IT Groups Plan for Cyber-Security

Advocates hope improved coordination, info sharing can ward off new laws.

Responding to a request from the Bush administration, IT and telecommunications industry representatives in Washington filed a plan with the government last week to improve the countrys critical infrastructure and cyber-security.

Calling for improved information sharing and private- and public-sector coordination, the groups hope to ward off heavy-handed government mandates in response to the demand for a more secure online environment.

The plan, submitted to the National Telecommunications and Information Administration last week, aims to protect not only the IT and communications industries but also all other industries that rely on their products and services.

The main message is that nobody can do it alone; it is every businesss responsibility to contribute to cyber-safety.

"Continuing to monitor and patch known vulnerabilities—studies show that this is not always happening," said Dan Bart, senior vice president of standards and special projects at the Telecommunications Industry Association, in Arlington, Va. "Making sure you have virus protection that kicks in on your screen savers—it has to become part of everyday instruction," said Bart. "If youre the chief information officer of a company, youve got to kick some butt to make this happen."

Developed by TIA and three other industry groups in Washington, the National Strategy for Critical Infrastructure and Cyberspace Security recommends that businesses and schools regularly teach ethical online behavior. It also calls for the government to close loopholes in laws that make it difficult to punish malicious hacking and other illegal online activity.

By making suggestions for improved private- and public-sector coordination, the industry hopes to avoid potentially burdensome new regulations. "People dont want to have government mandate that you must do this or you must do that," Bart said. "Regulators abhor a vacuum."

The groups are also looking to the government to increase international initiatives to promote better practices when it comes to information security and reporting cyber-crime because varying legal frameworks make international investigations and prosecutions difficult. The trade groups suggested the creation of an International Critical Infrastructure Assurance Coordinating Center, in which industry would play a key role along with governments.

"It doesnt make sense to have government-to-government-only negotiations," Bart said. "Thats kind of like a bunch of podiatrists standing around talking about brain surgery."

The cyber-security plan, combined with similar proposals submitted by other critical industries, will be incorporated into policy papers under development by the administrations Critical Infrastructure Protection Board and the Office of Homeland Security. The papers are slated for completion in July, according to Bart.

"Its no secret that we are not supportive of federally mandated standards," said Shannon Kellogg, vice president of information security programs at the Information Technology Association of America, in Arlington, Va. "Regulation and legislation cannot keep up with technology."