The Path to Safety?

Industry readies plan for pre-emptive network defense.

Later this month some of the largest companies in the United States, led by the IT sector, will publicize a set of recommendations on hardening cyber-infrastructure so that the government doesn't legislate the effort for them. The recommendations—all voluntary—are to include television advertising aimed at small businesses and data collection research with the federal government, according to sources involved in the planning.

A little more than a year after the White House released its National Strategy to Secure Cyberspace, which includes a blueprint showing the private sector how to improve network security, federal policy-makers remain concerned that industry-owned networks are vulnerable to terrorist attack. Late last month, Sen. Patrick Leahy, D-Vt., said the country has been fortunate that terrorists have not infiltrated U.S. networks.

"We can assume, unfortunately, that they would if they had the opportunity," Leahy said. "It is essential that we work with the private sector to thoroughly assess our weaknesses and take steps to deal with them."

The national strategy came under criticism for failing to outline specific action items, and in December, three trade organizations in Washington—the Information Technology Association of America, the Business Software Alliance and TechNet—joined the U.S. Chamber of Commerce to develop ideas on implementing the strategy. However, the result so far is in large part another blueprint, with most of the details left for future discussion, sources said.

"In most cases, the recommendations will be more like road maps of what we need to do to get where we want to be," said Gary Garcia, vice president of information security policy at the ITAA. "This stuff does not lend itself to overnight solutions."

A primary aim of the industry-led initiative, which comprises five task forces, is to encourage buy-in from stakeholders, including infrastructure owners, users and vendors, Garcia said. To reach out to smaller businesses and individual users, the task forces are recommending public awareness campaigns, including television advertising, sources said.

The fear is that Congress will impose expensive new security obligations on corporations because so much of the country's interdependent infrastructure is held in private hands. Policy-makers have sought to develop incentives for companies to invest in more secure hardware, software and processes. Last year, Rep. Adam Putnam, R-Fla., floated the idea of mandating security audit reporting, but Putnam is still talking with industry leaders about alternative proposals, an aide said.

What has policy-makers particularly alarmed is the possibility of a wide-scale attack on computer networks in conjunction with an attack on physical infrastructure. At a hearing earlier this month on the threat of cyber-terror, Sen. Jon Kyl, R-Ariz., said the devastation following the Sept. 11 terrorist attacks could have been worse if a cyber-attack had been launched against New York's electricity or water systems.

"An attack on these systems would have inhibited emergency services from dealing with the crisis and turned many of the spectators into victims," Kyl said.

While much of the task forces' work sets only a framework for improving network security, some recommendations will provide specific direction, sources said.

"We don't want just dialogue or monologue; we want action," said Howard Schmidt, chief information security officer at eBay Inc., in San Jose, Calif. The plans will include detailed schedules and will recommend projects for improved education, such as including a network security course in the ordinary curricula at community colleges, Schmidt said.

The task forces are working closely with the Department of Homeland Security, and recommendations will include joint research and development to collect network intrusion data, sources said. Industry will look to the DHS for funding some security research that would otherwise be difficult to devote resources to.

In addition to corporate governance and public awareness, early-warning improvements are included in the recommendations. Ideas for improvement will center largely on integrating the wide array of alert systems already in place, Garcia said, adding that there will be suggestions on how to encourage more effective information sharing.

Before month's end, the industry group plans to launch a Web site enumerating its recommendations and other information to better secure private networks, sources said.