White House rewrites core security policy

The Bush administration is rewriting the document that signalled the start of US government efforts to deal with...

The Bush administration is rewriting the document that signalled the start of US government efforts to deal with critical-infrastructure protection and cybersecurity to take into account post-11 September homeland security requirements.

The directive, which was signed by the then-president Bill Clinton in 1998, made it the policy of the US government to lead a public/private partnership aimed at eliminating all major vulnerabilities to the nation's critical physical and cyber infrastructures.

In addition to setting a 2003 deadline for the establishment of a defence against intentional cyberattacks, the directive also created the US Federal Bureau of Investigation's National Infrastructure Protection Center (NIPC) - now part of the Department of Homeland Security - and encouraged private-sector participation through information sharing and analysis centres (ISAC). 

The Bush version of that document that will be recast under the title Homeland Security Presidential Directive (HSPD). 

"The idea was to reflect the changes in the bureaucracy at the Department of Homeland Security and to give more importance to the ISACs," said Roger Cressey, former chief of staff at the President's Critical Infrastructure Protection Board.

The document, which has already been reviewed by a committee of deputy agency secretaries, focuses on terrorist threats to the nation's vital economic infrastructures as a way to weaken the economy and damage public confidence.

It also recognises the Depertment of Homeland Security as the main agency at the federal level for critical-infrastructure protection and the need to co-ordinate security efforts with the private entities that own and operate more than 85% of the nation's critical infrastructures. 

The original document assigned private-sector liaison duties to eight federal agencies. The new one adds to that list the Department of Agriculture, the Nuclear Regulatory Commission and a yet-to-be determined position at the Transportation Security Administration to cover the transportation of hazardous materials. 

The rewrite also emphasises identifying, cataloging and prioritising the nation's critical systems with respect to how vital they are to the nation's economy and national security, as well as how vulnerable they are to terrorist attack. 

The revamped document also calls for the development of a system to aid information sharing between federal, state and local government agencies and the private sector, and the establishing of a national indications and warning architecture to detect incidents that could point to a larger, co-ordinated attack against critical infrastructures. 

Dan Verton writes for Computerworld

Read more on IT risk management