Bush Team Still on the Cybersecurity Road

"Dewie the Turtle" may appear slow, but the Federal Trade Commission thinks he can stop quick-fingered hackers and other online villains from getting into home computers.

Just as Smokey Bear helps prevent forest fires and Woodsy Owl teaches people not to litter, Dewie is meant to be a reminder to consumers about how to stay safe online and develop a "culture of security."

"The idea is to have Internet security practices become second nature -- just like looking both ways before crossing the street," FTC Commissioner Orson Swindle said in a statement.

Dewie, whom the FTC rolled out in September, is designed to appeal to kids and their parents and promote responsible online habits, such as installing firewalls and anti-virus software to prevent hackers and avoiding unwanted e-mail, known as "spam."

He is just one incarnation of a cybersecurity plan that the Bush administration is trying to coordinate on the federal and state level.

On Thursday, William Pelgrin, director of New York's Cyber Security and Critical Infrastructure Coordination Initiative, said that kids should be studying topics such as cyber ethics and culture in school, since "they're the ones that are going to have to be dealing with this."

Getting hackers to stop the madness isn't as easy as officials wish it would be. So far this year, over 50,000 hacking or intrusion incidents have been reported nationwide, compared to last year's total of 24,000, industry experts report. And it doesn't take a genius to figure out how to hack.

All one has to do is to type "hacker" into a search engine, said Howard Schmidt, vice president of President Bush's Critical Infrastructure Protection Board, "and someone who doesn't know a floppy disc from a Frisbee" can figure out how to write a hacker computer virus.

"You don't need to be a sophisticated person to do a lot of the things [hackers] do today," Schmidt told participants at a New York luncheon sponsored by the Washington-based Information Technology Association of America.

The Bush administration has been working for nearly a year on a National Strategy to Secure Cyberspace -- a plan to secure networks, reduce intrusions, provide insurance against cyber risks, and audit security measures. The strategy, released for public comment in September after months of delay, contains 80 draft recommendations for all levels of government as well as private groups, companies and other nations.

Comments from industry and state officials are due by Nov. 18. The strategy will then be revised and sent to Bush for his approval by the end of the year.

Schmidt's group has been holding town hall meetings throughout the country since the draft's release to get input from all sectors on how the strategy can be improved. The last meeting is scheduled for Nov. 14 in Phoenix, Ariz.

"Because of the ubiquitous nature of cyberspace … because it's so widespread in everything we do, we felt it was vitally important to talk to everyone," said Schmidt, who previously served as the chief security officer for Microsoft.

Despite industry grumbling about disagreements over cost and voluntary versus forced standards, Schmidt told techies on Thursday that the aim of the strategy is not to impose a ton of new rules on a still infant industry.

"We do not need the heavy hand of government meddling in corporate America anymore than we already do," he said.

But some in the industry say kinks in the strategy still need to be worked out, including making sure that proprietary information shared with the federal government about computer vulnerabilities like breaches, holes and other security flaws is protected from public scrutiny, competitors and lawsuits. It also wants to make sure information sharing is a two-way street between government and the private sector.

"We think government should set a good example in a couple of areas," said Dave McCurdy, executive director of the ISAlliance. "We also thinks government needs to walk the walk too … it can't just be industry giving information to government in a black hole."

Some groups say the strategy likely won't be ready for implementation by the end of the year, particularly when more comments are likely to pour in as the Nov. 18 deadline nears.

"I think they're going to get a lot of comments in the next week … I think the dike will open, they've probably gotten a trickle so far," said Dan Burton, vice president of governmental affairs for computer security company Entrust.

Burton added that government agencies and businesses aren't just sitting idly by waiting for a national strategy. They are securing their own systems in the meantime.

"I think it's a tough timeline, but I don't think it's one that if they don't meet, it would be problematic," said Mario Correa, director of Internet and Network Security Policy at the Business Software Alliance. "We want this to get this document right, and if it takes a little bit of time, that's fine by us."