Administration says it will give industry and academia heads up on cyberattacks
Government will share intelligence and law enforcement data on malicious activity so other sectors can protect their infrastructure.
The Obama administration will provide universities and businesses with government intelligence and law enforcement information about malicious Internet activities so that they can protect their critical assets, the president's cyber czar said on Tuesday.
"I think we all recognize that the government has unique access to information," Howard Schmidt, cybersecurity coordinator and special assistant to the president, told congressional staff, policymakers and interest groups at a Washington conference. "We need to continue to look for ways to share that information, but also give our universities and our businesses information to be able to protect themselves."
Recent history is rife with examples where such disclosures could prove helpful. The intelligence community is privy to information about foreign governments, such as China, that Americans fear could be trying to extract intellectual property from technology firms or research institutions. The FBI, in the past, has learned of holes in automated banking security, which it then told 4,000 financial sector organizations about so they could shore up systems before hackers exploited the vulnerabilities.
Schmidt also addressed a forthcoming public-private initiative to create secure online identities that has riled some privacy advocates. The National Strategy for Trusted Identities in Cyberspace, which President Obama will complete in the next few months, aims to provide people with a means of verifying who they are interacting with when they conduct online transactions.
Critics liken the concept of Internet IDs to a national identification card that the government will use to track the activities of everyone online.
Schmidt said people reading between the lines to draw such conclusions should "wait to see until the real lines come out and then read the lines," adding, "the intent is not to create one situation that fits all." The Commerce Department on Jan. 7 announced it will oversee the ID process, in coordination with the private sector, out of a new program office. The policy will be more concise than a proposal the Homeland Security Department released in June 2010, Schmidt said. It will be anchored in the Federal Trade Commission's fair information practice principles, which encourage companies to provide notice about the information they collect from consumers; seek consent before using individuals' personal information; tell them why they are obtaining the data; collect minimal data and retain it only until that purpose has been fulfilled; limit the use of the information; ensure it is accurate; protect the data against unauthorized disclosure; and audit compliance with all the principles.
Schmidt was speaking at the annual State of the Net summit hosted by the Congressional Internet Caucus Advisory Committee, an assortment of public interest and industry groups, which typically draws about 500 people to debate information technology policy issues.
Another participant -- Rep. Bob Goodlatte, R-Va., co-chairman of the Congressional Internet Caucus -- said any plan to secure the nation's networked infrastructures, including power grids, must involve cooperation between the public and private sectors. He is the newly appointed chairman of the House Judiciary Subcommittee on Intellectual Property, Competition and the Internet, which oversees IT matters.
"We need solutions that contain incentives to encourage business to adopt best practices to security" and "no one-size fits all mandate from Washington" that becomes outdated by the time it is implemented, Goodlatte said.
His panel will explore the idea of using limited liability protections that urge businesses to reveal their network vulnerabilities and threat mitigation activities so others can learn from their experiences, while at the same time sheltering the companies from potential lawsuits. The government used such legal protections during the Y2K problem, where organizations worldwide were racing to ensure their systems did not go haywire when their internal clocks hit the digits 2000.