White House may use procurement process to push computer security

The nation's cyberspace chief on Friday told members of the Bush administration's National Infrastructure Advisory Council (NIAC) that the White House may wield the federal procurement process as a means to encourage greater computer security in the private sector.

At the first meeting of the NIAC, which was created by President Bush to garner private-sector advice on critical infrastructure protection matters, Richard Clarke defended the non-regulatory approach of the recently released draft National Strategy to Secure Cyberspace. He said the buying power of the federal government could unleash market forces that would lead to greater computer security in the private sector.

"We'll call for the use of federal procurement power," Clarke said in response to a question about incentives to push companies to focus on computer security. "We'll spend $52 billion on IT systems this year...and we are going to require security certification of products at the Department of Defense and that may spread."

President Bush created the NIAC through executive order last October, in conjunction with the new Office of CyberSpace Security, which Clarke heads. Richard Davidson, CEO of railroad company Union Pacific, is the chairman of NIAC, which also includes representatives from Cisco Systems, eBay, Internet Security Systems, Nasdaq, Mellon Financial, the New York City Police Department and Symantec, among others.

Clarke on Friday noted that he had been criticized by the media and by some at town hall meetings for not including specific regulations in the strategy, and defended the administration's position.

"We fear having regulation could.... create a homogenous environment that would be easier to attack," said Clarke, who then asked NIAC members for their opinion on whether a regulatory or market-based approach was best. He also asked the members to comment on the strategy's scope, any possible missing pieces and to suggest methods of ascertaining the precise vulnerability of the private sector to an attack. He asked for the group's comments by Nov. 26.

Some group members suggested ways to clarify the strategy, such as more explicitly noting that it aims to bolster the cybersecurity of the private sector, that it prioritize short- and long-term goals and that it provide solutions to improving cybersecurity and rank them on a scale of easiest to most difficult. This scale could aid the private sector in determining where to focus their resources, members said.

Clarke noted that the administration is developing a national plan for cyberspace-security research and development with Dartmouth College to determine where long-term R&D funding should be allocated.

Just as the meeting began, Tom Ridge, director of the White House Office of Homeland Security, told NIAC members that it is clear that the security of cyberspace is linked to homeland security. "You know more than most Americans, the interdependence of critical infrastructures and the physical and cyber [systems that] we are all so dependent upon," he said in welcoming the new NIAC members.