WEEK OF August 14, 2000
At Risk: A Secure Net
Federal Oversight of the Internet May Lead to Interference
The Y2K apocalypse failed to materialize. But the resulting complacency about computer-induced disaster proved short-lived as we were besieged by denial-of-service attacks and computer viruses. Businesses were effectively shut down; government services were temporarily suspended. The attacks highlighted the need to do more to secure the systems that so many sectors of our economy, as well as the federal government, rely upon.
Protecting the privately owned and operated computer networks that make up our “critical information infrastructure”—
which extends from utilities to banking, to communications,
to transportation, to health care, to e-commerce—is essential
for Americans’ national security, economic welfare, and fundamental freedoms. But how this is done will be key to its success—and the information technology industry has a vital
interest in seeing that we do it the right way.
So far, the government has said that it will work cooperatively with industry to deter, identify, and respond to cyber
threats and attacks. Yet by treating our information infrastructure as a national security asset, the government has laid
the basis for future control and regulation through technology mandates or federal standards. Such actions would hamper
efforts to improve cybersecurity. They would also impose significant costs on industry and reduce the privacy of businesses and consumers on the Internet.
SECURITY’S STRUCTURE
In May 1998, President Bill Clinton issued Presidential
Decision Directive 63, calling for a national effort to strengthen
the country’s defenses against unconventional threats to its
increasingly vulnerable and interconnected computer infrastructure. The government’s announced goal is to establish a
reliable, secure information infrastructure by 2003, using the
full authorities, capabilities, and resources of the government
as necessary.
In January of this year, the administration released the
first version of its National Plan for Information Systems
Protection. The two major stated objectives are (1) to make
the federal government a model of information security and
(2) to build a voluntary public-private partnership to protect the national information infrastructure. The president
also requested $2 billion from Congress for programs and
research.
A bureaucratic soup of acronyms has been created to
analyze and respond to threats and to work closely with the
private sector. The administration’s effort is directed by
Richard Clarke, national coordinator for security, infrastructure protection, and counter-terrorism at the National
Security Council. The Department of Defense is receiving
the lion’s share of the funding, primarily to secure its own
systems and to conduct research and development. Within
the Federal Bureau of Investigation, a National
Infrastructure Protection Center, headed by Michael Vatis,
has been established to coordinate threat assessment and
warnings, as well as law enforcement investigations and
responses. At the Department of Commerce, a temporary
Critical Infrastructure Assurance Office (CIAO), headed by
John Tritak, serves as a national planning center to coordinate with the private sector.
The government is also working hard to encourage private businesses to do more to improve security and to share information and best practices among themselves and with the government. At the CEO level, a National Infrastructure Assurance Council will advise the president and the Cabinet. The Partnership for Critical Infrastructure Security is a cross-sector, cross-industry effort supported by the CIAO. A few individual companies have joined the FBI’s InfraGard program. And the information technology industry itself is considering creation of a center that would gather, analyze, sanitize, and disseminate information to industry members and the government.
By Bruce J. Heiman
A Legal Times Publication
© 2000 NLP IP Company. All rights reserved. No reproduction of any portion of this issue is allowed without written permission from the publisher.
A HELPING HAND?
Is there any real reason for industry to be concerned
about all this government activity? The administration has
said that it will work cooperatively with the private sector.
But where “encouragement” fails to yield desired results,
forced compliance may follow. In meetings and at conferences, officials from the NSC, DOD, DOC, and FBI all say
that regulation remains an option. The private owners and
operators of the information infrastructure could someday
be required to meet federal standards, use federal technologies, and follow federal policies and practices.
There are several very good reasons why that kind of government intervention would be a bad idea:
• The government does not have the expertise. It’s the private sector that has the knowledge necessary to protect the
information infrastructure. The government has hardly done
an exemplary job of protecting even its own systems. It is
unsettling at best to contemplate Washington as the arbiter
of specific security objectives and the judge of whether
industry has achieved desired results.
