Bush draws cybersecurity lines

Executive order provides accountability, streamlines responsibilities

The Bush administration's plan for protecting the nation's critical infrastructure, outlined this month in an executive order, creates only one new organization. But that single structure changes the role of all of the organizations that have been involved in such efforts.

The order revises a directive President Clinton issued three years ago and tries to address concerns from agencies, Congress and industry that efforts to secure the nation's critical infrastructures — the systems that run transportation, finance and the electrical power grid — are hampered by a lack of coordination and accountability.

In May 1998, President Clinton issued Presidential Decision Directive 63 (PDD 63), which requires agencies to protect the information systems that support the nation's key infrastructures. During the past year, multiple reports have criticized the lack of coordination between new and existing organizations, and Congress has called for someone to be held accountable. At the beginning of the year, Bush administration officials said they would review and revise their stand on the issue.

Following the terrorist attacks of Sept. 11, the need for coordinated protection and response became clearer and more pressing. Bush quickly named Pennsylvania Gov. Tom Ridge to head the new Office of Homeland Security and moved Richard Clarke one step up the ladder in the White House to become special adviser to the president for cyberspace security.

The new executive order makes Clarke chairman of a governmentwide Critical Infrastructure Protection Board, which will oversee and coordinate all activities of the organizations defined in PDD 63. The order clearly names Clarke as the one in charge — and directs agencies to "make all reasonable efforts to keep the chair fully informed in a timely manner" — and provides a step-by-step explanation of where each organization fits in relation to the others (see box).

Placing Clarke at the top should make it much easier for the agencies and organizations involved to get the job done, said Sallie McDonald, assistant commissioner for information assurance and critical infrastructure protection at the General Services Administration. Her office is in charge of the Federal Computer Incident Response Center (FedCIRC), which oversees civilian warnings and analysis of cyberattacks and computer viruses.

"Dick was not given the authority before," she said. "Now we know somebody's in charge."

Industry leaders also praised the move to place Clarke within a more defined structure, and his position should prove more effective "based on the 'one throat to choke' principle," said Harris Miller, president of the Information Technology Association of America.

PDD 63 created several new organizations, including the Critical Infrastructure Assurance Office — which provided policy support for Clarke in his previous position as national coordinator for security, infrastructure protection and counterterrorism at the National Security Council — and the National Infrastructure Protection Center to provide a national focal point for threat and incident protection and response.

The directive also outlined lead agencies for each of the critical infrastructure protection sectors and functions, in the end creating so many leaders that the General Accounting Office called many times for the administration to clarify the roles and responsibilities of everyone involved.

"The [new] order creates substantially more coordination and less duplication among the plethora of government departments and agencies involved" in information security, Miller said.
