[ISN] Bush's Cyber-Security Plan Targets E-Mail

From: InfoSec News (isnat_private)
Date: Sun Aug 25 2002 - 23:25:08 PDT

  • Next message: InfoSec News: "[ISN] Linux Advisory Watch - August 24th 2002"

    August 23, 2002 
    By Caron Carlson and Dennis Fisher 
    In an effort to bolster the nation's cyber-security, the Bush
    administration has plans to create a centralized facility for
    collecting and examining security-related e-mail and data and will
    push private network operators to expand their own data gathering,
    according to an unreleased draft of the plan.
    The proposed cyber-security Network Operations Center is included in a
    draft of The National Strategy to Secure Cyberspace, which was
    developed by the president's Critical Infrastructure Protection Board
    with input from the private sector and is due to be released Sept. 18.
    The call for expanded data collection and analysis results from
    administration concerns that efforts to secure cyber-space are
    hampered by the lack of a single point of data collection to detect
    cyber-security incidents and issue rapid warnings, according to the
    draft strategy, obtained by eWEEK. Critics, however, worry that such a
    system would be expensive and difficult to manage, and would allow
    government agencies to expand their surveillance powers.
    Other recommendations include restricting the use of wireless
    technologies by government agencies; requiring corporations to
    disclose their IT security practices; establishing a "test bed" for
    multivendor patches; creating a certification program for security
    personnel; and mandating certifications for all federal IT purchases.
    Howard Schmidt, vice chairman of the PCIPB, said that the center would
    consolidate threat data from the country's collection end points, such
    as the FBI's National Infrastructure Protection Center, the Critical
    Infrastructure Assurance Office, the Department of Energy and
    commercial networks. Private companies would be encouraged to increase
    the amount of data collected and share it with the government.
    "Major companies generally report this information internally,"  
    Schmidt told eWEEK. "We're looking for that to come back to a central
    According to the draft strategy, the public/private initiative would
    involve the major ISPs, hardware and software vendors, IT security
    companies, and Computer Emergency Response Teams, in addition to law
    enforcement and other agencies.
    Some feel that the government's internecine rivalries and
    information-sharing rules will hamstring any attempt at centralized
    collection and analysis.
    "There are such high barriers in government to being able to
    disseminate information and adjusting the environment to react to
    threats, I don't think it will have much impact," said William Harrod,
    director of investigative response at TruSecure Corp. in Herndon, Va.,
    and a former FBI computer forensic specialist. "They'll have different
    information coming in from different analysts, and they'll have to
    weed through it."
    The proposed strategy recommends that the center be partially
    federally funded, but it would inevitably impose new costs on the
    private sector without commensurate benefits, critics charged.
    "Government doesn't have a good track record when it comes to
    collecting and disseminating massive volumes of data," said Kevin
    Baradet, network systems director at Cornell University's Johnson
    Graduate School of Management in Ithaca, N.Y. "We could be drowning in
    data, most of it noise."
    Then there are the privacy concerns.
    "Whatever the federal government wants to do with its own data is OK
    with me as long as it doesn't waste my personal and corporate tax
    dollars," said Karl Keller, president of custom software developer IS
    Power Inc., in Thousand Oaks, Calif. "The privacy aspects, however,
    concern me greatly. This sounds like a dramatic and evil expansion of
    Echelon and Carnivore."
    The strategy also calls on the FBI, Secret Service and Federal Trade
    Commission to establish a single system for corporations to report
    Internet fraud and extortion, illegal hacking, and unauthorized
    network intrusions. It recommends that the federal government
    systematically collect data on cybercrime victims and cyber-intrusions
    from businesses. The administration hopes to assuage industry fears by
    recommending legislative changes--including exemptions from Freedom of
    Information Act requirements and exemption from antitrust laws--that
    would reduce liability for companies turning over communications to
    law enforcement.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Mon Aug 26 2002 - 02:05:42 PDT