Administration tunes plan for cybersecurity
- By Wilson P. Dizard III, William Jackson
- Feb 21, 2003
Homeland Security secretary Tom Ridge says plans released last week to protect the nation's cyberspace and infrastructure would 'serve as road maps to help government and business' work together.
The White House beefed up its demands on agencies in the final version of the cybersecurity protection strategy it released this month.
The original draft of the National Strategy to Secure Cyberspace unveiled last fall was more sweeping and included few specific orders to agencies. The first requirement is for the Homeland Security Department to set up a 24-hour, seven-day contact point for federal interactions with industry and other partners.
Secondly, the plan calls for agencies to conduct exercises to evaluate the effects of cyberattacks and pinpoint areas that need fixing.
'We have had a number of exercises across the Pentagon and in civilian agencies,' Howard Schmidt, acting director of the White House's Critical Infrastructure Protection Board, said at a briefing. He said agencies have begun to simulate cyberattacks with state and local governments as well.
The plan put the Justice Department and a team of other agencies in charge of improving information sharing, investigative tools and cybercrime research. It said the General Services Administration and HSD will continue to cooperate on a federal software patch clearinghouse and work with the private sector on a similar clearinghouse.
The plan instructs agencies to tighten security measures, expand their use of security assessment tools and install applications to check continuously for unauthorized network connections. It said the government will review the National Information Assurance Partnership to assess whether it is properly dealing with security flaws in commercial software.
The strategy has five priorities:
- Create a national cyberspace security response system
- Establish a threat and vulnerability reduction program
- Provide security awareness and training programs
- Set a plan to secure government systems
- Develop a cybersecurity approach for intelligence agencies and international issues.
Seeded throughout the plan are dozens of recommendations to the private sector to raise its awareness of threats, train systems employees, evaluate the security of applications and form ties with the government for joint action.

Private-sector help
Federal officials also will consider licensing or certifying private security service providers for government work. Schmidt said such providers need to be shown as trustworthy.
Because cyberattacks can easily cross international boundaries, the plan noted that the U.S. government will not necessarily limit its response to criminal prosecution and it 'reserves the right to respond in an appropriate manner.'
It called for building North America into a 'cyber safe zone' with the cooperation of Canada and Mexico.
Homeland Security secretary Tom Ridge introduced the plan, along with the National Strategy for the Physical Protection of Critical Infrastructures and Key Assets, at a press conference at the department's headquarters in Washington.
Ridge said the strategies would 'serve as road maps to help government and business' work together.
The cybersecurity plan's emphasis on public-private partnership echoed the theme of the draft plan. But the plan has been reorganized along functional lines rather than categories applying to different economic sectors, which was the approach used in the draft.
Federal officials said they might use regulations as well as incentives to boost security among private organizations.
Bill Stephan, special assistant for infrastructure analysis and protection at HSD, said the department might use grants and changes in insurance rates to encourage businesses to secure their facilities, for example.
William Jackson is a freelance writer and the author of the CyberEye blog.