Bush rewriting US IT protection plan

Bush administration officials today said they've started rewriting the federal government's plan for protecting critical technology infrastructures in the US, claiming that the existing plan is flawed and offers little help to companies seeking to strengthen their IT security defences.

The administration hopes to strengthen the infrastructure protection plan by relying heavily on input from the private sector, according to officials. The White House also wants to avoid creating new security regulations, but warned that Congress could take regulatory action if US companies fail to protect themselves.

"The preferred approach is to promote market [actions] rather than regulatory solutions," said Kenneth I. Juster, undersecretary for export administration at the US Department of Commerce.

The Clinton administration released a national plan for protecting critical IT infrastructure two years ago. A key part of the plan was a call for private sector co-operation through a series of industry-specific Information Sharing and Analysis Centers (ISACs), which companies can use to share incident reports and information about security trends. ISACs have so far been set up in the banking, electricity, telecommunications and technology industries.

But Juster contended at a US Chamber of Commerce forum that the Clinton plan "could not be translated into business terms that corporate boards and senior management could understand, such as shareholder value, operational survivability, customer relations and public confidence in the company.

"Only when infrastructure concerns are translated into tangible business concerns will [companies] respond effectively," Juster said. Richard Clarke, national co-ordinator for security, infrastructure protection and counterterrorism, added that the Clinton plan "lacked the reservoir of knowledge" that private sector executives could provide.

Bush administration officials said they've already begun talking to companies in industries such as financial services, oil and gas, electricity and transport, and to technology vendors to seek help in preparing a new national plan. They intend to complete the new plan by the end of the year.

Some attendees at the conference welcomed the new approach, but there were some caveats. "The biggest challenge is that things change so fast," said William Mair, president of Information Assurance Associates, a consultancy based in Illinois. "What is an effective solution one month is less reliable six months later."

Sharon Lee Thompson, director of IT auditing at the AARP in Washington, said she agrees with the administration's goal of getting more corporate users involved in formulating a technology protection plan. But, she added, the new plan's value will depend on how it's put together and whether it has possible use "as a model for my organisation."
