White House to unveil initiative for protection against cyberattacks

[InfoSec News <isn () c4i org>]

http://www.siliconvalley.com/mld/siliconvalley/4083736.htm

By Mary Anne Ostrom and Elise Ackerman
Mercury News
Sept. 15, 2002

Using Silicon Valley as the backdrop, the White House this week will
unveil its most comprehensive plan yet to protect the nation's
computer users from cyberattacks.

Industry officials who have seen drafts of the plan and White House
briefing documents describe a strategy that will rely heavily on
voluntary efforts of home computer users and employers and sets new
security standards for government agencies, which have been roundly
criticized for ignoring computer security.

The new blueprint for computer security will be presented Wednesday at
Stanford University by Richard Clarke, the Bush administration's top
cybersecurity officer, and FBI Director Robert Mueller, among others.

The wide-ranging report, months in the works, comes exactly one week
after the first anniversary of the Sept. 11 attacks. It calls on ``all
Americans to secure their portions of cyberspace.''

The effort to raise awareness of online security is praised by
high-tech companies, many of which sell computer security products,
but questioned by some independent security experts who say they are
unconvinced the industry-influenced strategy will significantly shore
up the nation's computer networks. That's partly because the White
House plan seeks to shift responsibility for protecting cyberspace to
ordinary people and away from mandates that require industry to take
action, say skeptics.

More than a dozen valley companies have weighed in with suggestions to
the White House, including Cisco Systems, Sun Microsystems, Oracle,
Network Associates, VeriSign and Symantec. TechNet, the bipartisan
tech lobby group, is hosting a valley reception Tuesday night for
Clarke.

The plan, in the words of one business participant, was ``heavily
vetted'' by the various industries and government sectors affected,
and contains virtually no proposals for new laws among its 86
recommendations and 24 strategic goals.

Proposals

Among the report's themes:

* Encourage home users and small businesses to install and maintain
  anti-virus protections, with some help from their Internet service
  providers.

* Establish more secure standards for government-purchased software
  and products and call on industry to include them in products they
  sell to corporate America.

* Boost security research and training of technologists, including
  creating a national center to detect and counter threats.

Some earlier controversial proposals may not make it into the report
following industry opposition. These include naming a federal privacy
czar to rule on sharing of customer data among businesses and
recommending that major cable and DSL companies bundle firewalls or
other protections with their service.

``In almost every area where it looked like they were going to mandate
things, they dropped back to saying they were going to encourage
them,'' said John Pescatore, research director for Internet security
at Gartner.

Clarke and other government officials would not comment last week in
advance of the release of the ``National Strategy to Secure
Cyberspace.'' But background documents provided by the White House
call the strategy ``a national partnership between private sectors,
government and individuals to vigorously secure, maintain and update
the security of cyberspace.''

In most cases, the report does not say who will pay for the cost of
heightened computer security when America's businesses are cutting
back on overall information technology spending and consumer adoption
of broadband is cost-sensitive. The federal government's own computer
security budget has been increased 65 percent, to $4.5 billion, in the
fiscal year that begins in two weeks.

`Not the holy grail'

But new subsidies, such as tax incentives sought by some tech
companies to boost security spending, likely will not be included.

``This is not the holy grail,'' said Stratton Sclavos, chairman and
CEO of VeriSign, which sells Internet security products. But, he
added, the report should jumpstart at least some government spending.

``Our expectation is no windfall, but it will increase our public
sector business over the next three to five years a couple of
percentage points a quarter or a year,'' he said.

With the government encouraging ordinary computer users to buy
anti-virus and firewall products from companies like Symantec and
Network Associates, the plan could lead to a significant increase in
their sales, some analysts predicted.

Both companies are releasing new versions of Internet security
products to coincide with the White House report.

Security expert Richard M. Smith said the plan's emphasis on action by
home users and small business owners appeared to let the makers of
security programs off the hook. ``Vendors need to take more
responsibility for this problem,'' Smith said. ``They have to ship
products that are more secure.''

Computer attack

Clarke, whom Bush named as his cybersecurity adviser late last year,
has repeatedly warned of a ``digital Pearl Harbor,'' and last month
said the government is now as worried about an attack on vital
computer networks from a hostile nation as from a terrorist group,
citing several suspicious breaches in federal networks.

However, Clarke, who reports to Homeland Security Director Tom Ridge
and National Security Adviser Condoleezza Rice, has also emphasized
that any national strategy would not rely on new regulations.

While heavily involved in its development, industry leaders say they
did not write the report and pointed out that product upgrades and
redesigns the government is encouraging will mean higher costs for
business, even if they generate more sales.

``It's not all motherhood and apple pie and so bland and non-specific
that everyone can say `Amen,' '' said Harris Miller, president of the
Information Technology Association of America. He defended industry's
position that it should not be responsible for consumers installing
anti-virus programs and firewalls.

``The guys who sell you the car isn't going to come around and strap
you in with your seat belt every time.''


--------------------------------------------------------------------
Contact Mary Anne Ostrom at mostrom () sjmercury com or (408) 920-5574. 
Contact Elise Ackerman at eackerman () sjmerucry com or (408) 271-3774.  



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.