US government to unveil cyber defence strategy

The US government will launch its national cyber defence strategy today (18 September), and give private companies and IT...

The US government will launch its national cyber defence strategy today (18 September), and give private companies and IT providers two months to review and recommend changes to the plan.

Richard Clarke, chairman of the US Critical National Infrastructure Protection Board, will unveil the strategy, which is likely to propose a five-pronged approach toward building a national public/private partnership to guard against cyber attacks.

The plan will focus on the private companies that own and operate 90% of the critical infrastructure of the US and the government agencies responsible for critical government services. In addition, it will make proposals for home users and small businesses on national issues in research and development and education, and on global co-operation.

The discussion period "gives people more time to get comfortable with the plan and offer feedback", an administration official said.

Joe Magee, chief security officer at Top Layer Networks, welcomed the additional time to review the plan. "Who knows more about denial-of-service attacks, for example, than the private sector? I'm all for this," he said.

The Bush administration's cyber security strategy has undergone major revisions in recent weeks, including the removal of various provisions that administration officials decided were either premature or politically untenable.

Two provisions that remain up in the air are the concept of establishing a chief privacy officer at the executive branch level of government, and calling on Internet service providers to offer customers, including home users, bundled security services and devices such as firewalls.

Russ Cooper, surgeon general of TruSecure, one of the few Internet security experts to have seen the entire plan, was unhappy with the extension or with the strategy as it stands.

"I hope that Clarke uses the time to put back in things that have been washed out of the document," said Cooper. In particular, he said the administration has removed language that would have offered a definition of liability and assignment of responsibility for Internet security.

"It's time that the government mandates some action be taken," said Cooper. "I'd like ISPs be told that it is illegal to carry identified Internet attack traffic. But I don't see anything similar or at that level in what they're proposing."

Read more on IT risk management