The Right Balance

National cybersecurity plan takes shape but raises questions about expectations

information Staff, Contributor

September 13, 2002


The Bush Administration this week is scheduled to unveil its long-awaited strategy to protect the nation's IT infrastructure. Already, however, some IT executives caution that certain proposals in a draft circulated last week among government officials may be ineffective. And they don't want Congress or federal agencies to force measures on them.

The National Strategy to Secure Cyberspace, developed by White House cybersecurity adviser Richard Clarke and being reviewed by President Bush and Homeland Security director Tom Ridge late last week, will call on everyone from the largest businesses to consumers to help the federal government track cyberthreats and prevent attacks, particularly those aimed at financial, government, utility, and other key networks.

President Bush's Critical Infrastructure Board will ask for feedback on 86 proposals contained in the document and issue a final statement in February. Congress and federal agencies then will determine how to fund the proposals and which, if any, will be mandated.

"We're looking to work with the government so we are part of the solution and not being dictated to," says Kenneth Lacy, senior VP and CIO at United Parcel Service Inc. But Andy Purdy, deputy chairman of the Infrastructure Board, says the government may have to intervene if the private sector doesn't do its part to combat threats.

Clarke's strategy may ask businesses to share security data with the government

That may include voluntarily sharing security data with a new network operations center, to be developed and owned by the private sector. The center could share with the government information collected from the networks of businesses, government agencies, and other NOCs, letting experts quickly discover threats and issue alerts.

But critics note that private organizations already provide early warnings of threats and vulnerabilities. The SANS Institute's Incidents.org and Internet Storm Center collect information from firewalls and intrusion-detection systems in more than 60 countries. "There's no need to build a huge mechanism to redo all of that," says Lloyd Hession, chief security officer at Radianz, which runs a network for the financial-services industry.

And some IT executives are concerned about sharing sensitive data with the government. "I have a responsibility to this company, its customers, and shareholders to protect such information," says John Hartmann, VP of corporate services for Cardinal Health Inc. "How will they ensure it's not leaked?" The administration intends to address such concerns by encouraging Congress to craft legislation that would shield shared data from the Freedom of Information Act, Purdy says. That's key for Cindy Floyd, technical services manager at Geneva Pharmaceuticals Inc., who doesn't want to provide security data if it's made public. "Then you're just opening yourself up to hackers," she says.

Floyd has concerns about another part of the plan that calls for creating a center to test patches for commercial software, mainly because it seems overwhelming. "I don't think anyone could properly understand the code of a gazillion packages out there," she says. Geneva does its own testing of its 200 apps.

Sensitive information must be protected, Geneva's Floyd says.

The government's plan also is expected to recommend the development of special secure versions of common operating systems. Some observers fear costs will go up and functionality will suffer if vendors are pressured to invest in developing such systems. "You don't need a special secure operating system," Hession says. "You need people to learn how to secure a regular OS."

The draft also suggests that businesses buy cyberinsurance. Companies would have to undergo a security evaluation before they're eligible for such coverage; the more stringent their efforts, the lower their premiums. If the government encourages companies to buy insurance -- prompting some to upgrade their security -- that could make everyone a bit safer, says Douglas Lewis, executive VP and CIO at Six Continents Hotels, a subsidiary of Six Continents plc, operator of more than 3,000 hotels.

But businesses don't want the government to go too far in forcing security practices that may be costly or unreasonable. For example, it would be inappropriate for the government to mandate that all of Cingular Wireless' systems be continuously available, says Thaddeus Arroyo, Cingular's CIO. Such decisions should be left to the business.

UPS's Lacy concurs: "The government has to understand what businesses we're in and that security can't be one-size-fits-all."

Write to George V. Hulme at [email protected].

Photo of Clarke courtesy of AP.
Photo of Floyd by Ray Ng
