Deadline Nears for White House IT Security Plan


Monday is the deadline for individuals and businesses to submit comments on the White House's draft version of the National Strategy for Securing Cyber Security. Written by a White House panel headed by Bush cyber security advisor Richard A. Clarke, the plan proposes that businesses and private citizens, not the government, become protectors of the Internet.

The "recommendations, strategic goals, programs, discussion items and guidance" are aimed at five levels: the home user and small business; large enterprise; sectors of the economy; national issues; and global issues.

Since unveiling the plan in September, Clarke and his team held a series of town hall meetings throughout the country to promote the initiative and seek public comment.

The 65-page proposed plan incorporates more than 60 separate things that people can do to better protect themselves against online attack, such as changing passwords periodically and using firewalls and virus security software.

"We've never done it in this way before," Clarke told a gathering of wireless executives in Washington last week. "We (the government) don't own cyber space and we don't regulate it. This is all a part of the process to get people and the various private sectors to think about how to secure the Internet."

"If we just come up with a government strategy and announce it without participation from the people who have to implement it, we aren't going to get the level of cooperation and buy-in we need," Clarke said when introducing the plan.

Companies such as AOL, VeriSign and Symantec Corp. have embraced the proposal.

"There is no perfect plan to assure absolute information security, just as there is no strategy short of grounding the nation's air fleet to assure absolute airport security," Information Technology Association of America (ITAA) President Harris Miller has said.

Notably absent from the plan's supporters has been Microsoft, whose software continues to be at the center of the majority of cyber attacks. Clarke said his office was relieved that the company admitted it had a problem and seemed to be taking steps to correct itself.

"I've been tough on Microsoft," said Clarke. "Recently, they issued a 30-day stand down and went back and looked back at their code. Mr. Gates has said point blank that security is job one at his company. They've also been advocating their Palladium initiative as a better solution. While I can't say that I've seen it, it strikes us as something that is helping solve the problem."

Clarke's much-ballyhooed September event was originally meant to be the culmination of almost a year of work by the President's Critical Infrastructure Protection Board, but the panel instead decided to issue its recommendations for a 60-day public comment period.

It's certainly not the first time the panel changed its mind. Throughout the summer, the White House leaked various trial balloons of the plan and then floated new versions of its proposals in response to the feedback.

Internetnews.com and other media outlets reported the plan would call for an exemption to the Freedom of Information Act that would allow private corporations to share certain vital information with the government, the appointment of a privacy czar, the establishment of an Internet fund financed by the private sector and by tax dollars to improve national computer security, and restrictions on government use of emerging wireless networks.

Clarke released a broad preview of the plan in July during a keynote address at the annual Black Hat Conference of Information Technology Professionals in Las Vegas, saying the White House would urge more rigorous software development practices, including input from users to disclose vulnerabilities. He said the government is already urging "white hat" hackers to search for security flaws in software, but also wants them to pass information about those flaws only to software vendors and the government, not to the rest of the security community as is common practice today.

Clarke also said the White House would call upon wireless LAN developers to assume a greater responsibility to create more easily securable systems for the notoriously unsecure networks. In addition, the administration hopes to apply economic pressure on the wireless LAN industry by urging users to boycott systems that have known security vulnerabilities.

For its part in assuming a leadership role in developing a more secure Internet, Clarke said the White House will mandate that federal agencies use the security products it is encouraging the IT industry to develop, claiming he will recommend massive replacements or upgrades of government systems if developers produce demonstrably more secure products.

Paramount to the White House is for the plan to rally both the private sector and consumers to voluntary compliance. Since the Homeland Security legislation has been almost a year in the making and is still being debated in Congress, requiring no new legislation is an important consideration, given that approximately 85 percent of the nation's IT infrastructure is in private hands.

Even more sobering, a recent Business Software Alliance (BSA) survey of more than 600 IT professionals found that 60 percent of those surveyed who are directly responsible for their company's network security believe U.S. businesses are at risk for a major cyber attack in the next 12 months.

The BSA survey concluded that U.S. businesses remain ill-prepared to defend themselves despite increased attention to network security.
