President Clinton won't be releasing an administration strategy to bolster the nation's defenses against cyberterrorism until the fall, as government agencies continue to work on reaching a consensus for the plan.
Earlier this year, Richard Clarke, the president's expert on cyberterrorism, had said he expected the draft to be ready this spring, but it has gotten bogged down as the numerous agencies and private sector groups try to reach agreement.
"Anything where you have 50 plus cooks in one kitchen, it gets very difficult" to get agreement, said Fred Cilluffo, who heads a counterterrorism task force at the Center for Strategic and International Studies. "This issue can be everything and nothing depending on how you define it. And of course, people want to hold onto turf, so it's complicated."
The plan sets up outlines for cooperation across federal agencies, law enforcement, defense, counterterrorism, Cabinet offices and the private sector to protect the nation's critical infrastructure. It has been in the works since May 1998, when Clinton issued a directive to ensure the security of telecommunications, banking and finance, energy, transportation, and essential government services, which he saw as vulnerable to attack.
Right now, two organizations within agencies are pulling together the national policy plan. One is the Critical Infrastructure Assurance Office (CIAO), which is the engine driving the creation of policy by coordinating private sector cooperation with the government and within agencies, and falls under the jurisdiction of the National Security Council. The second is the National Infrastructure Protection Center (NIPC), which is housed in the FBI and is the focal point for the government's investigation into cyber threats.
Also as part of Clinton's 1998 directive, the private sector is working to create Information Sharing and Analysis Centers (ISACs). These will serve as a place where companies can get government intelligence information about possible cyber-attacks, and where the private sector can share with the government how it solved attacks on its infrastructure without fear that the information will get into the hands of the public. CIAO is helping to coordinate the ISACs' effort with the private sector.
"Many companies are sensitive to the trusted nature of their business and they don't want to give the idea to customers that because they have had an attack, that their security is worse than another company's, so they want to be able to quietly share the information but not have it (in the public domain)," said Guy Copeland, vice president of information infrastructure advisory programs with Computer Sciences Corp.
Those who have seen drafts of the Administration's plan said it appears "robust" and contains "good thoughts and material," but they would like to see the plan executed in the near future and would like to see more involvement from the private sector.
"It was a good first attempt but I have openly conveyed (to the authors) that unfortunately the government went off by themselves and worked on the plan, and they should have had private industry working with them, because the problem is, there is a little bit of an alienation factor…there was a lot of good thought and good material (in the plan) and my fear is that there will be the not invented here syndrome" could hinder its implementation, Copeland said.
A CIAO spokesman said the current draft is only a first draft and the government will be open to suggestions from the private sector to help it draft second and third versions.