Feds to industry: You have a responsibility for security too

At the first White House summit on Internet security, top Clinton administration officials told industry leaders that their companies and other commercial enterprises have a responsibility to the nation to improve security.

The Clinton administration on Tuesday reiterated its commitment to making the security of the nation's infrastructure a joint partnership between government and industry, with government serving as a model of security and advising, not regulating, the commercial sector.

Because the majority of the nation's information infrastructure is in the hands of industry, the commercial sector has a responsibility to the nation to ensure secure and consistent service without the government stepping in, said Commerce Secretary William Daley, speaking at a White House-sponsored summit on Internet security prompted by the recent wave of denial-of-service attacks against popular electronic commerce sites. "We can support [industry]," he said. "It is not about the government regulating this."

This message was an important product of the meeting, said Jeffrey Hunker, senior director for infrastructure protection at the National Security Council's Office of Transnational Threats. Even following the December creation of the industry-led Partnership for Critical Infrastructure Security, many private-sector organizations have been unsure about the government's commitment to allowing industry to secure its own systems without interference, he said.

"This was a very concrete demonstration to a very diverse industry and academic group that the president cares about this issue," Hunker said.

The administration emphasized the need for federal agencies to protect their systems and serve as a model for security. This would include the current effort to scan all agency systems for vulnerabilities in the wake of last week's denial-of-service attacks. It also would encompass a new focus on getting agencies and industry to use the tools and patches that are available before they are needed, not after.

"We need to raise the level of security practice.... We need to be more proactive in getting the tools out and getting them in use, to practice better hygiene," said White House chief of staff John Podesta. "We are not doing a good enough job in making sure that the government's own systems are secure."

The meeting also focused on the need for increased research and development of security technologies. The president submitted a $9 million supplemental funding request to Congress for fiscal 2000, which includes $4 million to jump-start the development of the Institute for Information Infrastructure Protection at the National Institute of Standards and Technology.

The $50 million institute will serve as a clearinghouse for government and industry security R&D "to make sure that the hardware, the software and the networks that are part of the global information infrastructure are more secure and evolve in a way in which security is built in at the front end, rather than thought about at the back end, when solutions will be more difficult to implement and more expensive to implement," Podesta said.

The 29 industry and academic representatives who attended the summit agreed to use next week's meeting of the partnership to start forming the mechanisms that will allow security and vulnerability information to be shared across industry sectors.

"The information sharing needs to be widespread," said Jim Dempsey, senior staff counsel at the Center for Democracy and Technology. "It is not desirable to hold information tightly."

The partnership meeting will focus on sharing many types of information, including interdependencies and vulnerabilities, best practices, work force issues, and legal and policy issues, said Howard Schmidt, chief information security officer at Microsoft Corp.