White House plans to overhaul computer security plan

The Bush administration's approach to computer security will focus first on realigning agencies' responsibilities for their own networks, administration officials said Tuesday.

The Bush administration's approach to computer security will focus on realigning federal agencies' responsibilities for their own computer networks before revising the national plan that details how the government and the private sector should work together to combat threats from hackers and cyberterrorists, administration officials said Tuesday.

The realignment of government responsibility may involve changes to the current patchwork of agencies that each oversees a piece of the problem, said Kenneth Juster, who was sworn in Monday as the new head of the Bureau of Export Administration.

Amplifying a White House statement on cybersecurity last week, Juster said the agency review would be completed over the next several weeks.

"The federal government cannot solve critical infrastructure issues alone," Juster said at a conference hosted by the Institute of Internal Auditors at the U.S. Chamber of Commerce, "but it has a leading role in assuring the delivery of essential services that it must deploy," such as military protection, natural disaster warnings and the delivery of Social Security checks.

A second key government responsibility is to play "a supporting role to ensure that a sufficient level of critical infrastructure services is available for a smoothly functioning national economy," he said, specifically endorsing market-based, and not regulatory, approaches to mitigating the risks of computer intrusion.

Richard Clarke, the National Security Council's national coordinator for security, infrastructure protection and counterterrorism, also emphasized the importance of continuity between the Clinton and Bush administration approaches to the subject.

He said that when his boss, National Security Adviser Condoleezza Rice, raised the subject of critical infrastructure protection at a recent Cabinet meeting, Vice President Richard Cheney, Treasury Secretary Paul O'Neill and Commerce Secretary Donald Evans all agreed on the importance of maintaining a collaborative public-private sector partnership.

But Juster also said that unlike the Clinton administration's January 2000 cybersecurity plan, the new National Plan for Cyberspace Security and Critical Infrastructure Protection, which is scheduled to be written and released this year, "will have the full input of the private sector."

Clarke also criticized Congress for slipping security regulations into bills that had substantial privacy elements, including the 1999 Financial Services Modernization Act and the 1996 Health Insurance Portability and Accountability Act.

"Even though we have been pledging no regulation, alas, there is creeping regulation," Clarke said. "Congress is requiring legislation about cybersecurity and is turning that authority to regulatory agencies, and they are giving somewhat vague guidance."

"Constituents are telling Congress that they are concerned about Big Brother or corporate brother finding out too much about them and violating their privacy," Clarke said. "This interest in achieving privacy and security in cyberspace through regulation will continue to grow, and you all play a role in retarding the growth of that regulation by providing alternatives."

Clarke also said earlier in the month that three out of four White House Web-site computer servers were slowed by denial-of-service attacks that appeared to have originated in China, even as he cautioned that such an appearance could be faked.