Administration official defends cyberspace security plan
SEATTLE - The Bush administration official responsible for the details of the National Strategy to Secure Cyberspace responded late Wednesday to critics who argued that the plan does too much or not enough to protect the nation's critical computer networks.
The report "is not a full-blown tactical implementation plan," Howard Schmidt told National Journal's Technology Daily in a telephone interview after the formal unveiling of the report at Stanford University. Schmidt is vice chairman of the President's Critical Infrastructure Protection Board and was the top liaison with the technology industry on the plan.
Both Schmidt and Richard Clarke, the top White House cybersecurity adviser, stressed at the launch that the report is a "draft" subject to a 60-day comment period. An earlier version was tagged a "strategy of how the United States will take steps to secure [critical] information technology networks." Schmidt also said that the president has not yet seen the plan.
In addition, several controversial recommendations-including requiring Internet service providers to assume greater responsibility for their users' security and admonishing against the security of wireless Internet connections-were dropped in recent weeks.
"We have 17 priorities and 80 recommendations," Schmidt said. "If there is something that we don't see, that is what the 60-day comment period is for-to let us know if we need to shift gears." He said the report was cut in half as many implementation details were eliminated. But Schmidt added that he expects comments similar to those already received from the technology industry.
"As we have seen, some argue for more regulation, some say let the market work, as do we," he said. "The bigger thing is, did we miss anything?"
Meanwhile, technology industry officials attending an Internet Law and Policy Forum conference on security and privacy offered their own critiques of the report. Stewart Baker, an attorney at Steptoe and Johnson who represents ISPs, referred to "three or four bad ideas that ended up not in the report."
Baker said he is glad the board dropped its advocacy of ISPs being "responsible for the security, and indeed the contents, of the hard drives of their customers," a concept that he said ran afoul of traditionally limited liability for common carriers. Requirements that ISPs merely agreed on the security software they offer to the customers also could have raised antitrust issues, he said.
He cautioned, "The idea that this should be the responsibility of ISPs is kicking around the White House, and we will hear it again."
Baker also slammed the notion that company boards of directors should be responsible for computer security and the idea of a network operating center linking the private sector.
"It is not clear that any good can come from that, but that may not be enough to kill it in Washington," he said.
Al Gidari, an attorney at Perkins Coie in Seattle, criticized the assumption that computer networks are a national resource. "It is the nation's critical infrastructure," he said. "The nation didn't build it, they don't operate it, and they don't run it."