The corporate alliance complements security plans being prepared by President Bill Clinton's Commission on Critical Infrastructure Protection. The Arlington, Va., commission was established in June 1996 to sketch a plan for the defense of the nation's critical computer networks, which top officials say are vulnerable to wartime attack by foreign computer hackers.
In a May 27 interim report, the commission said it is considering possible changes to insurance rules, the drafting of national standards for corporate information-security policies, and also recommending increases in federal investment in computer security technology.
The commission will hold the last of a series of public and closed-door discussions June 19, after which "it's pretty much 'shut the doors and start writing the [final] report,'" due at the White House by Oct. 13, said Nelson McCouch, a spokesman for the commission. The 18-person commission is headed by Robert Marsh, a former Air Force general.
However, industry officials and civil libertarians are reluctant to see the government mandate security solutions for the private companies that operate these critical networks. Such government-imposed solutions could cost companies more money than they want to spend, and give the government too much information on the activities of companies and citizens, say opponents.
On June 2, commission members met at the Washington-based Council on Competitiveness, an industry-funded think tank that promotes free-market policies, to hear suggestions and criticism of several proposed solutions.
One proposal would create a nationwide standard for information security. If a company decided to meet this standard, its directors and stockholders would receive some legal protection from lawsuits in the event of a financially costly hacker attack, and they also could buy cheaper disaster insurance policies, suggested Kenneth Cutler, vice president of the Information Security Institute, a division of Framingham, Mass.-based MIS Training Institute.
Also, the government should give the National Institute of Standards and Technology of Gaithersburg, Md., the authority to select companies to accredit security technology developed by industry, said Cutler, who attended the June 2 meeting. That task could be accomplished by the Washington-area subsidiaries of companies such as Computer Sciences Corp. of El Segundo, Calif., and Science Applications International Corp. of San Diego, he said.