
White House preps cybersecurity plan

The White House's cyberspace security plan, scheduled to be released Wednesday, envisions a broad new role for the federal government in maintaining Internet security.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.

While couching many concepts as mere suggestions, a draft of the plan seen by CNET News.com says the government should improve the security of key Internet protocols and spend tens of millions of dollars on centers to recognize and respond to "cyberattacks."

The draft report, however, is still in flux. As of late Monday, one controversial section that appears to have been deleted would have required companies to contribute money to a fund to secure computer networks.

Richard Clarke, President Bush's special adviser for cyberspace security, has said that his office would actively seek more comment on the plan before submitting it to Bush 60 days after the rollout.

The draft, which Clarke prepared, says changes "will be needed" in key Internet protocols and endorses "trustworthy computing" technologies such as Microsoft's proposed system. Also under consideration are a "cyber emergency response plan" that would be activated during Internet crises and a National Cyberspace Academy to "advance research in cybersecurity education."

It says the executive branch should consult with privacy groups and attempt to preserve civil liberties, but concludes that in some cases, privacy could be limited. "Allowing completely anonymous communications on a wide-scale basis, with no possibility of determining the source, could shelter criminal, or even terrorist communications," the draft says.

Because the report is simply a set of recommendations prepared by the Bush administration, there is no compulsion for private firms to follow its recommendations. But because it is backed by the White House during a time of heightened security consciousness, it likely will be taken seriously by legislators when they consider new laws.

In October 2001, in the wake of the Sept. 11 terrorist attacks, President Bush appointed Clarke to coordinate the administration's Internet security efforts.

Harris Miller, president of the Information Technology Association of America, said he believes any remaining disagreements that industry groups have with the White House report will be worked out before Wednesday's scheduled release.

"The issues that we're focusing on are on the margins," Miller said. "There weren't any fundamental concerns...Assuming the final draft is close to the draft we've seen, we generally support it."

Government-crafted protocols
One Internet protocol the draft singles out for criticism is the Border Gateway Protocol (BGP), which is used to exchange routing information among interconnected networks. The report concludes that "changes in BGP will be needed" because of current security vulnerabilities.

Another point of criticism is the Domain Name System (DNS), which translates domain names such as cnet.com into numeric addresses such as 206.16.0.148. "The accuracy of the data in the DNS databases needs to be improved and stronger mechanisms are needed to ensure the authentication of the DNS database along with changes to the database," the report concludes.


The draft suggests that it's time for the federal government to become more involved in the development of Internet protocols, security and standards--a role currently assumed by the Internet Engineering Task Force.

Government, it says, must "conduct research and development for the collective good. This is a role that the government played during the founding of the Internet...The federal government, without regulating or controlling the Internet, should systematically ensure that necessary research and similar activities are conducted to insure the security and reliability of the Internet."

Brad Jansen, an adjunct fellow at the free-market Competitive Enterprise Institute who is familiar with the report, said: "I found it encouraging that the report recognized the importance of training and implementation beyond just grand plans. There are systems within the government's sphere that it should not ignore. But there's little recognition of cost-benefit analysis throughout the report, and much emphasis on how we can spend money."

Future directions
One section, part of the "National Priorities" chapter, is forward-looking. It says that the government should closely monitor progress in quantum computing, intelligent agents and nanotechnology: "For example, the development of intelligent nanodevices could cause massive growth in the numbers of connected devices on the Internet and the locations and uses in which these devices are deployed."

Quantum computing, which could bring systems so powerful that they could render current encryption technologies obsolete, poses a threat as well. "Backup planning for the unexpected--the secret breakthrough by an unfriendly country--should be considered. How would such an advance be used against us? How would we detect if our cryptography is compromised? A watchful eye should also be kept on foreign research."

The White House is also worried about attackers employing intelligent agents, smart computer programs that can search for information or carry out tasks on their own. "Adversaries using agents would have the distinct advantage of being able to attempt many variations on many themes either over a very short period of time, since they can operate at digital speeds, or over an extended period of time without losing focus, since they are computer programs."