Bush team lays out cybersecurity plan
Recommendations draw praise, but some question whether they go far enough.
PALO ALTO - The Bush administration's cybersecurity plan paints a chilling picture of the threats facing U.S. corporations and offers a series of recommendations for network executives about how best to combat the threats.
Gibbs on the plan
"The government needs to get its own house in order and leave the private sector to do what it does best - look out for its own interests."
"The National Strategy To Secure Cyberspace" was released last week at an event at Stanford University attended by 600 government and industry officials. Among the speakers were Richard Clarke, chairman of the president's Critical Information Protection Board; Robert Mueller, director of the FBI; Matt DeZee, CIO for the state of South Carolina; and Rhonda MacLean, director of corporate information security at Bank of America.
The 60-page strategy originally was intended to be a final report that summed up 10 months of study by the Critical Information Protection Board. But days before the plan's release, the White House changed its mind and released the strategy as a draft document with a 60-day public comment period before the strategy is finalized. The National Infrastructure Advisory Council, which includes the CEOs of leading high-tech companies and government officials, will review the draft and comments.
As expected, the strategy recommends voluntary efforts by industry to beef up IT security rather than new government regulations. According to the strategy, 85% of the nation's critical infrastructure facilities are privately owned and operated, and that's why the strategy favors market-based incentives.
"The government cannot dictate, the government cannot mandate, the government cannot regulate cybersecurity," Clarke said at the strategy's unveiling. "The government alone cannot make cyberspace secure."
Met with criticism
The plan was met with criticism because administration officials removed tougher language from earlier drafts that placed more responsibility for Internet security on ISPs and software vendors. And some security experts predicted that the strategy would end up gathering dust because it relies on recommendations rather than mandating action by industry.
However, many network vendors commended the strategy and vowed to contribute comments in the weeks ahead.
"We've stepped up the cooperation between industry and government," says Douglas Sabo, director of government relations at Network Associates. "This is the real beginning of the dialogue."
The strategy's idea of a network operations center supported by industry for information sharing on security threats is "intriguing," says Symantec's CTO Rob Clyde, but he wasn't clear how this would be accomplished.
Citing damage caused by the Nimda and Code Red viruses, the strategy outlines the growing sophistication and destructiveness of cyberattacks. The strategy says the number of attacks reported by Carnegie Mellon University's CERT Coordination Center grew nearly 30-fold in the last four years. CERT reported 3,700 attacks in 1998 and at current rates will report more than 110,000 in 2002, the plan says.
Meanwhile, computer systems and networks are becoming more vulnerable to cyberattacks because of problems with software and hardware that permit unauthorized entry or damage to a network. The number of computer security vulnerabilities that CERT identified more than doubled last year from 1,090 in 2000 to 2,437 in 2001.
The strategy recommends companies take proactive steps to improve the security of their computer systems and networks rather than wait to respond to particular threats. Among the recommendations are regular security audits, virus updates and software patches.
"The worst case [of a cyberattack] has not happened yet," Clarke said. "It's up to all of us in partnership to make sure that the worst case doesn't happen."
The strategy highlights certain kinds of systems that are most vulnerable to attack. These include the digital control systems (DCS) and supervisory control and data acquisition (SCADA) systems that the energy, chemical and other manufacturing industries use. The report recommends that companies examine Internet connections to DCS and SCADA systems and implement secure authentication within 24 months.
Similarly, the strategy identifies new risks and vulnerabilities for mainframes that are connected to the Internet. The strategy recommends increasing the frequency and rigor of audits and improving security policies for mainframes.
Another area of risk is instant-messaging programs, which often bypass firewalls and antivirus scanners. The strategy recommends that companies adjust their computer security policies to address the risks presented by these programs.
The cybersecurity strategy will encourage companies to move "to stronger authentication like [public-key infrastructure] and smart cards," predicts Barry Leffew, vice president of public sector at VeriSign. "Password authentication is not enough to control who has access to information."
Leffew says the strategy also encourages companies to monitor their networks more actively for hacker attacks and create plans for responding to those attacks. "Companies need to have proactive security assessments to identify vulnerabilities," he says.
"We'll see an increased use of managed security services for firewalls and network intrusion detection," he adds.
The National Strategy to Secure Cyberspace can be viewed at www.securecyberspace.gov. Comments are due Nov. 18.
Contact Senior Editor Ellen Messmer
Contact Senior Editor Carolyn Duffy Marsan
