Government unveils cybersecurity plan

The Bush administration's plan outlines a mainly hands-off approach to securing cyberspace, giving primary responsibility for security to individuals and corporations.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos covers viruses, worms and other security threats.

PALO ALTO, Calif.--Sounding a call for all companies and individuals to secure their piece of the Internet, the White House unveiled its long-awaited cybersecurity strategy at Stanford University on Wednesday.

Speaking to a crowd made up of information technology CEOs, the media and representatives of the nation's "critical infrastructure" assets, Richard Clarke, the president's special adviser for cybersecurity, called for private industry to work with the government to toughen the nation's defenses against cyberattack.

"We rely on cyberspace, and it is not yet secure," Clarke said. "We know the vulnerabilities, and we know the solutions. Let us all work together."

The Bush administration's plan, a 64-page document called the "National Strategy to Secure Cyberspace," outlines a mainly hands-off approach to securing cyberspace, giving primary responsibility for Internet security to individuals and corporations, rather than the government.

For example, the plan calls for ISPs (Internet service providers), computer hardware and software makers, computer emergency response teams, and the Information Sharing and Analysis Centers (ISACs) to set up a Cyberspace Network Operations Center. Whether it is set up as a physical center or a virtual information system, the Cyberspace NOC will be charged with keeping the Internet healthy.

In addition, the plan calls for law enforcement and national security agencies to create a system to detect a cyberattack leveled against the nation. In the past, a Federal Intrusion Detection Network (FIDNet) was proposed but raised fears that privacy might be compromised.

The plan supplements the nation's strategies for homeland defense and national security.

The "National Strategy to Secure Cyberspace" uses the definition of "critical infrastructure" contained in the USA Patriot Act, which describes these as "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of (them) would have a debilitating impact on security, national economic security, public health or safety, or any combination of those matters." Examples include software infrastructure such as Microsoft Windows and a particular 30,000 miles of railway line.

With nearly 85 percent of such critical infrastructure owned and operated by private industry, Clarke has repeatedly talked about the task of securing cyberspace as requiring a public-private partnership.

"The government cannot dictate. The government cannot mandate. The government cannot alone secure cyberspace," he said at the event.

Work in progress
Originally, the Bush administration had hoped to release a final version of the plan by Sept. 18. However, the final document carries the words "Draft" and "For Comment," the remnants of ongoing negotiations between some companies--which have reportedly complained about onerous security measures that previous drafts had required--and the government.

Yet the need for industry cooperation seems to have caused the plan to become more of an educational tool than a policy blueprint.

The decision to release the draft didn't come as a surprise. Clarke has repeatedly called the national strategy a "process." The introduction to the National Strategy document reiterates the idea: "The Strategy is not written in stone," read the draft released Wednesday. "The President's Critical Infrastructure Protection Board (PCIPB) plans to periodically issue, online, new releases of the strategy as it evolves."

While officials at the event disputed claims that the plan has backed off from many prescriptions at the behest of industry, a few of the plan's recommendations fall short of previous comments by Clarke.

Two months ago, Clarke lambasted the lack of security in wireless LANs (local area networks) as a major vulnerability in the nation's Internet infrastructure, but in the draft released Wednesday, the plan recommends only that federal agencies "be mindful of the security risks when using wireless technologies."

President Bush appointed Clarke in October 2001 as the lead coordinator for the administration's Internet security efforts. Clarke had served as National Coordinator for Security, Infrastructure Protection, and Counter-terrorism during the Clinton administration from May 1998.

As part of Clarke's investiture, President Bush also signed Executive Order 13231, authorizing a program for the continuous protection of critical infrastructure.

To showcase the progress made so far toward organizing the government and industry's response to cyberattack, the government brought out the 11 leaders of the information sharing and analysis centers (ISACs) for each critical infrastructure. Such infrastructures include electricity, oil and gas, surface transportation and information technology.

The directors of both the FBI and the Secret Service also spoke about the need to secure the nation's infrastructure. They pointed out that Sept. 18 is not the anniversary of the terrorist attacks on the World Trade Center and the Pentagon but the anniversary of the economically painful Nimda virus.

Robert Mueller, director of the FBI, said that the virus attack is an indication of what may come if efforts aren't made to secure cyberspace.

"Computer networks do more than connect systems; they run the business of our daily lives," he said. "Entrepreneurs and engineers aren't the only ones that recognize the potential of the Internet; criminals do as well."

To that end, the directors announced that their agencies would be working more closely together, by sharing information and by having the FBI take more of a role in the Electronic Crimes Task Force, a quarterly meeting held in various U.S. cities to help train local computer security personnel.

Howard Schmidt, vice chairman of the President's Critical Infrastructure Protection Board, also announced the creation of the National Infrastructure Advisory Council, a group of industry leaders that will advise the CIPB on security issues. Executives from 40 companies, including Intel, Symantec, Akamai Technologies, Nasdaq, American Airlines, eBay and Pfizer Global, will have a seat on the council.

Industry plaudits
In statements sent to reporters on Wednesday afternoon, tech companies expressed general support for the White House strategy.

"This plan recognizes that everyone who uses a computer has a role and a stake in securing the networks that drive nearly every aspect of our daily lives and the world's economy," said Robert Holleyman, president of the , which represents large software companies like Adobe Systems, Apple Computer and Microsoft. "It also recognizes the need to give everyone a voice in developing the very complex solutions."

said the strategy was timely. "Today marked a significant step in our nation's efforts to establish enhanced Internet security," said Bill Conner, the company's chairman and CEO. "The White House Strategy underscores the serious nature that cybersecurity threats pose, not only to our critical infrastructures, but ultimately to our economy and our citizens. More importantly, today's demonstration represents a critical step within the federal government to secure cross-agency information sharing."

CEO Stratton Sclavos called it a good start. "The Bush administration has laid out the beginnings of a comprehensive plan for government, industry and citizens to work together in an unparalleled manner to ensure that the digital commerce and communications we rely on every day can be trusted," Sclavos said. "The White House has set the direction--now it is time for industry leaders, policymakers, concerned groups and individuals to work together to ensure that progress is made."

CSIS, a hawkish think tank in Washington with close ties to the military, called the report flawed because it did not demand new laws or regulations aimed at Internet companies. CSIS is headed by John Hamre, defense secretary under President Clinton, who spent years warning of "the future electronic Pearl Harbor that might happen to the United States" if extreme measures were not taken.

"Cybersecurity is too tough a problem for a solely voluntary approach to fix," said James Lewis, director of the CSIS Council on Technology and Public Policy. "Companies will only change their behavior when there are both market forces and legislation that cover security failures. Until the U.S. has more than just voluntary solutions, we'll continue to see slow progress in improving cybersecurity."

CSIS analyst de Borchgrave, a former editor-in-chief of the Washington Times and United Press International, warned that a "cyberattack" was just around the corner.

"It is later than we think. The next generation of transnational terrorists understands that a hand on a mouse can be more lethal than a finger on the trigger," said de Borchgrave, who co-authored a that concluded: "Cyberattacks now arise whenever disputes occur anywhere in the world...Can cyberterrorism and cyberwar be far behind?"

News.com's Declan McCullagh contributed to this report.