Bush making new plans for cybersecurity
Bush making new plans for cybersecurity
- By William Jackson
- Sep 14, 2001
About the time two hijacked airplanes crashed into the World Trade Center towers in New York last week, Richard Clarke of the National Security Council was outlining the president's plan for better coordination of the nation's information resources.
And a Washington attorney and former general counsel to the Senate Committee on Governmental Affairs said at the same conference that he expects President Bush to soon replace Presidential Decision Directive 63, President Clinton's 1998 mandate to secure the nation's critical infrastructure.
Clarke's plans call for greater coordination, but not centralization, of security activities.
'We reject the idea that there should be an IT czar,' said Clarke, NSC's coordinator for security, infrastructure protection and counterterrorism. 'We don't want to create an agency that assumes responsibility' for overseeing security of each agency's information.
But Clarke, speaking at a recent information assurance conference sponsored by
E-Gov in Washington, said there is a need for a central organization to coordinate analysis and sharing of information.
Some at the conference suggested that Clarke himself might head the organization.
'In the government we have numerous participants with no one person in charge,' said Dan Burton, vice president of government affairs for Entrust Inc. of Dallas.
Government and private-sector experts said putting someone in charge is the key to improving government cybersecurity.
'Right now the government is a model of how not to secure IT systems,' Clarke said.
The General Accounting Office has issued more than 100 reports on federal information security, said Joel C. Willemssen, GAO's managing director of IT issues. 'We are seeing some improvement, but overall the message is still discouraging,' he said.
Lack of leadership and lack of accountability were at the top of GAO's list of problems.
'We think it is extremely important to have strong central leadership,' Willemssen said.
Clarke, who joined NSC in 1993 and is one of its longest-serving members, said the Bush administration has made IT security a national priority. He said the president ordered a review of the government's cybersecurity organization.
'That review is nearing completion,' he said. 'Stay tuned for further announcements.'
Although he gave no specifics, Clarke said that in addition to better government coordination, the strategy also would call for better cooperation with the private sector.
Clarke also suggested that some government activities might be moved off public networks.
'We should think about whether some government functions should be air-gapped, physically separated from the IT cloud, using the fiber optics that are already out there,' he said.
The amount of money available for improving cybersecurity depends on how much pressure the president puts on Congress, said Stephen M. Ryan, an attorney with Manatt, Phelps & Phillips LLP.
'Congress will have to put its money where its mouth is,' Ryan said, adding that it is more likely that unfunded requirements will be imposed on agencies. 'Executive leadership may be the only antidote.'Security spending
Ryan said the Bush rewrite of PDD 63 will change the approach to securing critical infrastructure.
'There is a Bush draft to replace PDD 63,' he said. 'We think that it is going to take a little different approach than Clinton did,' with more authority given to NSC.
Security spending already is getting more scrutiny from the Office of Management and Budget, which now requires agency budget proposals to include an assessment of its effects on information security.
'You cannot have a discussion about funds if you have not answered the questions about security,' said William D. Hadesty, the Agriculture Department's associate chief information officer for cybersecurity.
William Jackson is freelance writer and the author of the CyberEye blog.