DHS moves on infrastructure plan

IT industry leaders see improvements in the National Infrastructure Protection Plan released earlier this month, but they remain worried that they may be left out of the loop in the Homeland Security Department's policies and actions for IT sector security.

The plan advises private-sector owners and operators in each of 17 critical sectors, including IT, water, energy, food, banking, medical care, and transportation, to organize themselves and create sector coordinating councils to share information with a lead government agency. For IT, that agency is Homeland Security.

The 175-page plan also has hundreds of references to cybersecurity, which is treated as a cross-sector asset and also is under Homeland Security's purview. The wide-ranging cybersecurity protection goals include fostering awareness in the public and among state and local officials, as well as in all 17 sectors.

"Compared with previous drafts we've seen, it's an improvement," said Greg Garcia, vice president of information security for industry trade group Information Technology Association of America, Arlington, Va.

"The new draft is better than the previous ones, but the process is imperfect," said Michael Aisenberg, vice president of government affairs for Mountain View, Calif.-based VeriSign Inc., which manages domain names for the Internet.

Despite positive initial reviews, many concerns linger about communications between the department and the IT industry, and about DHS' approach to the IT sector. There are many questions about how and when government consults IT leaders when putting together national anti-terrorism plans.

A plan feature that Aisenberg has flagged as a concern is a reference to DHS creating a methodology to identify critical IT assets. He said he hopes that VeriSign and major IT companies will have an opportunity to consult with DHS officials before those methods are made final.

"My company has hundreds of millions of dollars invested in servers, but we haven't had a discussion with DHS about those assets and how they are used," Aisenberg said. "As a company, we have a huge stake in getting this done right."

Garcia shares similar concerns. DHS' initial approach to create an inventory of IT assets was to list major IT company headquarters, such as Microsoft Corp.'s in Redmond, Wash., and Intel Corp.'s in Santa Clara, Calif., he said. That was the wrong approach, because it doesn't take into account that IT assets are distributed nationwide, and that there are many layers of assets underpinning the economy, he said.

"In IT, they missed the mark," Garcia said. "What we've been trying to tell DHS is you really need to be concerned about IT assets in a horizontal application, not as a vertical asset."

Partly as a result of such issues, IT executives may seek more time in which to comment on the infrastructure protection plan.

Public comments are due by Dec. 5, but several IT industry leaders are asking for an extension to Feb. 5, 2006, according to Larry Clinton, chief operating officer of the Internet Security Alliance, a non-profit organization fostering IT security.

Many IT executives have been frustrated by DHS' handling of their industry and of cybersecurity. The department, created in March 2003, has had high turnover among its top cybersecurity leaders. The most recent cyberczar, Amit Yoran, left in September 2004 and has not been replaced.

IT leaders said prospects have brightened in recent months as Secretary Michael Chertoff said in July that he intends to elevate DHS' top cybersecurity post to assistant secretary. IT executives also said Bob Stephan, assistant secretary for infrastructure protection, and Andrew Purdy, director of the National Cyber Security Division, in recent months have maintained good access with the industry.

However, some anxieties remain. DHS typically has not sought IT industry input in important policies until late in the process, VeriSign's Aisenberg said.

"We need to be part of the policy development before Draft No. 10," he said. However, he said, under Stephan's guidance, the IT industry executives are being consulted earlier than before.

"We need to be treated as fuller partners and be brought in at an earlier stage," said Clinton of the Internet Security Alliance. "What the national infrastructure protection plan has brought forward is that they [DHS] need to better engage industry."

The next major document in development is a sector-specific, critical infrastructure protection plan for IT, due to be completed by DHS 180 days after final approval of the national plan.

Meanwhile, to comply with the national plan, a newly formed IT sector coordinating council was preparing to debut last week. Following the instructions of the national plan, the group organized itself to represent owners and operators of critical IT infrastructures in interactions with DHS. Its mission is to work with Homeland Security to protect the IT sector from terrorist attack.

IT industry leaders for several months have been organizing the group under the guidance of Homeland Security Presidential Directive 7 and DHS. The group was expected to announce soon an interim advisory board that will develop bylaws and a formal structure for the group within 90 days, according to industry sources.

DHS was informed by industry sources that the IT sector council agreed to form, but the bylaws were still in development. Council members include representatives of major IT companies, IT industry groups and a telecommunications industry representative.

Many IT industry leaders also are involved in the National Cyber Security Alliance, a non-profit group that has worked with DHS to foster cybersecurity goals.

Staff Writer Alice Lipowicz can be reached at alipowicz@postnewsweektech.com.