Plan of action

The Bush administration will issue a national strategy for cybersecurity this July that will be available to government and industry on the World Wide Web, according to senior administration officials.The strategy will be a "dynamic" document that will be updated regularly, said Paul Kurtz, senior director for national security for the President's Critical Infrastructure Protection Board of the National Security Council. The administration's cybersecurity strategy is being developed in partnership with the private sector. It will address home users and small businesses, government enterprises, industry sectors, national partners and international partners, he said.Kurtz was one of several senior administration officials who spoke about the cybersecurity side of homeland security at the March 19-21 FOSE 2002 trade show in Washington.The Bush administration views cybersecurity as one of the cornerstones of a comprehensive national homeland security strategy. In developing and implementing its cybersecurity strategy, administration officials have said on numerous occasions that the government needs help from the private sector to counter threats from hackers and terrorists who would attack the nation's critical information technology. Recently, high-level government officials involved with homeland security have spoken candidly about the administration's aggressive approach toward information security and critical infrastructure protection.Richard Clarke, the president's cybersecurity adviser, told industry representatives March 19 that 8 percent, or $4.1 billion, of the $52 billion proposed fiscal 2003 IT budget is earmarked for information security. Clarke said the budget request is the result of major changes in the federal budget process. For the first time, the Office of Management and Budget took agencies' IT security needs into account while preparing the president's budget, Clarke said. While developing the budget, those agency budgets that did not address security deficiencies were sent back for revision, he said. Glenn Schlarman, senior director for government services with the President's Critical Infrastructure Protection Board, said that the funds earmarked for information security projects and enhancements will be done almost exclusively through outsourcing to the private sector. Clarke heads the Critical Infrastructure Protection Board, which was established by executive order Oct. 16, 2001. The board comprises civilian agencies, national security agencies and special interagency organizations, such as the National Infrastructure Protection Center, National Communications System and the Critical Infrastructure Assurance Office. The board's mission is to coordinate protection of information infrastructures and the physical assets that protect them. The board has standing committees to address aspects such as outreach to the private sector, incident coordination and crisis response, recruitment and training, research and development, law enforcement coordination and global outreach and coordination. Kurtz said the Bush administration is taking great pains to make sure that interruptions to critical information technology are "infrequent, of minimal duration and manageable." His remarks were made during a separate March 19 FOSE presentation focusing on the collective challenge facing government and industry in improving cybersecurity. Kurtz was joined by Rich Marshall, deputy director of the Critical Infrastructure Assurance Office, and Schlarman. Marshall said it has been "a difficult, uphill battle" to get some parts of the private sector involved in cybersecurity, because companies are sometimes reluctant to make costly security investments. Nevertheless, the administration is determined to enlist the support of the private sector and is pressuring industry in face-to-face meetings with chief executive officers, chief financial officers, auditors and attorneys, Marshall said. "All of this is being done to put pressure on the private sector," he said. A number of technology giants, such as Cisco Systems Inc. of San Jose, Calif.; Microsoft Corp. of Redmond, Wash.; and Oracle Corp. of Redwood Shores, Calif., have responded to the administration's call for assistance and are playing an active role in the burgeoning government-industry partnership for cybersecurity, the government officials said. Schlarman said information security is "a central attribute" of federal agencies' functions. Because of this, it was built into each agency's fiscal 2003 budget, he said. He also said the administration is pushing agencies to make information security an integral part of their enterprise architectures."In the government, we have more leverage to make people do what we want them to do [than with the private sector]," Schlarman said.Clarke said OMB moved money around during the federal budget process as it saw fit. He declined to say which agencies received more funding and which received less. The administration's determination to push for improved security on all fronts may partly be the result of the ferocity of recent cyberattacks. Federal authorities still don't know who is behind the "Code Red" or "Nimda" worm, Kurtz said. Threats to information security can come from a number of directions, including criminal and terrorist organizations as well nation states and companies engaged in espionage. Once unleashed, they can take over home computers and use them as "zombies" to automatically spread worms and viruses through networks and the Internet, he said. nGovernment Computer News Staff Writer