White House unveils US IT security code of practice

The US took the wraps off its first national strategy for computer security this week. The code of practice aims to improve computer security in government, business, academia and among home users.

The 150-page document, which lists 80 obligations for government agencies and the private sector, forms part of the US administration's response to the terrorist attacks in September 2001.

Computer Weekly revealed earlier this year that the UK is working on its own national IT security strategy, which, although taking a different approach to the US strategy, is likely to have much in common with it.

The US strategy places a strong emphasis on making sure that computers that control critical systems, such as transport and nuclear power plants, are secure.

One of its most important provisions encourages government agencies to only buy software that has been certified as being secure, a move that is likely to encourage suppliers to improve the security of their products.

The strategy is also expected to call for the creation of a centre to study computer viruses and other security threats and a private-public programme to improve the security of critical parts of the Internet.

The strategy document was compiled by Richard Clarke, the White House's director of cyberspace security, with input from industry and computer experts.

Security experts said the threat of cyber attacks as part of a war was a real one.

Peter Sommer, an independent security expert at the London School of Economics, said, "Cyber attacks are very likely to increase. It does not require many hackers to have an impact."

According to security analyst firm mi2g, the digital confrontation has already begun, with an anti-war hacking group launching a substantial digital attack on three online computer systems hosted by AOL Time Warner earlier this month.

However, Ross Anderson, leader of the IT security group at Cambridge University, sounded a note of caution. "Cyber security is enormously over-hyped," he said. "There are institutional pressures from vendors, government agencies, insurance companies and some academics to talk up the threat."
