Administration Pares Cyber-Security Plan

[InfoSec News <isn () c4i org>]

http://www.washingtonpost.com/wp-dyn/articles/A59168-2002Sep9.html

By Ariana Eunjung Cha
Washington Post Staff Writer
Tuesday, September 10, 2002; Page A04 

As the White House moves to finalize a national plan to better secure
cyberspace, high-tech firms and other companies are continuing a
furious campaign to have some recommendations struck from the
document.

The administration no longer plans to recommend that Internet service
providers such as America Online, MSN and EarthLink bundle firewall
and other security technology with their software. Instead, it will
ask ISPs to "make it easier" for home users to get access to such
protections.

It also does not plan to recommend that a privacy czar be appointed to
oversee how companies make use of their customers' personal
information, according to several people involved in drafting the
document.

A government official said the changes were made in hopes the plan
would be adopted voluntarily by industry and not necessitate another
layer of government regulation.

Several companies have argued that if the government tells people what
to buy and dictates how they should run their businesses, innovation
will be squelched. But others said private industry was more concerned
about the costs involved in carrying out the recommendations.  
Businesses also worry about taking on new legal liability.

"I've been really shocked at how companies have been acting in their
own interest rather than in the national interest," said Allan Paller,
director of the SANS Institute, a computer-security think tank and
education center.

Harris Miller, president of the Information Technology Association of
America, which represents 500 companies, said the private sector is in
no way trying to dilute the plan. It was the industry, in fact, that
first suggested a plan be developed, he said.

"The idea that industry is somehow a reluctant partner is inaccurate,"  
Miller said.

At about 150 pages, the National Strategy to Secure Cyberspace, which
is scheduled to be released Sept. 18, remains a weighty document
outlining about 80 new obligations for the government, companies,
universities and even home computer users.

The most extensive recommendations are for the government. The plan
would restrict federal workers from using certain wireless
technologies and mandate that agencies only purchase software that has
been certified to be secure.

One of the top priorities, according to one draft, is for the
government and the private sector is to make sure computers that
control major systems such as subways, nuclear reactors and dams are
secure.

Also under consideration are recommendations calling for the
establishment of a center that would study computer viruses, worms and
other security threats; an accreditation board that would certify
security personnel; and a private-public program that would help pay
for security enhancements for critical parts of the Internet,
including the routers that direct traffic, as well as operating
systems such as Windows, Linux and the Mac OS.

Some drafts also outline plans for the collection and analysis of
network data that pass through universities -- places often used as
jumping-off points for cyber-attacks. The draft also includes a plan
to educate home users on how to secure their computers.

The national strategy is being compiled and analyzed by Richard A.  
Clarke, director of the Office of Cyberspace Security, with input from
a cross section of industry representatives, computer science experts
and others.

It is scheduled to be delivered to President Bush for his signature in
the next week.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.