President's cyber advisor outlines security plan

US President George Bush's administration is putting together a national strategy for safeguarding computer networks that will call on individuals and businesses, as well as the government, to participate in the effort.

Unlike most government initiatives, the National Strategy to Secure Cyberspace will be a working document created by public and private sector groups throughout the country, according to Richard Clarke, special advisor to the president for cyberspace security. Clarke spoke at the Networked Economy Summit hosted by George Mason University in Virginia, USA, on Monday (10 June).

The administration has held meetings in cities including Denver and Chicago to get input on the document, and is planning more events across the country, Clarke said. "We're going to develop a national strategy by people all over the country," he said.

The first edition of the document, which will be a roadmap of what the government, industry, and individuals must do to secure networks, should be ready by mid-September, he said, and will be continuously updated.

The strategy focuses on two basic ideas. The first is that everyone in the country, not just the government, must be responsible for securing their own portion of cyberspace, Clarke said.

"Threats to cyberspace can't be handled exclusively by our military or law enforcement," he told the audience. Universities, different sectors of the economy, and owners of critical infrastructures such as electricity grids and water systems must each secure their own networks.

The second idea behind the strategy is that the nation must move away from the "threat paradigm" it operates under to a "vulnerability paradigm," Clarke said. Before the terrorist attacks on the USA last September, the country looked to the government to tell them of encroaching threats and how to protect themselves. "That kind of dependency on the government to be prescient is not going to be successful," he said.

Instead, businesses must assess the vulnerability of their own systems. Individuals play a part too, Clarke said. For example, home computer users must install security products such as firewalls if they have broadband connections. Broadband services such as cable modems and digital subscriber line links are particularly susceptible to intrusion because computers that employ them are constantly connected to the Internet.

The government's role in securing networks should not be to regulate or dictate, Clarke continued, because agencies move too slowly to keep up with cyberthreats that emerge. Instead, the government should "stimulate the marketplace by raising the awareness of people and businesses," he said.

For example, members of the administration have been meeting with IT customers to question why they buy products from vendors that have security flaws, Clarke said. The administration is also asking insurance companies to write cybersecurity policies, and asking the financial industry to share best practices related to security.

"The government's most important role may be as a nudge," he said.

The government is also responsible for promoting and funding training in cybersecurity, and making sure that related research and development overlooked by the private sector gets funded.

Although Clarke's speech did not address Bush's announcement last week of plans to create a Department of Homeland Security that would coordinate a number of agencies' antiterrorism efforts, a member of the audience asked if the advisor thought this department would facilitate information sharing among government agencies.

The idea that there is tension between government agencies regarding sharing sensitive data is "largely myth," Clarke said. "There has been great cooperation for the last three years in the area of cyberspace." Putting together intelligence officials from organisations such as the US Central Intelligence Agency and the US Immigration and Naturalisation Service under this new department "will help minimise what little [tension] exists," he said.
