With little fanfare, the White House Friday afternoon released the much debated National Strategy to Secure Cyberspace, which calls on industry to show unprecedented cooperation with goverment agencies in the name of network security.
The plan depends heavily on network operators and industry groups sharing with the government information on network attacks, security threats and widespread vulnerabilities. While similar efforts in the past have failed, some industry insiders say there is reason to believe that this time may be different. Meanwhile, President Bush in his introduction of the plan, called the effort "a framework for protecting this infrastructure that is essential to our economy, security, and way of life."
"The cornerstone of Americas cyberspace security strategy is and will remain a public-private partnership. The federal government invites the creation of, and participation in, public-private partnerships to implement this strategy," Bush wrote. "Only by acting together can we build a more secure future in cyberspace."
Those who had seen earlier versions of the plan expressed support. "The strategy is being accepted within the government," said Pete Morrison, director of the public sector at security vendor Netegrity Inc., in Waltham, Mass. "Ive seen a new awareness inside the government, and I think when people see that, they [will be] more willing to take it seriously and help with information."
The centerpiece of the strategy is a comprehensive cyber-security response system that relies on contributions from the private sector. The system would utilize a broad information-sharing program both inside and outside the federal government, facilitated by a separate office within the Department of Homeland Security, which the plan also calls for.
The "infrastructure protection program office," as referred to in the plan, would handle the flow of data between the private sector and the government. The office would also be responsible for determining how to store information regarding critical infrastructure protection that is voluntarily submitted by nongovernment organizations.
The strategy also recommends that the private sector develop a centralized network operations center to assess Internet health and complement the DHSs centralized capability and the overall National Cyberspace Security Response System.
This final plan differs greatly from the preliminary draft released for comment by the Presidents Critical Infrastructure Protection Board in September under the direction of outgoing PCIPB Chairman Richard Clarke.
That original draft was divided into five sections—covering home users and small businesses, large enterprises, critical sectors, national priorities, and global issues. The final version is organized along five priorities—a national cyberspace security response system, a national cyberspace security threat and vulnerability reduction program, a national cyberspace security awareness and training program, securing governments cyberspace, and international cyberspace security cooperation.
And where the original draft was heavy on recommendations and suggestions, the approved plan uses much stronger language, in many cases issuing directives to various government agencies.