Government Creates Its Own Private Cyber Network

The federal government's massive private computer network is trickling toward completion as bureaucrats set up operations centers for various industries to insulate themselves from any major cyber attack launched against the United States.

The Cyber Warning Information Network, based on an already-existing platform, is trying to bring together private sector businesses and groups, as well as cyber-security experts, to build portions of the network, including the Information Sharing and Analysis Centers.

But there's doubt within industry corners about whether there's enough interest at the upper echelons of the executive branch to push the project forward.

"This is still evolving," a White House source told "This is the kind of thing we're going to be expanding over the next year or so."

Five ISACs — first devised in the Clinton administration and designed to let groups share data on critical infrastructure sectors — currently exist in the financial, telecommunications, chemical, energy and information technology sectors. Others are in the works for water, transportation, aviation and food.

Under construction since early 2001, CWIN, a key element of President Bush's National Strategy to Secure Cyberspace, will be used as an information center where technology and government sectors can share information and keep in touch in case of a huge cyber attack.

Bush's fiscal 2003 budget request included $30 million for CWIN.

Other branches that could be included in CWIN will be the CERT Coordination Center at Carnegie Mellon University. CERT is a well-respected clearinghouse for cyber-security information for government and businesses. Various anti-virus software vendors and telecommunications providers like AT&T may also join the network.

But to date, there still lacks a quick way to share critical information, industry experts say.

So far, many private groups and businesses have been slow to provide vulnerability information to these centers out of fear that it could be made public through Freedom of Information Act laws. They also want to be exempted from antitrust laws if they provide security information to the government.

"There's always challenges with information sharing in dealing with this issue — it's not an issue just of antitrust exemption or FOIA exemption," said Dave McCurdy — president of the Electronics Industry Alliance and executive director of ISAlliance, which has been privy to White House meetings on CWIN.

"There's still a reluctance on the part of industry to divulge a lot of information that's developed from their proprietary enterprise," McCurdy said.

The bill authorizing the creation of the new Department of Homeland Security safeguarded industry information from these FOIA laws, but specific regulations have yet to be issued. That will help foster the government-industry relationship, technology policy experts said.

"We've supported the industry's cyberspace security strategy as one that's founded on industry and government — we think that's the only right approach," said David Peyton, director of technology policy for the National Association of Manufacturers.

Of the FOIA policy, Peyton said: "We think that's the right thing — we want to see the regulations come through with that."

Many say industry needs to step up to the plate when it comes to securing its own networks.

"The public part can only go so far — the private part has to step up," said Tom Patterson, senior partner with Deloitte & Touche Security Services Group. "I think a lot of the rest of the companies that really make up the economy — the critical infrastructure of the economy — don't yet understand their role in all this."

McCurdy said he does not have specific information on when CWIN will be fully implemented.

But without Richard Clarke, former cyber-security adviser in the White House, the industry is rumbling about the lack of a strong point-person in the administration to deal with cyber-security issues, and that may slow down the implementation of CWIN, Clarke's brainchild.

Clarke resigned early last month as head of the president's Critical Infrastructure Protection Board. The CIPB coordinates government agencies on protecting critical infrastructures — including computer systems. With the creation of DHS, the CIPB was eliminated and its responsibilities were moved to an information assessment and infrastructure quadrant within the new department.

Some of Clarke's presidential advisory responsibilities will be designated to someone in the White House, most likely Paul Kurtz, who currently holds a high-level critical infrastructure protection position in the White House.

On March 13, the White House announced that Bush would tap Coca-Cola executive and a former CIA official Robert Liscouski to lead cyber-security efforts as the assistant secretary of infrastructure protection at DHS. Paul Redmond, former chief of CIA counter intelligence, would be appointed assistant secretary for information analysis.

Bush said last week that he plans to nominate Frank Libutti, deputy commissioner of counter terrorism for the New York City Police Department, as undersecretary of the information analysis and infrastructure protection.

But with organization at DHS slow in coming, there's concern that something — including interest in CWIN — may get lost in the shuffle.

"We've vocalized to the White House that we think it's important to retain the position that Clarke held" in his presidential advisory role "and that there needs to be a senior person at the White House to do that," said Mario Correa, director of Internet and network security policy for the Business Software Alliance.

"I think the administration is serious about putting these steps in place. But because of the difficulty of getting DHS up and running, this all takes some time," Correa said.

"The White House is definitely keeping its finger on the pulse of this issue," he added.

Howard Schmidt, a former security experts at Microsoft who took over Clarke's position as chairman of the CIPB after Clarke left, would be the right person to move into a more senior position at DHS on these issues, experts say, particularly since he helped craft the national cyber-security strategy.

Homeland Security Director Tom Ridge has talked to Schmidt about assuming a role such as Ridge's own cyber-security adviser, Correa said.

"I think Ridge has extended him that offer. We want that position to be one with substance to it."