Schmidt lays out cyberprotection board agenda

Six months after the September 11 terrorist attacks, Howard Schmidt, vice-chairman of the US president's Critical Infrastructure Protection Board, has said the US government is close to releasing an updated plan for protecting the nation's most critical systems and networks.

Schmidt, formerly chief security officer at Microsoft, said a new national plan for information systems protection will be published this summer. The document would supersede an earlier plan released by the Clinton administration in 2000 and would be based largely on input from private companies, according to Schmidt and earlier statements made by Richard Clarke, the president's principal adviser for cybersecurity.

National Security Council experts are poring through more than 127 questions and issues raised by private companies which operate the bulk of the nation's critical infrastructure, including the telecommunications grid, power stations and banking and finance networks, said Schmidt.

In addition to delivering the national plan to the president, Schmidt outlined three other priorities that have taken shape since the presidential advisory board was established in the wake of the September 11 attacks. One of those priorities is establishing the Cyber Warning Information Network (CWIN), which would enable authorities to "short-circuit viruses" and other attacks at the boundaries of critical networks, said Schmidt. The government also wants to focus more on research and development to increase the lead-time on identifying future threats. A third priority is to improve education at primary grade level, with particular focus on ethical principles and computer use.

Although terrorists have primarily used the Internet to conduct command, control and communications, there are fears that future attacks could be accompanied by cyber-based incidents. "We never know whose fingers are on the keyboard on the other end," said Schmidt. The Bush administration is working with G8 member countries to establish treaties to facilitate prosecutions for international cybercrimes, said Schmidt.

While Schmidt said he is satisfied that progress has been made by the private companies responsible for protecting the US's critical systems, he said the administration has a "particular concern" about the telecommunications grid and banking and finance systems that people rely on for day-to-day living.

Peggy Weigle, CEO of security consulting firm Sanctum, said her firm has conducted security audits at more than 300 companies across all sectors and found that 97% of them were vulnerable to potentially crippling attacks through the Web-based applications they use to conduct business on the Internet.

Sanctum conducted an audit for an electric power company and was able to compromise the utility's maintenance schedules, Weigle said.

Weigle said the government may need to pass additional legislation "to make things happen" because corporate executives are not devoting enough attention to cybersecurity.

Schmidt said the level of vulnerability "varies from sector to sector" but that overall, "we've not had a very integrated approach".
