Infrastructure security plan takes shape

CIAO

Efforts started under President Clinton to protect the nation's critical services and infrastructure are moving forward under the Bush administration, which is completing its work at organizing those efforts.

The Bush administration will shortly be releasing the recommendations from months of Cabinet-level meetings about the coordination among the numerous federal organizations involved in critical infrastructure protection. Last year, members of Congress, the General Accounting Office and others criticized what appeared to be overlapping responsibilities and a lack of coherent partnerships among the many groups.

Protecting critical infrastructures — a segment of the overall security picture that focuses on information systems that support infrastructure such as telecommunications and power — became a priority in 1998. President Clinton signed Presidential Decision Directive 63 that May, which mandated that agencies secure their own critical infrastructure systems and take the lead in private-sector security efforts.

Progress has been slow since that time, as noted in a recent report by governmentwide inspectors general. But actions by the Clinton administration in its final months and new initiatives from the Bush administration are quickening the overall effort.

"PDD 63 was a good start, but we need to move forward aggressively," said Sen. Robert Bennett (R-Utah), a longtime advocate of critical infrastructure issues.

The top recommendation may be to form a coordination board to supplement the oversight by the National Security Council, said John Tritak, director of the Critical Infrastructure Assurance Office. Such a board would include members of the CIAO and officials from major departments such as Commerce, Energy, Transportation and Treasury, officials said.

Through the CIAO, the policy support organization created by PDD 63, the Bush administration is developing the second version of the National Plan for Information Systems Protection. The first version focused almost entirely on federal responsibilities in this area.

Since the original plan's release in January 2000, the CIAO has been working with the private sector to include its input. Now Bush officials are pushing to make sure the new version — renamed the National Plan for Cyberspace Security and Critical Infrastructure Protection — is a "co-authored document," Tritak said.

The CIAO is also reaching out to state and local governments to define how they fit into the picture. Virginia officials are meeting with the CIAO to adapt federal models to the state and local environment and to foster a bottom-up approach to handling e-government issues, said Donald Upson, Virginia secretary of technology.

And one of the last initiatives from the Clinton years will get under way next month, providing an expert resource for agencies that often need help handling critical infrastructure issues.

The National Institute of Standards and Technology finally received funding in the 2001 budget for the Computer Security Expert Assist Team, a group of security experts targeted to provide outside assistance to agencies with scarce resources.

The team is in place at NIST and will start work in June. The first stage will be to respond to agency requests to review their security programs and to requests from the Office of Management and Budget to review the security for existing and planned information technology systems, according to NIST.