White House rewriting core security policy document

[InfoSec News <isn () c4i org>]

http://www.computerworld.com/securitytopics/security/story/0,10801,86956,00.html

Story by Dan Verton 
NOVEMBER 07, 2003 
COMPUTERWORLD

WASHINGTON -- The Bush administration is rewriting the document that
signaled the beginning of the federal government's efforts to deal
with critical-infrastructure protection and cybersecurity to take into
account post-Sept. 11 homeland security requirements.

Signed by President Bill Clinton on May 22, 1998, Presidential
Decision Directive-63 (PDD-63) made it the policy of the U.S.  
government to lead a public/private partnership aimed at eliminating
all major vulnerabilities to the nation's critical physical and cyber
infrastructures. In addition to setting a 2003 deadline for the
establishment of a defense against intentional cyberattacks aimed at
critical infrastructure, PDD-63 also created the FBI's National
Infrastructure Protection Center (NIPC) -- now part of the Department
of Homeland Security -- and encouraged private-sector participation
through information sharing and analysis centers (ISAC).

Now the Bush administration is poised to release a version of that
document that will be recast under the title Homeland Security
Presidential Directive (HSPD).

"The idea was to reflect the changes in the bureaucracy at the
Department of Homeland Security [and to give] more importance to the
ISACs," said Roger Cressey, former chief of staff at the President's
Critical Infrastructure Protection Board. The document has already
been reviewed by a committee of deputy agency secretaries, he said.

It focuses on terrorist threats to the nation's vital economic
infrastructures as a way to weaken the U.S. economy and damage public
confidence. It also recognizes the DHS as the main agency at the
federal level for critical-infrastructure protection and the need to
coordinate security efforts with the private entities that own and
operate more than 85% of the nation's critical infrastructures.

The original document assigned private-sector liaison duties to eight
federal agencies. The new one adds to that list the Department of
Agriculture, the Nuclear Regulatory Commission and a yet-to-be
determined position at the Transportation Security Administration to
cover the transportation of hazardous materials.

The rewrite also emphasizes identifying, cataloging and prioritizing
the nation's critical systems with respect to how vital they are to
the nation's economy and national security, as well as how vulnerable
they are to terrorist attack.

The revamped document also calls for the development by next March of
a system to aid information sharing between federal, state and local
government agencies and the private sector. The White House has also
directed the DHS to establish a national indications and warning
architecture to detect incidents that could point to a larger,
coordinated attack against critical infrastructures.

In a Nov. 6 letter to Paul Kurtz, special assistant to the president
and senior director for critical-infrastructure protection at the
White House, Harris Miller, president of the Arlington, Va.-based
Information Technology Association of America, underscored the need
for the new directive to "provide for an explicit role for the federal
government as a supporter of industry's 'first responder' status."

Miller also stressed the need for specific information-sharing
controls so private-sector data is protected from inadvertent
disclosure. And he called on the government to help provide security
clearances for private-sector officials if government information on
threats must remain classified.

The draft of the new policy document has been circulating throughout
the halls of government for more than six months. It wasn't clear
whether the concerns of the ITAA and other industry groups will lead
to major changes before the final document is released.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.