President Bush's newly installed cybersecurity czar, Richard Clarke, vowed Tuesday to enhance ways in which government and industry safeguard critical infrastructures against terrorism, but observers say hurdles stand in the way of full cooperation.
In taking the post, Clarke immediately called for closer cooperation between government defense and industry.
"America has built cyberspace, and America must now defend its cyberspace. But it can only do that in partnership with industry," said Dick Clarke, newly installed as the president's special adviser for cybersecurity. Hand-picked by President Bush, Clarke will report directly to former Pennsylvania Gov. Tom Ridge, who is now the high-profile director of homeland security.
Echoing Clarke, Ridge acknowledged in a ceremony surrounding Clarke's appointment that cybersecurity poses both legal and political issues.
"It's a legal challenge, because this effort raises cutting-edge questions of both privacy and civil liberties," he said. "It's a political challenge, because the government must act in partnership with private sector, since most of the assets that are involved in this effort are owned by the private sector," Ridge continued.
Even before Clarke's appointment, industry and government groups charged with critical infrastructure protection were buoyed by a new sense of urgency following the Sept. 11 attacks.
"The tragedy that occurred on Sept. 11 didn't radically change the things that are being done, but it did give greater emphasis to speeding them up," noted Guy Copeland, who played a key role in a central telecommunications coordinating committee. Copeland is now a vice president of El Segundo, Calif.-based Computer Sciences Corp. (CSC).
Still, coordinating cyberspace security may prove a complex endeavor, because there are 13 different entities in place to swap information on perceived or potential cyberattacks on the nation's most sensitive infrastructures, such as IT, telecom, financial, and transportation.
Government groups involved include the FBI's National Infrastructure Protection Center (NIPC), www.nipc.gov, and the Department of Commerce's Critical Infrastructure Assurance Office (CIAO), www.ciao.gov.
Meanwhile, industry has spearheaded the inception of others, such as the Partnership for Critical Infrastructure Security (PCIS), www.pcis-forum.org, and the IT Information Sharing and Analysis Center (IT-ISAC), www.it-isac.org.
"Some streamlining and coordination of budget authority and accountability would provide some added efficiencies," said Ken Watson, PCIS president.
To kick off such streamlining, Bush is expected to soon sign an executive order that will put in place a "governmentwide board that will coordinate the protection of critical infrastructure systems," Ridge said.
But despite these initial efforts, several thorny issues remain around the disclosure of private sector data to government bodies.
For instance, many company officials fret that they will run afoul of antitrust statutes or face steep liabilities for handing over information on system vulnerabilities or on specific cyberattacks.
"Companies don't want to be sued because a piece of information has been disclosed for the common good," CSC's Copeland said.
On top of these practical concerns is a fear among corporations that information turned over to the government theoretically could be ferreted out by private citizens, advocacy groups or the media under an existing law called FOIA (Freedom of Information Act).
Lawmakers, including Sen. Bob Bennett, R-Utah, have been scurrying lately to tackle such disclosure issues. Bennett has introduced the Critical Infrastructure Information Security Act of 2001 (CIISA), which would exempt from FOIA information shared with the government for the purpose of analysis or warning.
Bennett's legislation also takes on industry frustration over the fact that it does not always receive information about cyberattacks from the government.
"It has not always been a two-way street," said Harris Miller, president of the Information Technology Association of America (ITAA) in Arlington, Va.