The White House contends that the existing plan is not helping businesses strengthen their IT security defences.
Administration officials began selling their new approach to businesses last week with what appeared to be a good cop/bad cop routine: The good-cop administration says it will oppose new regulations forcing businesses to upgrade IT security, but it warned that the bad-cop Congress will act if a major cyberincident damages or cripples part of the nation's infrastructure.
"The fact that new laws and regulations might be ill-conceived or ill-advised may not be a bar to their passage, especially if lawmakers and regulators conclude that industry is incapable of self-governance in this area," said Kenneth Juster, undersecretary for export administration at the US Department of Commerce.
White House officials said the Clinton administration's 1999 national plan for critical infrastructure protection is flawed because it could not be translated into business concerns. The Clinton plan "lacked the reservoir of knowledge" that private-sector executives can provide, said Richard Clarke, national co-ordinator for security, infrastructure protection and counterterrorism. Clarke was among the administration officials at a national infrastructure security conference held here last week that was sponsored by The Institute of Internal Auditors.
In recent weeks, the Bush administration has embarked on two efforts aimed at gaining greater business involvement. Firstly, it is examining whether the present multi-agency approach can effectively protect critical infrastructure. Secondly, it has begun meeting with businesses in industries such as oil and gas, telecommunications, transportation and finance to draft a new protection plan, which it wants finalised by the end of the year.
The new plan is likely to retain some of the recommendations of the Clinton administration. Those include funding for security research and development, regulatory relief and continued strengthening of Information Sharing and Analysis Centers (ISACs), which companies can use to share incident reports and information about trends in security. ISACs have been set up thus far in the banking, electricity, telecommunications and technology industries.
Rhonda MacLean, chief information security officer at Bank of America, said the ISACs have delivered real business value. "What I have found through information sharing, I don't believe I would have got from any other source," she said. "That, I think, really gives us a leg up in being aware of what is actually happening out there."
MacLean suggested that the industry-specific ISACs should include mechanisms for sharing information across industrial sectors, adding that "there is commonality" among sectors.
She also urged the strengthening of federal research and development efforts on security. "Too many vendors are really delivering us poorly developed products," MacLean said. "Not only are they full of operational problems, but they lack basic security controls."