Issue Of The Week: September 23, 2002
National Cyber Security, Version 2.0
by Bara Vaida
While the Bush administration last week hailed the release of its strategy for protecting cyber security as the first of its kind, there was a previous attempt to craft such an initiative -- by President Clinton in January 2000. And the chief architect of both plans, Richard Clarke, is a self-described civil servant who worried about the vulnerability of computer systems long before most others.

When Clarke, who was the White House national coordinator for security, infrastructure protection and counter terrorism under Clinton, introduced the "National Plan for Information Systems Protection" in 2000, he called it "version 1.0" and stressed that it was open to change based on input from the private sector, which owns most critical infrastructure. Clarke repeated that idea last week when he introduced the "National Strategy to Secure Cyberspace."

The new plan faced criticism from some observers who said such reliance on private-sector input made the plan too weak to effect change within corporate America's computer networks. Two years before, civil liberties groups attacked the first plan for being too strong in giving the government expanded surveillance powers, while last week, at least one civil liberties group largely expressed satisfaction with the 2002 plan.

So while the plan has evolved over the past two-and-a-half years, it continues to please some watchers and not others. Most of the officials involved in the drafting of the 2002 plan, meanwhile, say that it is much more comprehensive than the strategy proposed two years ago.

The Bigger Picture

The two biggest differences between the plans are that the 2000 proposal placed a greater emphasis on what the federal government should do to secure its systems and provided specific timelines for implementing certain policies. It set a goal of May 2003 for overall implementation, while the 2002 plan has no such specific timeline.

The plan introduced last week also emphasizes recommendations for what home users and small businesses can do to protect cyberspace, something absent in 2000. Further, the 2002 plan focuses more on working with international governments on cyber security, an issue that merited only a brief mention two years ago.

"In 2000, the White House released a [strategy] that was an enormous step forward because it recognized the first attempt by any national government to come up with a plan to protect cyberspace," said Ron Dick, director of the FBI's National Infrastructure Protection Center. "But that document was limited to domestic efforts undertaken by the federal government to protect the cyber infrastructure. It did not incorporate the broader concerns or roles the private sector would play to protect [computer networks]. This national strategy is really far more demanding."

In terms of the federal role, the 2000 plan provided the chief information officers and inspectors general of government agencies, and the White House Office of Management and Budget, with specific budgeting goals for computer security. It also called for the creation of the Federal Intrusion Detection Network (FIDNet) in an effort to slow malicious computer intrusions into government agencies. FIDNet proved to be controversial with privacy advocates and is not mentioned in the 2002 plan.

Still, the new strategy recommends that the law enforcement and national security community develop a system to detect cyber attacks and plan for immediate responses. It also recommends that Internet service providers, hardware and software vendors, security-related technology companies, computer-emergency response teams, and industry coordinating groups called information sharing and analysis centers (ISACs) consider establishing a Cyberspace Network Operations Center. The facility would share information and serve as a coordinator to ensure the health and reliability of the Internet in the United States.

The plan also suggests the creation of a federal telecommunications and information systems infrastructure. Clarke suggested the idea last year and called it GovNet -- a term that itself does not appear in the strategy. Neither the idea nor the term was included in the 2000 proposal.

The 2000 plan, furthermore, suggests that civilian agencies protect their infrastructures by developing public-key infrastructure (PKI) technology. No specific technology is mentioned in the 2002 plan. The previous plan outlined a Defense Department strategy that is not included in the new strategy. And the 2002 plan suggests that universities play a role in the national cyber security plan, an idea not present in the 2000 plan.

A New Plan With Familiar Themes

The biggest consistent theme in both plans is the recognition that 85 percent of the nation's critical infrastructure, from computer networks related to electricity grids to the Internet, is owned by the private sector.

"We cannot mandate our goals through government regulation," Clinton wrote at the front of the first report. "Each sector must decide for itself what practices, procedures and standards are necessary for it to protect its key systems."

The 2002 plan utilizes similar language. "To encourage maximum participation by the private sector in this partnership, the U.S. government, to the extent feasible, has sought to avoid outcomes that increase government regulation or expand unfunded government mandates to the private sector ... and would turn to regulation only in the face of a material failure of the market," the strategy states.

In 2000, the Clinton administration was helping the private sector form ISACs to provide a mechanism for the federal government and private sector to share data on computer threats. By 2000, the financial, telecommunications and electricity industries had already created either ISACs or organizations to represent them, such as the North American Electric Reliability Council and the National Security Telecommunications Advisory Committee, but no formal alliances existed in many other sectors. In last week's plan, the role of the ISACs is emphasized, and all sectors have moved to create such sharing environments.

But information sharing remains a problem in 2002. Many businesses have been reluctant to share computer-security information out of fear that it could become public and hurt stock prices. In the 2000 plan, the administration offered to help businesses become more legally comfortable with the idea of sharing the information with the government. The administration sought reforms to the Freedom of Information Act (FOIA), liability and antitrust laws. The 2002 strategy again urges the federal government to identify and remove barriers to public-private information sharing and promote the exchange of cyber-security data.

Both plans also emphasize the growing number of malicious attacks and manipulation of computer-security vulnerabilities, the need for more research and development on computer-security technology, and the need to increase the training of cyber-security specialists.

Michael Aisenberg, director of public policy at Verisign and someone who provided input in the drafting of the 2002 plan, said during the process some ideas were floated and then removed when officials decided that certain recommendations were not needed for the general public.

"Those who say the strategy is watered down or doesn't do enough are missing the point," Aisenberg said. "This is a manifesto for companies like Verisign because it provides every industry and consumers ... with a wake-up call to the importance of security if they want to continue to use the Internet."