By Jonathan Krim
Washington Post Staff Writer
February 15, 2003
The Bush administration yesterday announced its strategy for
protecting computer systems from attacks by hackers or terrorists, but
it backed away from proposals by several security experts for
government requirements and funding.
Instead, the plan suggests how individuals, businesses and governments
can meet the growing threat of cyber-attacks on computer networks.
"Of primary concern is the threat of organized cyber attacks capable
of causing debilitating disruption to our nation's critical
infrastructures, economy or national security," said the plan,
released by the Department of Homeland Security.
The plan encourages companies to regularly review their technology
security plans, and individuals who use the Internet to add firewalls
and anti-virus software to their systems. It calls for a single
federal center to help detect, monitor and analyze attacks, and for
expanded cyber-security research and improved government-industry
The report is markedly different from early drafts that included
proposals championed by Richard A. Clarke, who recently resigned as
President Bush's adviser on cyberspace security. Among them were
suspending wireless Internet service until security holes were
addressed, requiring Internet service providers to include firewall
software and recommending that government agencies use their power as
major purchasers of computer programs to push software makers to
improve the security of their products.
"Leaving it to the vendors is basically the path we've been following
. . . and the whole reason we have the problems that we have," said
Eugene H. Spafford, a security expert and professor at Purdue
University who frequently consults with the government.
Clarke could not be reached for comment.
Peter G. Neumann, chief computer scientist with SRI International, a
nonprofit research group in Silicon Valley, said the recommendations
were like saying, "If you put duct tape around your computer, you'll
Technology and telecommunications companies lobbied hard against
regulation, arguing that the private sector is better qualified to
develop the most effective security.
The report was scheduled for release last September but the government
said more input from industry was needed.
"It's a wonderful statement of the problem," said Allan Paller,
director of the SANS Institute, a computer security think-tank and
education center. "But it's missing some of the best ideas that people
Paller said that through the various drafts the report went from
"companies should do something, to companies should consider," and in
some cases to no recommendations at all.
Democrats, too, were disappointed.
"When it comes to cyber-security, we're running at a punch-card pace
when we need Pentium speed," said Sen. Charles E. Schumer (D-N.Y.),
who is the Senate Democrats' point man on homeland security. "The
administration has been working on this proposal for months and should
have come out with a specific plan of action, not a vague set of broad
principles that has no money backing it up."
Of particular concern to computer specialists is pushing the
technology industry to develop more secure products. "You need much
stronger stuff, and you can't get it," Neumann said. "There's no
Among the ideas that were discussed were financial incentives for
improving security and legal liability for failing to meet basic
Technology companies supported the report yesterday.
"The national strategy challenges our traditional focus on technology
as the 'silver bullet,' and highlights more fundamental behavioral
matters -- like IT training and certification -- that can make
America's computer networks safer," said Michael Wendy, policy counsel
for CompTIA, a technology trade association.
Sources familiar with discussions between the industry and the
administration said some tech companies would have supported a more
concrete plan. But White House advisers held fast to their
philosophical reluctance to regulate free markets or to impose
industry standards that might favor one sector over another, the
Mark D. Rasch, chief security counsel for Solutionary Inc., a computer
services firm, said the report was an important first step. But
critical industries such as banking and utilities should be subject to
mandatory security audits, he said.