Bush Security Chief Lays Out Cyber Security Agenda

The federal government should work with industry, academia, government agencies and other nations to come up with a means of protecting critical infrastructures and punishing those who commit cyber crimes, according to Howard Schmidt, the recently appointed vice chair of the President's Critical Infrastructure Board.

The board, created in the wake of the September 11 attacks, reports to the National Security Advisor and the Director of Homeland Security. This summer, Schmidt says, it will present a plan for protecting critical infrastructures from cyber attack.

That plan will include some form of "early warning system," according to Schmidt, who spoke as part of a panel discussion in a Webcast sponsored by the trade newspaper Network World. He envisions a center that would track security threats such as virus outbreaks in an attempt to predict when a problem is starting to occur.

Such centers already exist in the private sector. SecurityFocus, for example, has a service called the ARIS Threat Management System that is intended to predict when attacks will hit by monitoring events occurring at hundreds of subscriber sites around the world.

Schmidt, the former chief security officer at Microsoft, says the administration favors dealing with security issues by raising awareness rather than creating legislation. "The government role is using the bully pulpit we have to educate and get people energized," he says.

Toward that end, the government intends to work with industry and the academic community to come up with best practices and various programs to ensure security. Schmidt also advocates a service-for-scholarship program, where the government pays for students to become educated in cyber security in exchange for the students using their skills in the public sector for a period of time.

While the panelists agreed that cooperation between the private sector and government is desirable, not all thought it was enough.

"We need some legislation," said Peggy Weigle, CEO of Sanctum, Inc., an application security tool vendor. She noted that legislation such as the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act has succeeded in getting insurance companies and financial institutions, respectively, to focus on security issues. "We need a little bit more of a push along with guidelines to make things happen. It's not happening by itself."

On the international front, Schmidt said the Bush administration has held bilateral negotiations with other countries, notably the G8 countries (Britain, Canada, France, Germany, Italy, Japan, Russia and the U.S.) on cybercrime issues.

The idea is to get an agreement that the U.S., for example, can prosecute the perpetrator of a crime against a U.S. entity even if the perpetrator lives in a country where the act is not considered a crime. "So we don't have to worry about going through onerous extradition issues to hold someone accountable for their actions," Schmidt said.