The US government will launch its national cyber defence strategy
today (18 September), and give private companies and IT providers
two months to review and recommend changes to the plan.
Richard Clarke, chairman of the US Critical National Infrastructure
Protection Board, will unveil the strategy, which is likely to
propose a five-pronged approach toward building a national
public/private partnership to guard against cyber attacks.
The plan will focus on the private companies that own and operate
90% of the critical infrastructure of the US and the government
agencies responsible for critical government services. In addition,
it will make proposals for home users and small businesses, on
national issues in research and development and education, and on
global co-operation.
The discussion period "gives people more time to get comfortable
with the plan and offer feedback", an administration official said.
Joe Magee, chief security officer at Top Layer Networks, welcomed
the additional time to review the plan. "Who knows more about
denial-of-service attacks, for example, than the private sector?
I'm all for this," he said.
The Bush administration's cyber security strategy has undergone
major revisions in recent weeks, including the removal of various
provisions that administration officials decided were either
premature or politically untenable.
Two provisions that remain up in the air are the concept of
establishing a chief privacy officer at the executive branch level
of government, and calling on Internet service providers to offer
customers, including home users, bundled security services and
devices such as firewalls.
Russ Cooper, surgeon general of TruSecure, one of the few Internet
security experts to have seen the entire plan, was unhappy with the
extension and with the strategy as it stands.
"I hope that Clarke uses the time to put back in things that have
been washed out of the document," said Cooper. In particular, he
said the administration has removed language that would have
offered a definition of liability and assignment of responsibility
for Internet security.
"It's time that the government mandates some action be taken," said
Cooper. "I'd like ISPs to be told that it is illegal to carry
identified Internet attack traffic. But I don't see anything
similar or at that level in what they're proposing."