The Bush administration has begun an effort to reorganize and rewrite the federal plan for protecting the nation's largely privately owned critical infrastructure.
The White House contends that the existing plan isn't helping businesses strengthen their IT security defenses.
Administration officials began selling their new approach to businesses last week with what appeared to be a good cop/bad cop routine: The good-cop administration says it will oppose new regulations forcing businesses to upgrade IT security, but it warned that the bad-cop Congress will act if a major cyberincident damages or cripples part of the nation's infrastructure.
"The fact that new laws and regulations might be ill-conceived or ill-advised may not be a bar to their passage, especially if lawmakers and regulators conclude that industry is incapable of self-governance in this area," said Kenneth I. Juster, undersecretary for export administration at the U.S. Department of Commerce.
White House officials said the Clinton administration's 1999 national plan for critical infrastructure protection is flawed because it couldn't be translated into business concerns. The Clinton plan "lacked the reservoir of knowledge" that private-sector executives can provide, said Richard Clarke, national coordinator for security, infrastructure protection and counterterrorism. Clarke was among the administration officials at a national infrastructure security conference held here last week that was sponsored by The Institute of Internal Auditors Inc. in Altamonte Springs, Fla.
In the past several weeks, the Bush administration has embarked on two efforts aimed at gaining greater business involvement. First, it's examining whether the present multiagency approach can effectively protect critical infrastructure. Second, it has begun meeting with businesses in industries such as oil and gas, telecommunications, transportation and finance to draft a new protection plan, which it wants completed by year's end.
The new plan will likely retain some of the recommendations of the Clinton administration's plan. Those include funding for security research and development, regulatory relief and continued strengthening of Information Sharing and Analysis Centers (ISAC), which companies can use to share incident reports and information about trends in security. ISACs have been set up thus far in the banking, electricity, telecommunications and technology industries.
Rhonda MacLean, chief information security officer at Bank of America Corp. in Charlotte, N.C., said the ISACs have delivered real business value. "What I have found through that information sharing I do not believe I would have gotten from any other source," she said. "That, I think, really gives us a leg up in being aware of what is actually happening out there."
MacLean suggested that the industry-specific ISACs should include mechanisms for sharing information across industrial sectors, adding that "there is commonality" among sectors.
She also urged the strengthening of federal research and development efforts on security. "Too many vendors are really delivering us poorly developed products," MacLean said. "Not only are they full of operational problems, but they lack basic security controls."