Page Two

By Dennis Fisher  |  Posted 2002-08-26

The proposed strategy recommends that the center be partially federally funded, but critics charge it would inevitably impose new costs on the private sector without commensurate benefit, in addition to duplicating similar efforts.

"Government doesn't have a good track record when it comes to collecting and disseminating massive volumes of data," said Kevin Baradet, network systems director at Cornell University's Johnson Graduate School of Management, in Ithaca, N.Y., and an eWeek Corporate Partner. "We could be drowning in data, most of it noise."

Above all, users said, there are the privacy concerns.

"Whatever the federal government wants to do with its own data is OK with me, as long as it doesn't waste my personal and corporate tax dollars," said Karl Keller, president of custom software developer IS Power Inc., in Thousand Oaks, Calif. "The privacy aspects, however, concern me greatly. This sounds like a dramatic and evil expansion of Echelon and Carnivore."

The strategy calls on the FBI, Secret Service and Federal Trade Commission to establish a single system for corporations to report Internet fraud and extortion, illegal hacking, and unauthorized network intrusions. It recommends that the federal government systematically collect data on cyber-crime victims and cyber-intrusions from businesses.

However, most CIOs are loath to report any network breach, even in confidence. The Bush administration is seeking to assuage industry fears by recommending legislative changes, including exemptions from Freedom of Information Act requirements and exemption from antitrust laws, that would reduce liability for turning over data to law enforcement.

Of the more than 80 proposals in the draft of The National Strategy to Secure Cyberspace, among the most worrisome to corporations is a recommendation that they publicly disclose the identity of their IT security audit companies and the scope of their activities annually. The draft strategy recommends that businesses report incident and tracking data, the effectiveness of remediation measures, and the steps they take to secure their systems. In addition, they should reveal corporate and governance systems for IT security in a standardized form.

"I don't see us turning over any logs to the government," said a security administrator at a major East Coast financial company, who asked not to be named. "It's too risky."

Proponents say that as the number of attacks continues to increase, more communication and information exchange between the government and private sector can only help.

"There's no doubt in my mind that [sharing information] will help. This goes beyond just the corporate world," said George Samenuk, CEO of Network Associates Inc., in Santa Clara, Calif., who consulted with CIPB Chairman Richard Clarke on the national strategy. "We've accelerated our efforts in providing information to the government and giving them early notification of problems. I see all the barriers being broken down."
