Homeland Security's vague cyber plan
Even though the term appears 148 times in a new report, it's not clear what the Bush administration is planning.
In its 175-page draft of the National Infrastructure Protection Plan (PDF), or NIPP, the department outlines a broad framework for protecting the nation's "critical infrastructure" and "key assets"--bureaucratic argot referring to everything from the power grid to dams to computer systems.
President Bush first commissioned the plan in December 2003, and the Department of Homeland Security released an early version in February. According to a notice announcing the document's availability, the latest version aims to provide greater detail.
The term "cybersecurity" appears 148 times the draft, and a 16-page appendix devoted to the topic offers some suggestions for threat analysis, response readiness and training.
But the rest is worded in terms of generalities. The plan asserts that cybersecurity responsibilities should ultimately lie with the Department of Homeland Security but also calls on state and local governments to come up with information security measures and to be aware of vulnerabilities in their systems. The report charges academia and research institutions with devising "best practices" for IT security and the private sector with ensuring that it is "satisfying cyberprotection standards."
The document suggests that work should be done through a "sector partnership model"--that is, informal advisory bodies composed of private-sector and governmental representatives from the same subject area. It proposes several lists of general actions that various sectors should take (for example, "set sector-specific security goals") and allocates deadlines from the adoption of the plan to accomplish them (in that particular case, 90 days).
The recommendations are often vague. For example, the suggestion that the Department of Homeland Security should lead and develop a "national cybersecurity exercise" to simulate responses to an attack is listed as an "ongoing" project with no deadline. And under a category referring to the steps the government should take to deal with "privacy and constitutional freedoms," the department lists no suggested actions.
"It strengthens the linkages between physical and cyber efforts, but the base plan itself is not intended to provide a detailed protection plan for each critical sector," Kirk Whitworth, a Homeland Security spokesman, said in an e-mail interview. "That is going to come with the sector-specific plans, six months after the NIPP is signed early next year."
The agency plans to accept comments on the proposal through Dec. 5.