Security board makes progress

Improving products and education are at the top of the Critical Infrastructure Protection Board's agenda

Improving the security of commercial products and increasing the level of security expertise in the government are at the top of the agenda for the Bush administration's Critical Infrastructure Protection Board, according to Richard Clarke, the White House cyberspace security adviser.

In its first 90 days of existence, the board has begun to address many basic security issues that affect the public and private sectors, as well as specific initiatives such as the high-profile GovNet intranet and an emergency personnel wireless priority system, both of which are under consideration.

One major concern is that commercial products are inherently insecure, making it that much harder for public and private organizations to practice good security.

By bringing together leading information technology companies and service providers with many top commercial and government customers, the board has fostered a "breakthrough," Clarke said at a Senate briefing Feb. 13. Now companies such as Oracle Corp. and Cisco Systems Inc. have followed Microsoft Corp.'s "Trustworthy Computing" pledge to include security in the development of all products, he said.

"They are changing their products and they are redesigning the next generation," Clarke told the Senate Judiciary Committee's Subcommittee on Administrative Oversight and the Courts. "There's a much greater willingness in the industry to start designing in security from the ground up."

Clarke's office is also concerned about the lack of experienced security personnel. The board is working closely with the National Science Foundation to expand a program that offers scholarships to college students studying information security in return for service at a federal agency.

The initial students in the Scholarship for Service program just finished their first semester. So far, the program is "doing very well, and probably ought to be expanded," Clarke said.

In fact, NSF is now increasing the number of colleges and universities eligible to receive funding under the program, from eight to 24, he said.

However, many top schools with information security education programs do not have the top security research programs, he said. So the board is looking at the top 10 federally funded institutions for information security research and development (a group that includes universities and national laboratories) to see how to bring the education and research groups closer together, Clarke said.

The groups will meet later this month to try to structure a way to leverage existing federal funds, as well as to coordinate future spending, he said.
