Bush Administration Rewriting Cyber
COMPUTERWORLD May 15, 2001
By Patrick Thibodeau
WASHINGTON Bush administration
officials today said they've started rewriting the federal
government's plan for protecting critical technology
infrastructures in the U.S., claiming that the existing plan
is flawed and offers little help to companies seeking to
strengthen their IT security defenses.
The administration hopes to strengthen the infrastructure
protection plan by relying heavily on input from the private
sector, according to the officials. The White House added that
it wants to avoid new security-related regulations, but warned
that Congress could take regulatory action if U.S. companies
fail to protect themselves.
"The preferred approach is to promote market [actions] rather
than regulatory solutions," said Kenneth I. Juster,
undersecretary for export administration at the U.S.
Department of Commerce.
The Clinton administration released a national plan for
protecting critical IT infrastructure two years ago. A key
part of the plan was a call for private sector cooperation
through a series of industry-specific Information Sharing and
Analysis Centers (ISACs), which companies can use to share
incident reports and information about security trends. ISACs
have been set up thus far in the banking, electricity,
telecommunications and technology industries.
But Juster contended at a forum sponsored by The Institute of
Internal Auditors at the U.S. Chamber of Commerce today that
the Clinton plan was written mainly by bureaucrats and "could
not be translated into business terms that corporate boards
and senior management could understand, such as shareholder
value, operational survivability, customer relations and
public confidence in the company."
"Only when infrastructure concerns are translated into
tangible business concerns will [companies] respond
effectively," Juster said. Richard Clarke, national
coordinator for security, infrastructure protection and
counter terrorism, added that the Clinton plan "lacked the
reservoir of knowledge" that private sector executives could
Juster, Clarke and other Bush administration officials said
they've already begun talking to companies in industries such
as financial services, oil and gas, electricity and
transportation and to technology vendors to seek help in
preparing a new national plan. Their goal is to complete the
new plan by the end of this year, they added.
Some attendees at the conference said they welcomed the new
approach, but there were some caveats. "The biggest challenge
is that things change so fast," said William Mair, president
of Information Assurance Associates, a consultancy in St.
Charles, Ill. "What is an effective solution one month is less
reliable six months later."
Sharon Lee Thompson, director of IT auditing at the AARP in
Washington, said she agrees with administration's goal of
getting more corporate users involved in formulating a
technology protection plan. But, she added, the new plan's
value will depend on how it's put together and whether it has
possible use "as a model for my organization."