[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[infowar.de] mehr zum Cybersicherheits-Plan des Weissen Hauses
Infowar.de, http://userpage.fu-berlin.de/~bendrath/liste.html
-------------------------------------------------------------
Er soll morgen veröffentlicht werden. Erwartet also noch mehr Traffic
dazu in den nächsten Tagen.
RB
http://www.informationweek.com/story/IWK20020913S0038
The Right Balance
Sept. 16, 2002
National cybersecurity plan takes shape but raises questions about
expectations
By George V. Hulme, Martin J. Garvey, and John Rendleman
The Bush Administration this week is scheduled to unveil its
long-awaited strategy to protect the nation's IT infrastructure.
Already, however, some IT executives caution that certain proposals in a
draft circulated last week among government officials may be
ineffective. And they don't want Congress or federal agencies to force
measures on them.
The National Strategy to Secure Cyberspace, developed by White House
cybersecurity adviser Richard Clarke and being reviewed by President
Bush and Homeland Security director Tom Ridge late last week, will call
on everyone from the largest businesses to consumers to help the federal
government track cyberthreats and prevent attacks, particularly those
aimed at financial, government, utility, and other key networks.
President Bush's Critical Infrastructure Board will ask for feedback on
86 proposals contained in the document and issue a final statement in
February. Congress and federal agencies then will determine how to fund
the proposals and which, if any, will be mandated.
"We're looking to work with the government so we are part of the
solution and not being dictated to," says Kenneth Lacy, senior VP and
CIO at United Parcel Service Inc. But Andy Purdy, deputy chairman of the
Infrastructure Board, says the government may have to intervene if the
private sector doesn't do its part to combat threats.
That may include voluntarily sharing security data with a new network
operations center, to be developed and owned by the private sector. The
center could share with the government information collected from the
networks of businesses, government agencies, and other NOCs, letting
experts quickly discover threats and issue alerts.
But critics note that private organizations already provide early
warnings of threats and vulnerabilities. The SANS Institute's
Incidents.org and Internet Storm Center collect information from
firewalls and intrusion-detection systems in more than 60 countries.
"There's no need to build a huge mechanism to redo all of that," says
Lloyd Hession, chief security officer at Radianz, which runs a network
for the financial-services industry.
And some IT executives are concerned about sharing sensitive data with
the government. "I have a responsibility to this company, its customers,
and shareholders to protect such information," says John Hartmann, VP of
corporate services for Cardinal Health Inc. "How will they ensure it's
not leaked?" The administration intends to address such concerns by
encouraging Congress to craft legislation that would shield shared data
from the Freedom of Information Act, Purdy says. That's key for Cindy
Floyd, technical services manager at Geneva Pharmaceuticals Inc., who
doesn't want to provide security data if it's made public. "Then you're
just opening yourself up to hackers," she says.
Floyd has concerns about another part of the plan that calls for
creating a center to test patches for commercial software, mainly
because it seems overwhelming. "I don't think anyone could properly
understand the code of a gazillion packages out there," she says. Geneva
does its own testing of its 200 apps.
The government's plan also is expected to recommend the development of
special secure versions of common operating systems. Some observers fear
costs will go up and functionality will suffer if vendors are pressured
to invest in developing such systems. "You don't need a special secure
operating system," Hession says. "You need people to learn how to secure
a regular OS."
The draft also suggests that businesses buy cyberinsurance. Companies
would have to undergo a security evaluation before they're eligible for
such coverage; the more stringent their efforts, the lower their
premiums. If the government encourages companies to buy insurance --
prompting some to upgrade their security -- that could make everyone a
bit safer, says Douglas Lewis, executive VP and CIO at Six Continents
Hotels, a subsidiary of Six Continents plc, operator of more than 3,000
hotels.
But businesses don't want the government to go too far in forcing
security practices that may be costly or unreasonable. For example, it
would be inappropriate for the government to mandate that all of
Cingular Wireless' systems be continuously available, says Thaddeus
Arroyo, Cingular's CIO. Such decisions should be left to the business.
UPS's Lacy concurs: "The government has to understand what businesses
we're in and that security can't be one-size-fits-all."
Write to George V. Hulme at ghulme -!
- cmp -
com -
Visit our Security Tech
Center: informationweek.com/TC/networking/security
---------------------------------------------------------------
Liste verlassen:
Mail an infowar -
de-request -!
- infopeace -
de mit "unsubscribe" im Text.