Revised cybersecurity plan goes to Bush next week

White House officials expect to present a revamped national cybersecurity strategy to President Bush for his approval next week, and a formal public release is expected in early January, according to a spokeswoman for the White House Office of Cyberspace Security.

The strategy has been significantly rewritten and includes greater responsibility for Internet service providers (ISPs) to ensure that computer networks are less vulnerable to attack, according to sources. Further, it puts more emphasis on the need for private firms to disclose computer vulnerabilities and for wireless technologies to be secure.

Earlier this month, Richard Davidson, president of the National Infrastructure Advisory Council (NIAC) that is advising Bush on cybersecurity, told a Western Governors Association conference that his group recommended that ISPs be given more responsibility for securing cyberspace.

White House spokeswoman Tiffany Olson declined to confirm what changes are in the plan.

Guy Copeland, vice president of information infrastructure in Computer Science Corp.'s federal sector, could not speak to the specifics on ISPs' planned role in cybersecurity, but he said the parts of the draft he has seen indicate that "it is shorter, to the point and clearer" than the initial draft released in September.

Copeland also said the plan has been restructured into five priorities, making it easier for the private sector "to know where to focus their attention and resources." The original plan structured the strategy into five areas rather than priorities. The areas were home users and small businesses; large enterprises; critical sectors like government, higher education and the private sector; national priorities; and international cooperation.

Copeland said that Richard Clarke, Bush's cybersecurity adviser and a chief architect of the strategy, has said the five priorities in the new version include: creating a security response system; building a program to reduce threats and vulnerabilities; providing awareness and training; and securing federal, state, local governments; and gaining international cooperation.

Copeland also said the emphasis of the strategy remains non-regulatory. "Regulation is still considered a last resort," he said.

The section on security response is likely to discuss the creation of a national operations center to monitor any terrorist or other attempts to undermine the Internet, the need to identify potential threats, and the goal of boosting public and private information sharing on securing computer networks, Copeland said. And the program to reduce threats is likely to include recommendations for making software more secure and improving law enforcement on computer crimes.

The cybersecurity training program was detailed in the previous plan, and it includes an awareness campaign. The September draft also outlined a strategy on winning international cooperation and on protecting government computer systems.

Separately, sources said it is not clear whether the Homeland Security Department will be responsible for monitoring the success of the strategy, but Olson said Clarke would remain at the White House as special adviser to Bush rather than joining the new agency.