Cyber Security Report Spreads Burden

A 65-page proposal titled "National Strategy to Secure Cyberspace" isn't so much a set of regulations as a primer on safe computing. The latest draft appears to have been watered down from mandates to suggestions.

Under intense lobbying by industry groups, the White House panel studying ways to protect America's high-tech backbone has dropped several security ideas and turned others into topics for discussion rather than government edicts, according to the latest version of the plan.

The ideas that have been dropped include requiring companies to pay money into a fund to improve national computer security and restricting use of emerging wireless networks until their security is approved.

The proposal still has plenty of suggestions, however, says CBS Radio News Technical Consultant Larry Magid, who has seen an advance copy.

"The plan advises everyone — home users and small business, large enterprises, higher education and government agencies — to do all they can to shore up security," Magid reports. "Home users, especially those with an always on connection to the Internet — such as DSL or cable modem — are being asked to install firewalls, anti-virus software and spam filters and to keep their operating systems up to date. Corporations, universities and government agencies are being urged to set up high level committees to review their security policies."

The plan points out that "when the Internet was built, features like security, which are vital today, were not part of its foundation."

The report is not without critics, however.

"We're just identifying the stuff we already know to be a problem, and saying it's a problem," said Russ Cooper of network security firm TruSecure Corp. who was briefed on the plan. "I thought there was going to be some meat, and there's not."

"Though it may seem far fetched, it's actually possible for an Internet-connected home computer to be commandeered by a hacker and used to attack other computers, including government networks," said Magid. "Based on this scenario, the government is asking everyone to do their part to help protect our information infrastructure."

The White House board has no statutory power to compel federal agencies or companies to follow its directives. Officials have previously noted that much of the nation's high-tech backbone - its banking, transportation and utilities networks – is owned and operated by private corporations.

White House cybersecurity czar Richard Clarke and other White House cybersecurity experts argue that the U.S. economy and national security are fully dependent on information technology and networked computers and that attacks on these networks can have serious consequences including disrupting critical services, potentially leading to the loss of life.

Buildings, bridges, airports and roads aren't the only things vulnerable to terrorist attack. The proposal suggests that potential adversaries have the intent and the tools to bring down our nation's data networks as well.

The report asks Americans to consider the following scenario: "A terrorist organization announces one morning that they will shut down the Pacific Northwest electrical grid for six hours starting at 4:00 p.m.; they then do so. The same group then announces that they will disable the primary telecommunication trunk circuits between the U.S. East and West Coasts for a half day; they then do so, despite our efforts to defend against them.

"Then, they threaten to bring down the air traffic control system supporting New York City, grounding all traffic and diverting inbound traffic; they then do so. Other threats follow, and are successfully executed, demonstrating the adversary's capability to attack our critical infrastructure.

"Finally, they threaten to cripple e-commerce and credit card service for a week by using several hundred thousand stolen identities in millions of fraudulent transactions, if their list of demands are not met. Imagine the ensuing public panic and chaos."

While the scenario seems a bit unlikely, there is no question that the Internet is now part of our national infrastructure, said Magid. Even if cyberspace weren't used to launch an attack there is certainly the possibility of a combined physical and virtual attack.

"As terrible and chaotic as things were on Sept. 11," Magid said, "some of the bright spots included the ability for information to flow via cell phones and the Internet, even when other channels of communications were unavailable. People used the Internet to find information about loved ones and colleagues and millions turned to net news sites to supplement what they were hearing on radio and seeing on television. Shutting down this resource would certainly add even greater confusion and chaos to whatever tragedy was unleashed."

Security expert Bruce Schneier said the White House won't be able to convince companies that expensive security enhancements are worth it when the company's stock price is at stake.

"The government should either make a law, or not bother," Schneier said. "This cajoling only goes so far. I think (companies) do want to be good corporate citizens, as long as it's free."

The plan is the product of heavy lobbying by companies, security experts and trade group, some of which helped draft entire chapters.

"We've been forthcoming throughout the process, trying to offer just suggestions from technologists and others," said Business Software Alliance head Robert Holleyman. "It's fair to say that I expect some of those suggestions were well received; others may not have been incorporated."

Officials had a tough job creating the plan, said Douglas J. Sabo of security software firm Network Associates.

"They had mission impossible: They were basically told to design a strategy but not an implementation plan," Sabo said. "Make it effective but not prescriptive. Make it short but include industry's input. Make real advancements but don't gore anyone's ox."

One proposal popular among security experts would have put more responsibility on Internet providers to screen data traffic for attacks or require them to distribute firewall and antivirus software.

But Internet companies like Verisign Inc. argued those ideas didn't consider the impact on their business costs or the speed and reliability of their networks.

"More security tends to slow down data transmissions," Verisign chief executive Stratton Sclavos said. "That one probably needs more percolating before it comes back as a recommendation."

In earlier speeches, Clarke likened companies selling high-speed Internet access without protection software to "selling a car today without a seat belt."