[infowar.de] more on the planned US Cyber-Security Plan
This time a somewhat more critical article on it.
eWeek, August 26, 2002
Bush to Call for Fed NOC
By Caron Carlson and Dennis Fisher
The Bush administration has plans to create a centralized facility for
collecting and examining security-related e-mail and data traffic and
will push private network operators to expand their data-gathering
initiatives, according to an unreleased draft of the plan.
The proposed cyber-security Network Operations Center is included in a
draft of the National Strategy to Secure Cyberspace, which was developed
by the President's Critical Infrastructure Protection Board and is due
for release Sept. 18.
The call for expanded data collection and analysis results from
administration concerns that efforts to secure cyberspace are hampered
by the lack of a single data-collection point to detect cyber-security
incidents and issue warnings, according to a draft of the plan, which
was obtained by eWeek.
Critics, however, worry that such a system would be expensive,
difficult to manage and allow government agencies to expand their
Other recommendations include requiring corporations to disclose their
IT security practices, establishing a test bed for multivendor patches,
creating a certification program for security personnel and mandating
certifications for all federal IT purchases. (See chart for other
According to the draft, the government's "forward-looking analysis"
capabilities are considered sparse because of a shortage of information.
The proposed center would improve capabilities for predicting
cyber-security incidents as well as responding to hacker or terrorist
Howard Schmidt, vice chairman of the CIPB, said the center would
consolidate threat data from the country's collection end points, such
as the FBI's National Infrastructure Protection Center, the Critical
Infrastructure Assurance Office, the Department of Energy and commercial
Private companies would also be encouraged to increase the amount of
data collected and share it with the government. "Major companies
generally report this information internally," Schmidt told eWeek.
"We're looking for that to come back to a central location."
According to the draft strategy, the public/private initiative would
involve the major ISPs, hardware and software vendors, and IT security
companies, in addition to law enforcement agencies.
Some said they believe the government's interdepartmental rivalries
and information-sharing rules will hamstring any attempt at centralized
collection and analysis. "There are such high barriers in government to
being able to disseminate information and react to threats, I don't
think it will have much impact," said William Harrod, director of
investigative response at TruSecure Corp., in Herndon, Va., and a former
FBI computer forensics specialist. "They'll have different information
coming in from different analysts, and they'll have to weed through it."
The proposed strategy recommends that the center be partially
federally funded, but critics charge it would inevitably impose new
costs on the private sector without commensurate benefit in addition to
duplicating similar efforts.
"Government doesn't have a good track record when it comes to
collecting and disseminating massive volumes of data," said Kevin
Baradet, network systems director at Cornell University's Johnson
Graduate School of Management, in Ithaca, N.Y., and an eWeek Corporate
Partner. "We could be drowning in data, most of it noise."
Above all, users said, there are the privacy concerns.
"Whatever the federal government wants to do with its own data is OK
with me, as long as it doesn't waste my personal and corporate tax
dollars," said Karl Keller, president of custom software developer IS
Power Inc., in Thousand Oaks, Calif. "The privacy aspects, however,
concern me greatly. This sounds like a dramatic and evil expansion of
Echelon and Carnivore."
The strategy calls on the FBI, Secret Service and Federal Trade
Commission to establish a single system for corporations to report
Internet fraud and extortion, illegal hacking, and unauthorized network
intrusions. It recommends that the federal government systematically
collect data on cyber-crime victims and cyber-intrusions from
However, most CIOs are loath to report any network breach, even in
confidence. The Bush administration is seeking to assuage industry fears
by recommending legislative changes, including exemptions from Freedom
of Information Act requirements and exemption from antitrust laws, that
would reduce liability for turning over data to law enforcement.
Of the more than 80 proposals in the draft of The National Strategy to
Secure Cyberspace, among the most worrisome to corporations is a
recommendation that they publicly disclose the identity of their IT
security audit companies and the scope of their activities annually. The
draft strategy recommends that businesses report incident and tracking
data, the effectiveness of remediation measures, and the steps they take
to secure their systems. In addition, they should reveal corporate and
governance systems for IT security in a standardized form.
"I don't see us turning over any logs to the government," said a
security administrator at a major East Coast financial company, who
asked not to be named. "It's too risky."
Proponents say that as the number of attacks continues to increase,
more communication and information exchange between the government and
private sector can only help.
"There's no doubt in my mind that [sharing information] will help.
This goes beyond just the corporate world," said George Samenuk, CEO of
Network Associates Inc., in Santa Clara, Calif., who consulted with CIPB
Chairman Richard Clarke on the national strategy. "We've accelerated our
efforts in providing information to the government and giving them early
notification of problems. I see all the barriers being broken down."