BUSH plans different approach to cyberprotection
Wednesday, July 18th 2001, 12:00 am
By: News On 6
WASHINGTON (AP) _ Critics fear proposed changes to the way the government protects the nation's technology backbone from terrorism could bog down the process and remove the accountability of having a single person in charge.
A draft executive order from President Bush, obtained by The Associated Press, would abolish the high-profile post of security chief in favor of a board of about 21 officials from all major federal agencies.
The board would report to National Security Adviser Condoleezza Rice. Among the agencies that would participate are the departments of State, Defense, Justice, Energy and Treasury, as well as the National Security Agency, CIA and FBI. Only 11 agencies had key roles in former President Clinton's plan.
The White House has briefed several industry groups on the plan and told executives that Bush is expected to sign the order formalizing the changes after Labor Day.
Mark Rasch, former head of the Justice Department's computer crimes division, predicted with so many federal agencies involved in the advisory panel ``it's going to have input from everybody on God's green earth'' before any action is taken.
``The bad news is, nobody will do anything about critical infrastructure protection until there's a global catastrophic failure,'' said Rasch. ``The good news is, there will be a global catastrophic failure.''
White House officials on Tuesday declined to discuss the executive order.
The draft dated June 26 states Bush's order would abolish the position of national coordinator for infrastructure protection, which was created by President Clinton in 1998 when the government created its first ever blueprint for combatting threats against critical facilities that provide Americans access to electricity, water, banking and the Internet.
National security expert Richard Clarke, who currently hold's the position of security chief, has pointedly warned Congress, companies and local agencies about the potential for a ``digital Pearl Harbor'' in which a terrorist attack would paralyze computers, electrical grids and other key infrastructure.
Technology trade group head Harris Miller wanted Bush to keep a single person in charge, which he called a ``one-throat-to-choke approach.'' But he called Bush's plan ``a good alternative'' which elevates more agencies to decision-making roles.
``The proof will come in seeing how this actually operates in practice, and making sure that the agencies and departments get out of their asylum mentality,'' said Miller, president of the Information Technology Association of America.
As the United States relies more on computers, the government and private companies are concentrating on how a computer attack _ either by a foreign government, terrorist group, or young hackers _ could cripple the nation.
Officials have put forth several possible scenarios that could create financial havoc or loss of life, such as disruptions to ATM networks, the air traffic control system or the national power grid. Several nations, such as the United States, Russia and China, are preparing its armies for future cyber warfare that would focus more on hacking than traditional weapons.
The plan makes sharing computer security information with companies a top priority. Security companies and the General Accounting Office, the investigative arm of Congress, have criticized the government's information sharing efforts so far, saying that firms aren't notified quickly enough about new security holes.
A congressional report earlier this year stated that the National Infrastructure Protection Center, part of the FBI, is understaffed and needs more training so it can keep companies up to date.
Rasch said the language used in the draft is vague. For example, while the plan says the board will ``assist in the development of standards,'' it doesn't mention if the board can force companies to abide by them.
``Is the government going to come in and tell whether (Microsoft's upcoming operating system) Windows XP is secure? And then is it going to tell people how to secure it?'' Rasch asked. ``The government is the one that should be coming up with new vulnerabilities, not the 19-year-old hackers.''