By Riva Richmond
Dow Jones News Service
March 11, 2002
NEW YORK -(Dow Jones)- Government should persuade industry to better protect the
Internet from threats of cybercrime and cyberterrorism, but should refrain from imposing
mandates, said Howard Schmidt, vice chairman of President Bush's Critical Infrastructure
Board on Monday.
The board was created in October after the Sept. 11 attacks raised concerns about
homeland security and the security of the information systems that support the nation's
basic infrastructure.
Chaired by Richard Clarke, the president's cybersecurity adviser, the board is developing
a national strategy to protect cyberspace. So far, it has emphasized building a
public-private partnership to respond to threats and to address Internet-security
policy questions.
"We can bring up the level of security without creating additional regulation," Schmidt
said during a panel discussion sponsored by Network World magazine and broadcast over
the Internet. "The government's procurement power and the marketplace will continue to
drive companies to do more in security."
The nation spends billions of dollars a year responding to security breaches and installing
technologies to prevent them, and the costs are escalating. Both the Internet's
infrastructure and the software that runs on it were created, for the most part, with
performance and ease-of-use as priorities, to the detriment of security.
Panelist Peggy Weigle, chief executive of security-software maker Sanctum Inc. of
Santa Clara, Calif., said 97% of Web sites are vulnerable to attacks using Web
browsers alone. Sanctum recently audited an airline's network and the company found it
could gain access to the passenger manifests with a Web browser.
The Bush Administration is using its "bully pulpit" to push software companies to
build better security into their products and the rest of industry to make their
own networks more secure, Schmidt said.
Schmidt said some security priorities ought to be authentication of computer users
using tougher criteria than passwords and better network management to avoid configuration
mistakes and to make sure patches that fix software flaws are applied.
Weigle argued the government should use legislation to enhance Internet security. Top
executives aren't giving the problem enough attention or resources, she said.
"We need a little bit more of a push to make things happen. It's not happening
by itself," Weigle said.
The board is also in favor of increasing government spending on research and development
and on education of the public and technology professionals.
And, in the absence of a secure public Internet, it's considering creating a
private government network, called GovNet. The board has requested proposals from U.S.
telecommunications companies on how such a network might be created. Schmidt said the
board has received more than 150 proposals and is working on thinning the number of
plans to consider more closely.
Law enforcement is also a government focus, he said. Current laws provide the government
with adequate authority to investigate and prosecute cybercrime, he said. What the government
lacks are resources to pursue complex cases that often cross state and national boundaries.
Responding to criticism from online-privacy advocates, Schmidt said the USA Patriot Act,
signed into law in late October, doesn't widen investigative powers, but simply makes
"the technology work better for law enforcement."
Schmidt said so far terrorists are using the Internet to communicate with each other and
to collect information, not to carry out attacks. But he cautioned: "We don't always know
whose fingers are on the keyboard."
Riva Richmond
Dow Jones Newswires
201-938-5670
[email protected]
|