IT security regulations unlikely, Bush official says

Howard Schmidt, vice chairman of the President's Critical Infrastructure Protection Board, said the federal government has no present or future plans to issue regulations that would dictate the way state and local governments provide security for information systems. He spoke at the midyear meeting of the National Association of State Chief Information Officers in Denver.

A top official in the Bush administration said the federal government has no present or future plans to issue regulations that would dictate the way state and local governments provide security for information systems.

Howard Schmidt, vice chairman of the President's Critical Infrastructure Protection Board, said April 8 at the midyear meeting of the National Association of State Chief Information Officers in Denver that the administration fully intends to stay with a collaborative approach to national IT security.

"It doesn't look like that will have to be done," Schmidt said, regarding the need for issuing IT security regulations.

Schmidt's remarks were made on the first day of the conference to more than 400 state and local information technology officials. They had gathered for a conference that NASCIO President Rock Regan promised would focus heavily on homeland security. CIOs from 33 states are attending, Regan said.

Schmidt said the administration's national cybersecurity strategy plan will be unveiled in July. The plan will include input from professional organizations, the private sector, federal agencies and state and local governments. Each of these "will have a separate section in the strategy" outlining their positions, he said.

The strategy will include modules that can be updated when there are significant leaps in key technologies, such as wireless communications, Schmidt said.

He said the administration is soliciting input from local government officials in five major metropolitan areas: Atlanta, Chicago, Denver, Los Angeles and Portland, Ore. He said more local governments will be contacted as well.

Schmidt said the administration still doesn't have a formal mechanism in place for getting cybersecurity warnings to the states but is working on developing one. In the meantime, this is being handled by the Commerce Department's Critical Infrastructure Assurance Office, backed up by the Critical Infrastructure Protection Board.

Schmidt called on state chief information officers to move forward quickly with information sharing and assistance centers that will enable state and local governments to install software patches in hours rather than days or weeks.

Remarks by other speakers complemented Schmidt's presentation. Ray Kurzweil, chairman and chief executive officer of Kurzweil Technologies Inc., Waltham, Mass., said state and local governments need to decentralize their IT critical infrastructure by creating redundant or backup systems and facilities to guard against crippling physical attacks.

"When you have centralized [infrastructure] it is very vulnerable to catastrophic disaster," Kurzweil said. By decentralizing IT critical infrastructure, state and local governments can reduce their vulnerabilities, he said.

A national cybersecurity strategy is a business driver, said Gerry Wethington, NASCIO vice president and Missouri CIO, who spoke about the role of architecture in IT security.

NASCIO's three-year effort on architecture has produced the Enterprise Architecture Development Tool Kit, which has been validated by several state and local governments, he said. NASCIO is seeking pilot projects in which the tool kit can be used to standardize architecture and enhance information sharing between state and local governments, Wethington said.