White House Releases Cyber Security Plan

Cyberspace is composed of interconnected computers, servers, routers, switches and fiber-optic cables that allow thousands of electronic networks to communicate, and "the healthy functioning of cyberspace is essential to the U.S. economy and national security," the White House said Friday as it released its long-awaited national cyber security plan.

The plan aims to protect the central nervous system of U.S. infrastructure and prevent hackers from implanting viruses that can wipe out networks.

The strategy is similar to the cyber objectives outlined in the Bush administration's homeland security strategy. The Department of Homeland Security will be largely responsible for implementing the cyber plan.

But already, some in the high-tech industry say it doesn't quite go far enough in protecting the nation's digital assets.

"At a time when our nation is giving heightened attention to securing our homeland, it is important to emphasize that without cyber security, there is no physical security," said Robert Holleyman, president and CEO of the Business Software Alliance.

The president's strategy pinpoints five national cyber security priorities: a national security response system; a security threat and vulnerability reduction program; an awareness and training program; a government cyberspace security program; and national security and international cyberspace security cooperation.

The first priority focuses on improving the U.S. response to cyber incidents and reducing the potential damage of an attack. The second, third and fourth aim to reduce threats from, and U.S. vulnerabilities to, cyber attacks. The fifth priority is to prevent cyber attacks that could impact national security assets and to improve international response to such attacks.

Homeland Security is the first point of contact for the federal government's dialogue with industry and others on digital dilemmas. It calls on corporations and universities to regularly review and exercise information-technology emergency plans and for companies to take part in industry-wide programs to share information on IT security and cyber vulnerabilities.

The strategy calls on all sectors — government and private — to have emergency plans in case of cyber-catastrophe.

Some tech gurus say that while the strategy proves that the Bush administration means business when it comes to cyber protection, the industry itself has to step up to the plate more when it comes to a national cyber security effort.

"Now it's time to execute — this strategy will only be as good as its implementation," said Dan Burton, vice president of government affairs for computer security company Entrust, Inc.

Private industry owns about 90 percent of the nation's critical infrastructures, such as waterways, computer networks and electricity grids.

"We don't need the information equivalent of the Manhattan Project, where there's labs and mandates for industry," Burton said. "But what we do need now is for industry to stand up and demonstrate that they're putting place very solid, IT governance programs."

If industry makes itself a role model for security, other tech experts say, that will give government less of a reason to pass more burdensome regulations.

"The Internet is not like a seat belt — the Internet inherently and constantly changes," said Larry Clinton, deputy executive director of the Internet Security Alliance. "If you tried to come out with a ton of government mandates, they would become a ceiling, not a floor" and could "drag back the technology."

"The problem is much harder than can be solved in a bureaucracy in Washington."

Mario Correa, director of Internet and network security policy for BSA, said that the White House made a smart move by making DHS the main overseer of the strategy, since it ensures someone will be held responsible.

"It's our role to lead and be a real key part of the solution," he said. "But there's no doubt that having DHS there gives us a focal point."

Correa said that the national strategy, however, could focus more on the individual responsibilities citizens and businesses have to contribute to the country's overall Web safety.

The Bush strategy says the United States will prosecute cyber attacks to the fullest extent of the law and will work through various international organizations and with industry to promote a global "culture of security."

A "Safe Cyber Zone" will also be created with the United States, Mexico and Canada to secure common networks that underpin telecommunications, energy, transportation, banking and finance systems, emergency services, food, public health and water systems.

The White House will also urge others to build on the experience gained during the Y2K computer bug threat and appoint a contact person to serve as a liaison between domestic and global cyber security efforts.

"The problem calls for industry to work together internationally, across sectors, sharing information and working on solutions in common with their best security minds," Clinton said. "It's not an easy task but it is the only practical way to solve the problem."