• Regulation would be counterproductive. The best cybersecurity solutions will be market-driven and industry-led.
New laws, regulations, or standards would be self-defeating, stifling innovation, artificially channeling R&D, and
harming the very infrastructure that needs protection.
Moreover, companies’ incentive to improve security could
be eviscerated if they are forced without fair compensation
to license a new tool or technique that the government
deems critical.
• Government standards would raise costs. Washington should not mandate technologies or require companies to implement government-developed standards regardless of whether they are reasonable for a particular situation or whether more cost-effective alternatives exist. There is also the possibility that companies will be forced to pay licensing fees for technology that only the government wants them to use.
• Government intervention could violate privacy rights. Threats to computer security should not be used as a broad justification for violating personal and corporate privacy. Indeed, as more of our lives are conducted electronically, it is essential that these communications and transactions be shielded from unjustified examination. We do not need widespread surveillance or monitoring of citizens at home and work under the guise of information infrastructure protection.
• Government action could compromise business secrets. Forced public-private partnerships raise concerns regarding the disclosure of companies’ proprietary information. Will the shared information be subject to disclosure under the Freedom of Information Act? Will there be carve-out protection for trade secrets? Will the information be classified? What will the liability implications be?
Mandatory compliance in this area would not be unprecedented. Consider that after three years of government-industry “partnership” in developing wiretapping standards pursuant to the Communications Assistance for Law Enforcement Act, the FBI rejected those standards and sought to impose its own gold-plated requirements, which would have significantly expanded FBI capabilities despite contrary congressional direction and billions of dollars in costs to industry.
Another example of government overreaching is the original plan for the Federal Intrusion Detection Network, or FIDNET. The administration first proposed that the FBI monitor Internet traffic generally within this country. In the wake of strong congressional and private sector criticism, FIDNET’s mission was narrowed to monitoring the federal government’s own computer networks.
TRUE PARTNERSHIP
So what would be the best way to protect our critical information infrastructure? Both the private sector and the government have essential roles to play. But a voluntary partnership is the only approach that can succeed.
The private sector needs to:
• Continue improving protection in product lines and networks. Information technology companies are already responding with greater rapidity to virus attacks, often announcing solutions within hours. The recent change in administration policy facilitating the use of strong encryption also helps, as does public education about practicing good “security hygiene.” But it is important to understand that there is no silver bullet for the problem of cybersecurity; it is a process of continual improvement.
• Do a better job of sharing information among industry
members and with the government about threats and vulnerabilities as well as best practices. In this regard, legislation
could facilitate the sharing of information by removing disincentives imposed by antitrust laws, FOIA requirements, and
the apparent ability of third parties to use such disclosures
against those who provide them.
At the same time, the government must:
• Share information with the private sector. The FBI’s
National Infrastructure Protection Center is a step in the
right direction. More must be done with greater frequency
and efficiency, specifically with respect to warnings of particular threats.
• Get its own house in order. Given the recent report on the ease with which General Accounting Office employees gained access to supposedly secure facilities by posing as law enforcement officers, we can only hope that the government’s virtual security is better than its physical security.
• Improve law enforcement’s ability to detect and prosecute cybercrime. The government must continue to strengthen its own technological capabilities to investigate crime over the Internet. Additional training is needed, including at the state and local levels. Cybersecurity scholarships and the creation of a new cybercorps with specialized training would also help.
Information technology has made many of our nation’s
essential services enormously more robust and reliable. Indeed,
the technological advances in our information infrastructure
sparked the dramatic rise in productivity underlying the economic success of the 1990s. Yet the same interconnectedness that allows us to increase efficiency and opens new frontiers of commerce and government makes us more vulnerable.
Better protection of our computer networks is essential to
the public and private sectors. But the government should
not overreact to denial-of-service attacks and Internet
viruses. These legitimate threats to computer security do not
call for new powers of regulation, new burdens on industry,
or loss of fundamental rights of privacy. Giving government
the resources to fight cybercrime is a priority. Broad new
government authority is not.
■