Originally created 09/18/02

Industry lobbying removes parts of cybersecurity plan



WASHINGTON -- Under intense lobbying by industry groups, a White House panel studying ways to protect America's high-tech backbone has dropped several security ideas and turned others into topics for discussion rather than government mandates, according to the latest version of the plan.

The ideas that have been dropped include requiring companies to pay money into a fund to improve national computer security and restricting use of emerging wireless networks until their security is approved, according to the draft obtained by The Associated Press.

"We're just identifying the stuff we already know to be a problem, and saying it's a problem," said Russ Cooper of network security firm TruSecure Corp., who was briefed on the plan. "I thought there was going to be some meat, and there's not."

The cybersecurity panel headed by President Bush's computer security adviser, Richard Clarke, is expected to release its recommendations Wednesday. Clarke adviser Andy Purdy said Monday the panel has decided to put its ideas out for public comment for two months before sending them to the president.

Once called the "National Strategy to Secure Cyberspace," the draft circulated Monday added the words "For Comment" to the title.

The board is part of the White House, but has no statutory power to compel federal agencies or companies to follow its directives. Officials have previously noted that much of the nation's high-tech backbone - its banking, transportation and utilities networks - is owned and operated by private corporations.

Within the past week, officials removed a proposal to create an Internet fund built with tax dollars and industry contributions to pay for Internet security enhancements, the latest draft shows.

Security expert Bruce Schneier said the White House won't be able to convince companies that expensive security enhancements are worth it when the company's stock price is at stake.

"The government should either make a law, or not bother," Schneier said. "This cajoling only goes so far. I think (companies) do want to be good corporate citizens, as long as it's free."

Another dropped proposal would have called for companies to work on securing wireless networks, and barred the use of such networks until they could be proven secure. Wireless technology, which is increasingly cheap and easy to use, has been criticized as difficult to secure.

Now, the plan says only that "federal agencies should consider installing systems that continuously check for unauthorized connections to their networks." The rest of the wireless network proposal is under the heading "Issues highlighted for continued analysis, debate and discussion."

Earlier this summer, Clarke lambasted wireless networks as inherently insecure, saying "we all should shut them off until the technology gets better."

A White House official, speaking on condition of anonymity, said Clarke's statements were based on wrong information. At the time he made the comments, Clarke believed it was impossible to run wireless networks safely, the official said.

The plan is the product of heavy lobbying by companies, security experts and trade groups, some of which helped draft entire chapters.

"We've been forthcoming throughout the process, trying to offer just suggestions from technologists and others," said Business Software Alliance head Robert Holleyman. "It's fair to say that I expect some of those suggestions were well received; others may not have been incorporated."

Officials had a tough job creating the plan, said Douglas J. Sabo of security software firm Network Associates.

"They had mission impossible: They were basically told to design a strategy but not an implementation plan," Sabo said. "Make it effective but not prescriptive. Make it short but include industry's input. Make real advancements but don't gore anyone's ox."

One proposal popular among security experts would have put more responsibility on Internet providers to screen data traffic for attacks or require them to distribute firewall and antivirus software.

But Internet companies like Verisign Inc. argued those ideas didn't consider the impact on their business costs or the speed and reliability of their networks.

"More security tends to slow down data transmissions," Verisign chief executive Stratton Sclavos said. "That one probably needs more percolating before it comes back as a recommendation."

In earlier speeches, Clarke likened companies selling high-speed Internet access without protection software to "selling a car today without a seat belt."

---

On the Net:

Critical Infrastructure Protection Board: http://www.securecyberspace.gov

Network Associates: http://www.networkassociates.com