The Clinton administration has unveiled a long-overdue national plan for guarding the country's critical computer systems. The plan will establish a central intrusion-detection network and create a scholarship program to educate and recruit budding information technology experts for the government.
Government security experts have long worried that because the nation's "critical infrastructure" - from systems for national defence and electric power, to banking and telephones - is now digitalised and accessible via the Internet, wanton attacks on various government and corporate systems could paralyse the US. Even now, those systems are subject to hundreds of attacks every day, from fleeting probes to aggressive intrusions. Cataclysmic attacks could come from any quarter, including foreign governments, disgruntled employees or teenage computer geeks.
"This new age of promise carries within it peril," says President Clinton. "If we are to continue to enjoy the benefits of the information age, we must protect our critical computer-controlled systems from attack."
A General Accounting Office report issued in October sharply criticised the US government's internal computer-security efforts as weak and lacking in focus.
The National Plan for Information Systems Protection, dubbed Version 1.0, asks Congress to set aside $US2.03 billion in the fiscal year 2001 budget for various measures, including a detection network and a scholarship program, with $621 million going for increased research and development efforts.
The plan also calls for a new government institute that will cooperate on research and development with the private sector, which controls 95 per cent of the critical infrastructure. Since October, the Treasury Department has been working with a dozen large financial corporations to share information about cyberthreats.
Perhaps the most controversial part of the new plan is the creation of a federal intrusion-detection network, or FIDNet, to monitor 22 government computer systems - from the health care system run by the Department of Veterans' Affairs to the taxpayer databases at the Internal Revenue Service - for signs of attack. FIDNet will be modeled on an existing Defence Department detection network that monitors military computer systems. When FIDNet was first proposed last year, it was to be administered by the FBI. The plan released today calls for FIDNet to be operated by the General Services Administration.
Civil liberties activists worry that FIDNet will prove unwieldy in practice. Ironically, such a network offers a new target for cyberterrorists, and activists are concerned that innocent stumbles by law-abiding citizens who approach the government in cyberspace could be misconstrued as terrorist attacks.
"It's creating another new database of personal information that is labeled suspicious and potentially terrorist in nature," says Jim Dempsey, a spokesman for the Centre for Democracy and Technology. "We're disappointed to see that it still has a prominent role in the program."
Richard Clarke, the administration's cyberterrorism czar, says FIDNet would simply be "a burglar alarm and a lock" for government files in cyberspace.
To make up for what it calls a severe lack of government IT workers, the administration is setting up a Scholarship for Service program that will assist up to 300 college students each year who pursue degrees related to information security. In return, the students will work for the government for an as-yet-unspecified number of years after graduation. The plan also calls for recruitment of high school students who would work summer jobs and internships with the goal of becoming certified federal IT workers.
Clarke, who confessed that government agencies "are having a hell of a time getting trained IT security personnel," says the government pay scale for such workers might be adjusted. According to Clarke, the top starting salary for a government IT worker with a bachelor's degree is $30,000 - far less than comparably skilled workers can make in the private sector.