The Bush administration has plans to create a centralized facility for collecting and examining security-related e-mail and data traffic and will push private network operators to expand their data-gathering initiatives, according to an unreleased draft of the plan.
The proposed cyber-security Network Operations Center is included in a draft of the National Strategy to Secure Cyberspace, which was developed by the President’s Critical Infrastructure Protection Board and is due for release Sept. 18.
The call for expanded data collection and analysis results from administration concerns that efforts to secure cyberspace are hampered by the lack of a single data-collection point to detect cyber-security incidents and issue warnings, according to a draft of the plan, which was obtained by eWeek.
Critics, however, worry that such a system would be expensive, difficult to manage and allow government agencies to expand their surveillance powers.
Other recommendations include requiring corporations to disclose their IT security practices, establishing a test bed for multivendor patches, creating a certification program for security personnel and mandating certifications for all federal IT purchases. (See chart for other proposals.)
According to the draft, the government’s “forward-looking analysis” capabilities are considered sparse because of a shortage of information. The proposed center would improve capabilities for predicting cyber-security incidents as well as responding to hacker or terrorist threats.
Howard Schmidt, vice chairman of the CIPB, said the center would consolidate threat data from the country’s collection end points, such as the FBI’s National Infrastructure Protection Center, the Critical Infrastructure Assurance Office, the Department of Energy and commercial networks.
Private companies would also be encouraged to increase the amount of data collected and share it with the government. “Major companies generally report this information internally,” Schmidt told eWeek. “We’re looking for that to come back to a central location.”
According to the draft strategy, the public/private initiative would involve the major ISPs, hardware and software vendors, and IT security companies, in addition to law enforcement agencies.
Some said they believe the government’s interdepartmental rivalries and information-sharing rules will hamstring any attempt at centralized collection and analysis. “There are such high barriers in government to being able to disseminate information and react to threats, I don’t think it will have much impact,” said William Harrod, director of investigative response at TruSecure Corp., in Herndon, Va., and a former FBI computer forensics specialist. “They’ll have different information coming in from different analysts, and they’ll have to weed through it.”
The proposed strategy recommends that the center be partially federally funded, but critics charge it would inevitably impose new costs on the private sector without commensurate benefit in addition to duplicating similar efforts.
“Government doesn’t have a good track record when it comes to collecting and disseminating massive volumes of data,” said Kevin Baradet, network systems director at Cornell University’s Johnson Graduate School of Management, in Ithaca, N.Y., and an eWeek Corporate Partner. “We could be drowning in data, most of it noise.”
Above all, users said, there are the privacy concerns.
“Whatever the federal government wants to do with its own data is OK with me, as long as it doesn’t waste my personal and corporate tax dollars,” said Karl Keller, president of custom software developer IS Power Inc., in Thousand Oaks, Calif. “The privacy aspects, however, concern me greatly. This sounds like a dramatic and evil expansion of Echelon and Carnivore.”
The strategy calls on the FBI, Secret Service and Federal Trade Commission to establish a single system for corporations to report Internet fraud and extortion, illegal hacking, and unauthorized network intrusions. It recommends that the federal government systematically collect data on cyber-crime victims and cyber-intrusions from businesses.
However, most CIOs are loath to report any network breach, even in confidence. The Bush administration is seeking to assuage industry fears by recommending legislative changes, including exemptions from Freedom of Information Act requirements and exemption from antitrust laws, that would reduce liability for turning over data to law enforcement.
Of the more than 80 proposals in the draft of The National Strategy to Secure Cyberspace, among the most worrisome to corporations is a recommendation that they publicly disclose the identity of their IT security audit companies and the scope of their activities annually. The draft strategy recommends that businesses report incident and tracking data, the effectiveness of remediation measures, and the steps they take to secure their systems. In addition, they should reveal corporate and governance systems for IT security in a standardized form.
“I don’t see us turning over any logs to the government,” said a security administrator at a major East Coast financial company, who asked not to be named. “It’s too risky.”
Proponents say that as the number of attacks continues to increase, more communication and information exchange between the government and private sector can only help.
“There’s no doubt in my mind that [sharing information] will help. This goes beyond just the corporate world,” said George Samenuk, CEO of Network Associates Inc., in Santa Clara, Calif., who consulted with CIPB Chairman Richard Clarke on the national strategy. “We’ve accelerated our efforts in providing information to the government and giving them early notification of problems. I see all the barriers being broken down.”