Industry balks at Clinton critical protection plan

The Clinton administration took its first step last week to form partnerships with companies and private-sector groups to protect the nation's critical infrastructures from electronic and physical threats, but the effort is already drawing criticism from the telecommunications industry.

The Commerce Department's National Telecommunications and Information Administration (NTIA) released a request for expressions of interest to enlist telecommunications companies and hardware and software suppliers to develop a plan to protect the information and communications infrastructure from cyberattacks.

The effort is the result of President Clinton's May directive that requires agencies to reach out to the owners and operators of financial markets, power grids, water supplies and telecommunications systems to develop a way to protect from cyberattacks the computers that support those critical infrastructures.

While most experts generally agree on the need to develop a national plan for protecting the critical assets— something that would not necessarily occur under the direct control of the government— enticing the private sector to work with the government has often been considered one of the primary hurdles standing in the way of making the program work.

The NTIA request calls for volunteers as "sector coordinators," who will work with the government to assess the vulnerabilities of the communications sector to cyberattacks and propose a system for identifying and preventing attacks. The coordinators— which could include trade associations, professional societies or consortiums formed especially for infrastructure protection— also will develop a plan for alerting, containing and rebuffing an attack in progress.

According to NTIA's request, the private sector would provide information to the government about cyberattacks, but the government would not be required to supply the private sector with information, said Mark Gembicki, president of WarRoom Research LLC in Annapolis, Md., and head of the Manhattan Cyber Project, a government/industry partnership to study information warfare attacks on the nation's infrastructure.

The President's Commission on Critical Infrastructure Protection, which first recommended the partnerships, hosted a simulation that tested this type of relationship among the government and the owners and operators of the critical infrastructures. As part of the simulation, the private-sector participants were required to forward information about threats and vulnerabilities to law enforcement agencies. Before the end of the simulation, the private-sector participants quit because they were not receiving any information back from the government, said Gembicki, who was a participant.

The private sector also is reluctant to enter into the partnerships because of worries about what may happen to threat and vulnerability information turned over to the government, said Daniel Wiener, vice president of advanced technology programs at Unisys Corp.

"There is a legitimate need to share information, but the issue is: Can the government protect it?" Wiener said. He also questioned whether industry participants would be able to justify a business case for the costs associated with being a sector coordinator.

However, Irwin Pikus, director of the infrastructure assurance program at Commerce's NTIA, said, "This is an area that is of interest to a large number of people in the private sector. It's ripe for an undertaking. It affects their own business interests. They are indeed good citizens; they have a feeling for their role in protecting national security."