Cybersecurity chief to offer input on agency budgets

The nation's top cybersecurity adviser will work closely with the White House Office of Management and Budget to ensure that federal agencies have the money to implement effective computer security, a government official told cybersecurity experts Wednesday. Paul Kurtz, director of the critical infrastructure protection at the White House National Security Council, said that Cybersecurity Adviser Richard Clarke will work with OMB through the President's Critical Infrastructure Board, which coordinates federal agency and private-sector security efforts. Kurtz said the board will create a Web site to enable government agencies and the private sector to communicate their concerns. It also would be designed to better coordinate policy between agencies, he said. "Our first priority is to ensure the government is securing its own systems, and we will call upon the private sector for good ideas," Kurtz said in an Internet chat hosted by House Science Committee Chairman Sherwood Boehlert, R-N.Y. Reflecting the contents of an executive order issued this month, Kurtz noted that the White House will create a National Infrastructure Advisory Council of 30 experts on computer security from the private sector, academia and state and local governments. The group will provide President Bush with advice on information security and the nation's critical infrastructure. A White House spokesman said no decision about board members has been made. Randy Sandone, the CEO of Argus Systems Group, who participated in the chat and spoke with National Journal's Technology Daily, said the government could help the private sector with its computer-security efforts by broadening an established clearinghouse on industry best practices and tools for protecting networks. The Commerce Department's National Institute of Standards and Technology in 1999 founded a program that evaluates security products. Sandone suggested that it could be expanded to offer more information to the private sector to help them wade through the claims of various security vendors. "While warning us of threats is important, what I think is more important is for the government to put together a clearinghouse of best practices, and serious information about products and tools, and the nature and types of computer-security problems out there," Sandone said. He said the federal government has focused on convincing the private sector to communicate with it on attacks so the government can evaluate the information and possibly prosecute the attackers. The emphasis should be on attack prevention rather than pursuing the attackers, he said. During the chat, executives from companies such as TruSecure and Vericept said a key way to protect computer networks is to monitor employee activities and their level of access to networks.