Tech sector expands infrastructure protection effort

The nation's IT companies are entering a new phase in joint disaster planning that will encourage them to assess risk in at least eight critical functions nationwide, according to Guy Copeland, chairman of the IT Sector Coordinating Council, a group of about 40 companies involved in planning response and recovery for the sector.

"A sector risk assessment has to be conducted," Copeland, who also is vice president of information infrastructure for Computer Sciences Corp., told Washington Technology. "The goal is to assess the robustness and reliability of the critical functions."

The sector coordinating council delivered its sector protection plan to the Homeland Security Department in December 2006, where it is undergoing review. All 17 national sectors, including IT, water, power, financial services and the food industry, developed sector plans that are to be adjuncts to the National Infrastructure Protection Plan.

One of the critical functions is management of domain names on the Internet, Copeland said. He declined to name the other functions because the plan has not been released publicly.

The IT sector council has been meeting regularly under guidance issued in the draft national plan in November 2005. Their work is being overseen by DHS' National Cyber Security Division.

While many other sectors completed a list of physical assets that need to be protected, the IT sector assets are primarily in cyberspace, necessitating a critical function approach, Copeland said.

The next phase of the planning "is taking this to the next levels of detail," Copeland said. It may take six months to a year to develop the next phase, and most of the costs are likely to be funded by the IT industry and no funding provisions are in the plan, he added.

The Government Accountability Office in recent testimony noted that the 17 sector-specific plans represent varying levels of detail and coordination. While the nuclear power industry has been closely working together for decades on disaster planning, other industries have not, GAO said.

The IT sector, while it has been operating an operations and analysis center since 1999, is one of the more recently-organized sectors. "We've been extremely successful at coming together quickly," Copeland said.

Asked if the plan examines certification for best practices in information security, such as the language contained in S.4, "Improving America's Security Act of 2007," Copeland said it does not.