Bush cybersecurity strategy to be a living document

Howard Schmidt, vice chairman of the president’s Critical Infrastructure Protection Board, attended the fourth and final White House-sponsored “town hall meeting” on cybersecurity last night in Atlanta before the release in September of the next version of the National Strategy to Secure Cyberspace.

During his presentation to a packed auditorium of local Atlanta security administrators, CIOs, educators and legal professionals, Schmidt described what he characterized as the unique aspects of the Bush plan. Unlike other government planning documents, including a previous version of the national cybersecurity strategy released in 2000 by the Clinton administration, the Bush plan “is intended to be an online version,” said Schmidt.

“It’s designed to be a plug-and-play type document,” he said. “If we make mistakes, we can pull that piece out and replace it in Internet time.”

In addition, the Bush strategy will be to reach beyond corporate and government users to include home users. Responding to questions from the audience, Schmidt said that home users will be able to tap into the flow of information about IT vulnerabilities. The document will also include specific sections by experts from various critical sectors of the economy, such as banking and finance, electric power, telecommunications and emergency services.

Tom Noonan, CEO of Internet Security Systems Inc. and a panel member at the town hall meeting, said the session lasted well beyond the two hours originally scheduled. He noted a “genuine, albeit skeptical, interest in participating in a public/private partnership.”

Noonan said legal issues surrounding the Freedom of Information Act and the threat of inadvertent disclosure of proprietary information remains a major obstacle to getting most companies to work with the government. “That’s a structural issue we have to address,” said Noonan. “The law has to be fundamentally rethought. And that doesn’t happen in Washington overnight.”

“This goes beyond a department of defense issue or an FBI issue,” Schmidt said last night. “We’ve seen an ever-increasing number of attacks on our critical infrastructure.” If the national strategy is to succeed, “it will take the coordinated efforts of [government, military and private-sector companies], as well as the state and local [agencies],” he said.

Schmidt reiterated what Richard Clarke, chairman of the Critical Infrastructure Protection Board, has said repeatedly: that the administration does not plan to impose more regulations on companies to improve Internet security. “We believe the market will drive itself,” said Schmidt.

Mary Guzman, senior vice president and regional e-business practice manager at Marsh Inc., a New York-based insurance firm, attended the meeting and pointed to drawbacks with the administration’s approach to the industry.

“The federal government is trying very hard not to regulate anything,” Guzman said. “They want the market to drive the process. But there are inherent problems with that. There still seems to be an unwillingness in industry to put your money where your mouth is.

“The only thing that is going to change that is when there is some pain in the pocketbook from liability lawsuits,” she said. However, “it’s hard to hold somebody liable for not meeting a standard when there is no standard.”

Although the Bush administration is encouraging the private sector to allow market forces to drive better security practices, Guzman said only the health care and financial services industries have so far shown a willingness to spend more on security and purchasing cyber insurance.

“And, interestingly enough, those two industries are regulated,” she said.

However, Harris Miller, president of the Arlington, Va.-based Information Technology Association of America, said the Defense Department is a good example of how an influential user can force software and hardware vendors to deliver more secure products.

Next month, the Pentagon will put a new policy into effect requiring all IT products to be tested by an independent third party for security, said Miller. “That will change the marketplace,” he said.