei, representing the Association of Metropolitan Water Agencies. "While the physical threats to our water systems are apparent...our automated systems could be susceptible to intrusion, causing threats to water quality," VanDe Hei said.
- Law enforcement agencies have established a forum for sharing information through the Emergency Law Enforcement Services, said Col. David Christler of the New York State Police. "Imagine an enemy that could enter cyberspace and disrupt communications of emergency response organizations," he said. "Each advancement in electronics becomes a vulnerability."
- Railroads are likewise sharing information through a 6-month-old task force intended to focus on cyberspace issues but dealing also with physical threats, said Edward Hamberger, CEO of the Association of American Railroads. The co-op conducts vulnerability analysis and has established an around-the-clock alert system. "The transportation sector and railroads in particular are vigilant," he said.
- Cybersecurity is as important as physical security for the oil and gas industry, said Bobby Gillham, manager of global security for Conoco. "We are highly depending on electronic commerce, especially with our global customers," Gillham said. "Many of our operations are managed by automated control systems," sometimes accessed over the Internet. A trade organization had completed a vulnerability study just months before last September's attacks, and the threat continues to be assessed.
- The chemical industry has also already implemented new safeguards for its online transactions, said David Kepler, a Dow vice president, representing the chemical industry on the board.