White House Releases Cyber-Security Plan

The Bush administration has released its strategy for protecting the nation's computer systems from attack after months of delay due to disagreements over cost and which standards should be voluntary and which should be forced.

The National Strategy to Secure Cyberspace, released in Silicon Valley by President Bush's chief cyber-security adviser Richard Clarke, contains nearly 60 draft recommendations for government at all levels, as well as private groups, companies and other nations.

Acknowledging that no cyber-security plan will be 100 percent reliable, the strategy "strives to ensure that any interruptions will be infrequent, brief, manageable, geographically isolated, and minimally detrimental to the welfare of the United States," the draft reads.

Clarke has faced criticism that the report does not go far enough, and that the administration has yielded too much to lobbying by the high-tech industry.

On Tuesday, he refuted as "vast exaggeration" published reports that influential companies have lobbied aggressively in recent weeks to strip or change proposals that would have raised their business costs.

"We have not been changing things up to now under pressure from anybody outside the government," Clarke said.

The plan lays out six tools to be used to help private citizens and groups protect the nation's networks.

They include: educating on cyber risks and how to mitigate them; producing new security technologies; training a well-educated, cyber-security workforce; making people and companies responsible for regulating themselves, and using regulation or legislation as a last resort; improving federal cyber security so it can be a model for accountability; and developing early warning and crisis management plans.

"Each American who depends on cyberspace, the network of information networks, must secure that part that they own for which they are responsible," the draft states.

Federal information security programs will be reviewed to determine if they are cost effective under the new guidelines. The government will also make sure private security providers meet minimum standards, work with state and local governments to establish security programs and expand training programs in computer crime.

The plan also makes recommendations to private users to install firewall software and regularly update anti-virus systems. E-mail users should use caution when opening attachments from unknown senders and should control spam, or unsolicited commercial e-mail, the recommendations say.

The plan calls for CEOs to form company-wide corporate security councils to integrate all aspects of security, physical and cyber; hire security auditors; set up reward programs for tech security employees; and work with the insurance industry on ways to use insurance for managing cyber risks.

The Bush administration may ask Congress to enact legislation to put more aspects of the strategy into play.

Tech industry folks hailed the plan as a great first step, but said it is a work in progress, one in which, they said, private industry must be involved.

"We hope this plan advances the nation's cyber-security agenda and continues the long-standing dialogue between industry and government on how to combat cyber attacks and strengthen our key infrastructures," said Robert Holleyman, president of the Business Software Alliance.

"As industry and government alike strive to bring the utility of the Internet to every citizen, we must also demonstrate leadership in making the Internet secure," said Dave McCurdy, executive director of the ISAlliance.

Bill Conner, CEO of computer security company Entrust, called the strategy a "significant step" in enhancing Internet security but said it falls short on some policy issues relating to private industry.

One issue is that companies currently do not often report security breaches, which industry says should concern government because 85 percent of the nation's computer systems and networks are owned by private industry.

"That is woefully lacking in this plan," Conner said. "We've got to find a way to bridge the gap between government and private industry.

"We're not moving at battle speed but at least we're moving at battle precision and we're moving," on cyber security, he said.

Comments on the draft are due by Nov. 18. The strategy will be revised and sent to Bush for his approval by the end of the year.