[infowar.de] Informationweek 16.09.02 National cybersecurity plan takes shape but raises questions about expectations
Controversial discussion of the cybersecurity plan to be published tomorrow
The Right Balance: National cybersecurity plan takes shape but raises
questions about expectations
By George V. Hulme, Martin J. Garvey, and John Rendleman,
Sep 16, 2002 (12:00 AM)
The Bush Administration this week is scheduled to unveil its
long-awaited strategy to protect the nation's IT infrastructure.
Already, however, some IT executives caution that certain proposals in
a draft circulated last week among government officials may be
ineffective. And they don't want Congress or federal agencies to force
measures on them.
The National Strategy to Secure Cyberspace, developed by White House
cybersecurity adviser Richard Clarke and being reviewed by President
Homeland Security director Tom Ridge late last week, will call on
everyone from the largest businesses to consumers to help the federal
cyberthreats and prevent attacks, particularly those aimed at financial,
government, utility, and other key networks.
President Bush's Critical Infrastructure Board will ask for feedback on
86 proposals contained in the document and issue a final statement in
February. Congress and federal agencies then will determine how to fund
the proposals and which, if any, will be mandated.
"We're looking to work with the government so we are part of the
solution and not being dictated to," says Kenneth Lacy, senior VP and
CIO at United Parcel Service Inc. But Andy Purdy, deputy chairman of the
Infrastructure Board, says the government may have to intervene if the
private sector doesn't do its part to
That may include voluntarily sharing security data with a new network
operations center, to be developed and owned by the private
sector. The center could share with the government information collected
from the networks of businesses, government agencies, and
other NOCs, letting experts quickly discover threats and issue alerts.
But critics note that private organizations already provide early
warnings of threats and vulnerabilities. The SANS Institute's
and Internet Storm Center collect information from firewalls and
intrusion-detection systems in more than 60 countries. "There's no need
to build a huge mechanism to redo all of that," says Lloyd Hession,
chief security officer at Radianz, which runs a network for the
And some IT executives are concerned about sharing sensitive data with
the government. "I have a responsibility to this company, its
customers, and shareholders to protect such information," says John
Hartmann, VP of corporate services for Cardinal Health Inc. "How
will they ensure it's not leaked?" The administration intends to address
such concerns by encouraging Congress to craft legislation that
would shield shared data from the Freedom of Information Act, Purdy
says. That's key for Cindy Floyd, technical services manager at
Geneva Pharmaceuticals Inc., who doesn't want to provide security data
if it's made public. "Then you're just opening yourself up to hackers,"
Floyd has concerns about another part of the plan that calls for
creating a center to test patches for commercial software, mainly
because it seems overwhelming. "I
don't think anyone could properly understand the code of a gazillion
packages out there," she says. Geneva does its own testing of its 200
The government's plan also is expected to recommend the development of
special secure versions of common operating systems. Some
observers fear costs will go up and functionality will suffer if vendors
are pressured to invest in developing such systems. "You don't need
a special secure operating system," Hession says. "You need people to
learn how to secure a regular OS."
The draft also suggests that businesses buy cyberinsurance. Companies
would have to undergo a security evaluation before they're eligible
for such coverage; the more stringent their efforts, the lower their
premiums. If the government encourages companies to buy insurance --
prompting some to upgrade their security -- that could make everyone a
bit safer, says Douglas Lewis, executive VP and CIO at Six
Continents Hotels, a subsidiary of Six Continents plc, operator of more
than 3,000 hotels.
But businesses don't want the government to go too far in forcing
security practices that may be costly or unreasonable. For example, it
would be inappropriate for the government to mandate that all of
Cingular Wireless' systems be continuously available, says Thaddeus
Arroyo, Cingular's CIO. Such decisions should be left to the business.
UPS's Lacy concurs: "The government has to understand what businesses
we're in and that security can't be one-size-fits-all."
Photo of Clarke courtesy of AP.
Photo of Floyd by Ray Ng
Copyright ©2001 CMP Media LLC
HSFK Hessische Stiftung für Friedens- und Konfliktforschung
PRIF Peace Research Institute Frankfurt
Leimenrode 29 60322 Frankfurt a/M Germany
Tel +49 (0)69 9591 0422 Fax +49 (0)69 5584 81