Six months after the September 11 terrorist attacks, Howard
Schmidt, vice-chairman of the US president's Critical
Infrastructure Protection Board, has said the US government is
close to releasing an updated plan for protecting the nation's most
critical systems and networks.
Schmidt, formerly chief security officer at Microsoft, said a new
national plan for information systems protection will be published
this summer. The document would supersede an earlier plan released
by the Clinton administration in 2000 and will be based largely on
input from private companies, according to Schmidt and earlier
statements made by Richard Clarke, the president's principal
adviser for cybersecurity.
National Security Council experts are poring through more than 127
questions and issues raised by private companies which operate the
bulk of the nation's critical infrastructure, including the
telecommunications grid, power stations and banking and finance
networks, said Schmidt.
In addition to delivering the national plan to the president,
Schmidt outlined three other priorities that have taken shape since
the presidential advisory board was established in the wake of the
September 11 attacks. One of those priorities is establishing the
Cyber Warning Information Network (CWIN), which would enable
authorities to "short-circuit viruses" and other attacks at the
boundaries of critical networks, said Schmidt. The government also
wants to focus more on research and development to increase the
lead-time on identifying future threats. A third priority is to
improve education at primary grade level, with particular focus on
ethical principles and computer use.
Although terrorists have primarily used the Internet to conduct
command, control and communications, there are fears that future
attacks could be accompanied by cyber-based incidents. "We never
know whose fingers are on the keyboard on the other end," said
Schmidt. The Bush administration is working with G8 member
countries to establish treaties to facilitate prosecutions for
international cybercrimes, said Schmidt.
While Schmidt said he is satisfied that progress has been made by
the private companies responsible for protecting the US' critical
systems, he said the administration has a "particular concern"
about the telecommunications grid and banking and finance systems
that people rely on for day-to-day living.
Peggy Weigle, CEO of security consulting firm Sanctum, said her
firm has conducted security audits at more than 300 companies
across all sectors and found that 97% of them were vulnerable to
potentially crippling attacks through the Web-based applications
they use to conduct business on the Internet.
Sanctum conducted an audit for an electric power company and was
able to compromise the utility's maintenance schedules, Weigle
said.
Weigle said the government may need to pass additional legislation
"to make things happen" because corporate executives are not
devoting enough attention to cybersecurity.
Schmidt said the level of vulnerability "varies from sector to
sector" but that overall, "we've not had a very integrated
approach".