Congress to Weigh Web Defense Plan

[InfoSec News <isn () C4I ORG>]

http://www.computerworld.com/cwi/stories/0,1199,NAV47-68-84-91_STO57603,00.html

By DAN VERTON
February 12, 2001

A report that proposes sweeping changes in the way the government
organizes its cyberdefenses is gaining support on Capitol Hill.
Lawmakers are preparing to introduce legislation this week based on
the recommendations in the report, which was issued last month by the
U.S. Commission on National Security.

Rep. Mac Thornberry (R-Texas), a member of the House Armed Services
Committee, plans to introduce a bill this week that would create the
National Homeland Security Agency (NHSA).

If approved, the NHSA will use the Federal Emergency Management Agency
(FEMA) as a building block and will possibly replace FEMA in the long
run.

NHSA would oversee government and private-sector efforts to protect
the nation's critical infrastructure from both cyber and physical
attacks, as called for by the commission's report.

The goal is to create a virtual tripwire that can alert the national
security community to significant cyberthreats without violating the
privacy of U.S. citizens or compromising the proprietary data of
private firms, which own and operate the bulk of the nation's critical
infrastructure.

Not Everyone's Optimistic

However, sources close to the commission, headed by former Sens. Gary
Hart and Warren B. Rudman, said they aren't optimistic that the
report's recommendations will be turned into action anytime soon. They
blame an arthritic federal bureaucracy burdened by Cold War-era
policies, interagency funding rivalries and a Bush administration that
is still trying to figure out what its priorities will be.

"I'm not optimistic at all," said a government source close to the
commission. It's unfortunate, the source said, because the commission
is offering "a neutral model that is not pro-industry and is not
pro-law-enforcement."

The bill would also roll up a half-dozen agencies currently involved
in cyberdefense into the new structure.

Harris Miller, president of the Information Technology Association of
America, an Arlington, Va.-based trade group comprised of thousands of
private firms, said streamlining the critical infrastructure
protection effort in this way would be a welcome development. The
current structure "is very confusing, with many points of entry.
Having a primary source of contact with industry would make it a lot
easier," he said.

Still, not everyone is thrilled with the idea.

"I think the commission may have done a disservice to infrastructure
protection by tying it to the unachievable goal of creating a new
agency," said Steven Aftergood, an analyst at the Federation of
American Scientists in Washington. "In the absence of an actual
crisis, the existing national security bureaucracy is unlikely to
permit the establishment of a major new competitor for authority and
funds," he added.

But Thornberry is committed to ensuring that the three-year study by
the bipartisan commission - the first such comprehensive review of
national security structures since 1947 - doesn't go ignored, said Kim
Kotlar, a member of the Texas Republican's staff.

"You have to do more with this report than stick it on a shelf," she
said.

The proposed critical infrastructure protection (CIP) directorate
within the new agency would be responsible for overseeing critical
networks and coordinating government and private-sector efforts to
address the nation's vulnerability to electronic or physical attacks.
That effort is now done through a maze of federal agencies and private
partnerships.

Kotlar said Thornberry and others are prepared for an onslaught of
criticism similar to Aftergood's. She added that the plan is not to
build additional agencies but to streamline what is already in place.

However, with Congress evenly split by party lines and a profound lack
of consensus about a security policy, any attempt at a sweeping
reorganization right now seems doomed, said Aftergood. "Infrastructure
protection will have to proceed on its own track," he said.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".