Clinton seeks $2.03 billion for IT security next year

By Christopher J. Dorobek
GCN Staff

Moving quickly on the momentum of the government's successful year 2000 efforts, the Clinton administration this month issued its long-awaited plan for protecting government systems from cyberattacks.

Administration officials also said President Clinton would propose a 16 percent increase in spending on cybersecurity, to $2.03 billion in fiscal 2001. The White House will propose $9 million for security in its fiscal 2000 supplemental appropriation this spring to jump-start a number of projects, including a program that would pay college tuition in exchange for service in government systems security.







CIAO broke the administration's cybersecurity budget proposal into program areas; system protection takes the largest funding slice.


Although most security experts said they laud the plan's objectives, they voiced doubts about whether the funds represent new money for computer security.

'We just have to make sure we're not robbing Peter to pay Paul,' said retired Army Col. John R. Thomas, vice president of strategic development for information assurance for AverStar Inc. of Burlington, Mass., and a former security chief for the Defense Information Systems Agency. 'Does the money come away from other necessary IT projects that offer us some other elements of security?'

One agency information technology executive, who asked not to be named, speculated that the funding might not be enough to get the job done effectively. The government spent $8 billion on year 2000 work, and that problem was relatively easy to quantify compared with systems security, the official noted.

Administration officials said that the 158-page plan, available online at www.ciao.ncr.gov, is only a first draft and that they intend to develop it further. The National Plan for Information Systems Protection, Version 1.0: An Invitation to a Dialogue largely focuses on federal systems. But officials said the overall effectiveness of protecting the nation's critical infrastructures would depend on public-private partnerships.

Clinton called the plan 'the first major element of a more comprehensive effort' that will evolve as vulnerabilities become clearer and threats emerge.

He said the federal government must carry out targeted R&D, educate future computer scientists to defend federal systems and assist the private sector in protecting its systems.

The plan envisions a federal detection network that would be the front line of defense for government systems.

The administration also proposes that agencies share attack data collected through existing intrusion detection operations, such as the Defense Department's Joint Task Force for Computer Network Defense.

'In the immediate term, we need to do a better job with the data that we already have,' according to the plan. Federal systems administrators will be required to send data on anomalies to the Federal Computer Incident Response Capability.

Richard A. Clarke, the national coordinator for security, infrastructure protection and counterterrorism, said the Federal Intrusion Detection Network and other existing detection programs are the burglar alarms of government systems.

The FIDnet proposal has been plagued by privacy challenges, but Clarke reiterated that it would not look to monitor private networks. 'It's designed to protect privacy and enhance privacy,' he said.

'We feel we have this proactive obligation to protect people's privacy,' said Mark Montgomery, the National Security Council's staff director for transnational threats.

Tit for tat

The plan foresees data sharing among government detection systems and the information sharing and analysis centers that are being created. The ISACs let public- and private-sector organizations share security information anonymously.

'We want them to be useful and operational,' said John S. Tritak, director of the administration's Critical Infrastructure Assurance Office.

The plan also proposes development of IT security standards and regulations that would help agencies choose hardware and software. The plan assigns the task of creating the standards to the Defense Department, the General Services Administration, the National Security Agency, the National Institute of Standards and Technology, and the Office of Management and Budget.



Security plan lists 10 to-do items



  • Identify critical infrastructures and shared interdependencies
  • Detect attacks and unauthorized intrusions
  • Develop robust intelligence and law enforcement capabilities
  • Share attack warnings
  • Create capabilities for response, reconstruction and recovery
  • Enhance R&D
  • Train and employ security specialists
  • Conduct outreach programs about the need for general improvements in cybersecurity
  • Adopt legislation to support cybersecurity efforts
  • Ensure protection of civil liberties, privacy and proprietary data







How does plan affect agency IT?

| National plan implementation | IT responsibilities |
| --- | --- |
| Identify key nodes and critical infrastructure system dependencies within federal government | OMB: Use this information to manage agency vulnerability and risk assessments, as required by OMB Circular A-130 |
| Identify key national security assets and infrastructure systems | OMB: Use this information to incorporate infrastructure protection into GPRA reports for OMB, as directed by PDD-63 |
| Identify infrastructure system needs, dependencies, and shared threats and vulnerabilities | CIOs and CFOs: Use this information to focus budget proposals for critical infrastructure systems |
| Identify infrastructure system threats, vulnerabilities; identify where threats and vulnerabilities are shared | Agencies: Use this information to assess vulnerabilities and risks in agency critical information systems, as required by A-130; Office of Science and Technology Policy and OMB: Use this information to focus on R&D |
| Identify and seek coordination with partners in private sector; identify shared infrastructure dependencies, and shared threats and vulnerabilities | CIO Council: Use this information to plan private-sector outreach; utilize relationships built under national plan structure |





