In an effort to bolster the nations cyber-security, the Bush administration has plans to create a centralized facility for collecting and examining security-related e-mail and data and will push private network operators to expand their own data gathering, according to an unreleased draft of the plan.
The proposed cyber-security Network Operations Center is included in a draft of The National Strategy to Secure Cyberspace, which was developed by the presidents Critical Infrastructure Protection Board with input from the private sector and is due to be released Sept. 18.
The call for expanded data collection and analysis results from administration concerns that efforts to secure cyber-space are hampered by the lack of a single point of data collection to detect cyber-security incidents and issue rapid warnings, according to the draft strategy, obtained by eWEEK. Critics, however, worry that such a system would be expensive and difficult to manage, and would allow government agencies to expand their surveillance powers.
Other recommendations include restricting the use of wireless technologies by government agencies; requiring corporations to disclose their IT security practices; establishing a “test bed” for multivendor patches; creating a certification program for security personnel; and mandating certifications for all federal IT purchases.
Howard Schmidt, vice chairman of the PCIPB, said that the center would consolidate threat data from the countrys collection end points, such as the FBIs National Infrastructure Protection Center, the Critical Infrastructure Assurance Office, the Department of Energy and commercial networks. Private companies would be encouraged to increase the amount of data collected and share it with the government.
“Major companies generally report this information internally,” Schmidt told eWEEK. “Were looking for that to come back to a central location.”
According to the draft strategy, the public/private initiative would involve the major ISPs, hardware and software vendors, IT security companies, and Computer Emergency Response Teams, in addition to law enforcement and other agencies.
: High Barriers”>
Some feel that the governments internecine rivalries and information-sharing rules will hamstring any attempt at centralized collection and analysis.
“There are such high barriers in government to being able to disseminate information and adjusting the environment to react to threats, I dont think it will have much impact,” said William Harrod, director of investigative response at TruSecure Corp. in Herndon, Va., and a former FBI computer forensic specialist. “Theyll have different information coming in from different analysts, and theyll have to weed through it.”
The proposed strategy recommends that the center be partially federally funded, but it would inevitably impose new costs on the private sector without commensurate benefits, critics charged.
“Government doesnt have a good track record when it comes to collecting and disseminating massive volumes of data,” said Kevin Baradet, network systems director at Cornell Universitys Johnson Graduate School of Management in Ithaca, N.Y. “We could be drowning in data, most of it noise.”
Then there are the privacy concerns.
“Whatever the federal government wants to do with its own data is OK with me as long as it doesnt waste my personal and corporate tax dollars,” said Karl Keller, president of custom software developer IS Power Inc., in Thousand Oaks, Calif. “The privacy aspects, however, concern me greatly. This sounds like a dramatic and evil expansion of Echelon and Carnivore.”
The strategy also calls on the FBI, Secret Service and Federal Trade Commission to establish a single system for corporations to report Internet fraud and extortion, illegal hacking, and unauthorized network intrusions. It recommends that the federal government systematically collect data on cybercrime victims and cyber-intrusions from businesses. The administration hopes to assuage industry fears by recommending legislative changes–including exemptions from Freedom of Information Act requirements and exemption from antitrust laws–that would reduce liability for companies turning over communications to law enforcement.
Look for updates on eweek.com next week.
- How Real Is the Threat?
- Clarke Lambastes Software Industry
- Editorial: Security: The Feds Can Help
- Congress Zeros In on Cyber-security
- Homeland Security Plan Draws Criticism
- Cyber-security Czar Gives IT a Wake-Up Call