Information Security News mailing list archives

U.S. Security Plan Too Top-Heavy?


From: InfoSec News <isn () c4i org>
Date: Wed, 18 Jul 2001 21:44:25 -0500 (CDT)

http://www.wired.com/news/politics/0,1283,45337,00.html

Associated Press 
6:52 a.m. July 18, 2001 PDT  

WASHINGTON -- Critics fear proposed changes to the way the government
protects the nation's technology backbone from terrorism could bog
down the process and remove the accountability of having a single
person in charge.

A draft executive order from President Bush, obtained by The
Associated Press, would abolish the high-profile post of security
chief in favor of a board of about 21 officials from all major federal
agencies.
 
The board would report to National Security Adviser Condoleezza Rice.
Among the agencies that would participate are the departments of
State, Defense, Justice, Energy and Treasury, as well as the National
Security Agency, CIA and FBI. Only 11 agencies had key roles in former
President Clinton's plan.

The White House has briefed several industry groups on the plan and
told executives that Bush is expected to sign the order formalizing
the changes after Labor Day.

Mark Rasch, former head of the Justice Department's computer crimes
division, predicted with so many federal agencies involved in the
advisory panel "it's going to have input from everybody on God's green
earth" before any action is taken.

"The bad news is, nobody will do anything about critical
infrastructure protection until there's a global catastrophic
failure," said Rasch. "The good news is, there will be a global
catastrophic failure."

White House officials on Tuesday declined to discuss the executive
order.

The draft, dated June 26, states Bush's order would abolish the
position of national coordinator for infrastructure protection, which
was created by President Clinton in 1998 when the government created
its first-ever blueprint for combatting threats against critical
facilities that provide Americans access to electricity, water,
banking and the Internet.

National security expert Richard Clarke, who currently holds the
position of security chief, has pointedly warned Congress, companies
and local agencies about the potential for a "digital Pearl Harbor" in
which a terrorist attack would paralyze computers, electrical grids
and other key infrastructure.

Technology trade group head Harris Miller wanted Bush to keep a single
person in charge, which he called a "one-throat-to-choke approach."
But he called Bush's plan "a good alternative" which elevates more
agencies to decision-making roles.

"The proof will come in seeing how this actually operates in practice,
and making sure that the agencies and departments get out of their
asylum mentality," said Miller, president of the Information
Technology Association of America.

As the United States relies more on computers, the government and
private companies are concentrating on how a computer attack either by
a foreign government, terrorist group, or young hacker could cripple
the nation.

Officials have put forth several possible scenarios that could create
financial havoc or loss of life, such as disruptions to ATM networks,
the air traffic control system or the national power grid. Several
nations, such as the United States, Russia and China, are preparing
their armies for future cyber warfare that would focus more on hacking
than traditional weapons.

The plan makes sharing computer security information with companies a
top priority. Security companies and the General Accounting Office,
the investigative arm of Congress, have criticized the government's
information sharing efforts so far, saying that firms aren't notified
quickly enough about new security holes.

A congressional report earlier this year stated that the National
Infrastructure Protection Center, part of the FBI, is understaffed and
needs more training so it can keep companies up to date.

Rasch said the language used in the draft is vague. For example, while
the plan says the board will "assist in the development of standards,"
it doesn't mention if the board can force companies to abide by them.

"Is the government going to come in and tell whether (Microsoft's
upcoming operating system) Windows XP is secure? And then is it going
to tell people how to secure it?" Rasch asked. "The government is the
one that should be coming up with new vulnerabilities, not the
19-year-old hackers."

Copyright 2001 Associated Press



ISN is hosted by SecurityFocus.com