[ISN] U.S. Security Plan Too Top-Heavy?

From: InfoSec News (isnat_private)
Date: Wed Jul 18 2001 - 19:44:25 PDT

    http://www.wired.com/news/politics/0,1283,45337,00.html
    
    Associated Press 
    6:52 a.m. July 18, 2001 PDT  
    
    WASHINGTON -- Critics fear proposed changes to the way the government
    protects the nation's technology backbone from terrorism could bog
    down the process and remove the accountability of having a single
    person in charge.
    
    A draft executive order from President Bush, obtained by The
    Associated Press, would abolish the high-profile post of security
    chief in favor of a board of about 21 officials from all major federal
    agencies.
     
    The board would report to National Security Adviser Condoleezza Rice.
    Among the agencies that would participate are the departments of
    State, Defense, Justice, Energy and Treasury, as well as the National
    Security Agency, CIA and FBI. Only 11 agencies had key roles in former
    President Clinton's plan.
    
    The White House has briefed several industry groups on the plan and
    told executives that Bush is expected to sign the order formalizing
    the changes after Labor Day.
    
    Mark Rasch, former head of the Justice Department's computer crimes
    division, predicted that with so many federal agencies involved in the
    advisory panel, "it's going to have input from everybody on God's green
    earth" before any action is taken.
    
    "The bad news is, nobody will do anything about critical
    infrastructure protection until there's a global catastrophic
    failure," said Rasch. "The good news is, there will be a global
    catastrophic failure."
    
    White House officials on Tuesday declined to discuss the executive
    order.
    
    The draft, dated June 26, states Bush's order would abolish the
    position of national coordinator for infrastructure protection, which
    was created by President Clinton in 1998 when the government created
    its first-ever blueprint for combatting threats against critical
    facilities that provide Americans access to electricity, water,
    banking and the Internet.
    
    National security expert Richard Clarke, who currently holds the
    position of security chief, has pointedly warned Congress, companies
    and local agencies about the potential for a "digital Pearl Harbor" in
    which a terrorist attack would paralyze computers, electrical grids
    and other key infrastructure.
    
    Technology trade group head Harris Miller wanted Bush to keep a single
    person in charge, which he called a "one-throat-to-choke approach."
    But he called Bush's plan "a good alternative" which elevates more
    agencies to decision-making roles.
    
    "The proof will come in seeing how this actually operates in practice,
    and making sure that the agencies and departments get out of their
    asylum mentality," said Miller, president of the Information
    Technology Association of America.
    
    As the United States relies more on computers, the government and
    private companies are concentrating on how a computer attack either by
    a foreign government, terrorist group, or young hacker could cripple
    the nation.
    
    Officials have put forth several possible scenarios that could create
    financial havoc or loss of life, such as disruptions to ATM networks,
    the air traffic control system or the national power grid. Several
    nations, such as the United States, Russia and China, are preparing
    their armies for future cyber warfare that would focus more on hacking
    than traditional weapons.
    
    The plan makes sharing computer security information with companies a
    top priority. Security companies and the General Accounting Office,
    the investigative arm of Congress, have criticized the government's
    information sharing efforts so far, saying that firms aren't notified
    quickly enough about new security holes.
    
    A congressional report earlier this year stated that the National
    Infrastructure Protection Center, part of the FBI, is understaffed and
    needs more training so it can keep companies up to date.
    
    Rasch said the language used in the draft is vague. For example, while
    the plan says the board will "assist in the development of standards,"
    it doesn't mention if the board can force companies to abide by them.
    
    "Is the government going to come in and tell whether (Microsoft's
    upcoming operating system) Windows XP is secure? And then is it going
    to tell people how to secure it?" Rasch asked. "The government is the
    one that should be coming up with new vulnerabilities, not the
    19-year-old hackers."
    
    Copyright 2001 Associated Press
    
    
    
    



    This archive was generated by hypermail 2b30 : Thu Jul 19 2001 - 02:38:02 PDT