Will Bush Say Phooey on FOIA?

Corporate America is anxiously awaiting a White House report detailing the private sector's responsibility in protecting the country's IT infrastructure from a possible terrorist attack.

While the Senate debates a Homeland Security bill that would create a $38 billion, 170,000 employee department aimed at defending the nation's physical borders and securing the government's computer networks from cyber attacks, corporate America is anxiously awaiting a White House report detailing the private sector's responsibility in protecting the country's IT infrastructure from a possible terrorist attack.

At a reported 2,800 pages in length, the "National Strategy for Securing Cyberspace" is sure to send corporate legal departments into overtime billing as lawyers seek to divine the legal ramifications of the IT security strategy that the Bush Administration hopes can be implemented by voluntary compliance. The implied alternative, of course, is a more heavy-handed interventionist government approach.

Since the Homeland Security legislation has been almost a year in the making and still is not likely to reach President Bush's desk until mid-October, no new legislation is likely. It's an important consideration as the government is anxious to have companies running critical systems speed along information to the government about the private sector's network vulnerabilities and system defense measures. The government considers this information vital since the private sector controls almost 90 percent of the nation's critical IT infrastructure.

Even more sobering, a recent Business Software Alliance (BSA) survey of more than 600 IT professionals found that 60 percent of those surveyed who are directly responsible for their company's network security believe U.S. businesses are at risk for a major cyber attack in the next 12 months. The survey concluded that U.S. businesses remain ill-prepared to defend themselves despite increased attention to network security.

"Many people think of cyber attacks as relatively harmless intrusions into websites. The reality is that the country's information networks are intricately linked and run everything from our financial systems to our power grids and emergency communication systems," said Robert Holleyman, president and CEO of BSA. "A major attack into these systems could yield devastating losses in both the physical and cyber worlds."

Although the Bush plan has not been published, the White House has leaked enough advance information about it to make clear that the administration hopes a "market-driven" approach will convince the private sector to support the proposal and speed compliance.

"If we don't have buy-in from the private sector, we can't get anywhere," Paul B. Kurtz, the administration's director of critical infrastructure protection, said earlier this summer.

For public consumption, the private sector has said throughout the summer that it supports Bush's approach, but privately many have voiced concerns that anyone who shares information with the government about network vulnerabilities could find that information made public through a Freedom of Information Act (FOIA) request. The Bush plan, though, reportedly will call for an FOIA exemption for sharing certain vital information with the government.

That, in turn, has prompted the American Civil Liberties Union (ACLU) to raise concerns that the exemption would "drastically" reduce the proposed Department of Homeland Security's "responsibility to answer public questions" about how well the agency is addressing threats to America's IT infrastructure.

The Bush proposal is also expected to come under fire for proposals that largely expand the government's electronic surveillance capabilities, including the establishment of a centralized facility that would collect and examine data traffic for security threats.

Anxious to allay privacy violation fears, a White House leak earlier this week said that it would recommend the appointment of a federal "privacy czar" as part of its forthcoming plan. This privacy czar, who would be assigned to the proposed Department of Homeland Security, would be charged with vetting all government data gathering and security initiatives for potential privacy issues. The czar would oversee a privacy advocate posted to each federal agency. Advocates would be responsible for an annual review of each agency's compliance.

The draft plan calls for the advocates and privacy czar to collaborate with a national advisory group to "ensure broad input into, and consideration of, privacy issues in implementing the national strategy to achieve solutions that protect privacy while enhancing network and host security."

As for other details of the National Strategy for Securing Cyberspace, Richard Clarke, head of the president's Critical Infrastructure Protection Board, gave a broad preview of the plan in July while speaking at the annual Black Hat Conference of Information Technology Professionals in Las Vegas.

Clarke said the White House proposals would include more rigorous software development practices including input from users to disclose vulnerabilities. Clarke said the government is already urging "white hat" hackers to search for security flaws in software, but also wants them to only pass information about those flaws on to software vendors and the government, not to the rest of the security community as is common practice today.

The initiative is sure to fuel the debate over "full disclosure" that has raged through the security community for years, with many vendors taking the stance that information about security flaws should not be communicated to the world, and many security professionals arguing that such disclosure is essential, especially when vendors are unresponsive and "black hat" hackers are capable of finding flaws on their own.

Clarke also said the White House would call upon wireless LAN (WLAN) developers to assume a greater responsibility to create more easily securable systems for the notoriously insecure networks. In addition, the administration hopes to apply economic pressure on the wireless LAN industry by urging users to boycott systems that have known security vulnerabilities.

For its part in assuming a leadership role in developing a more secure Internet, Clarke said the White House will mandate that federal agencies use the security products it is encouraging the IT industry to develop, claiming he will recommend massive replacements or upgrades of government systems if developers produce demonstrably more secure products.