National cybersecurity plan omits industry mandates

The latest version of the national cybersecurity plan, expected to be presented to President Bush within the next month, encourages the private sector to do more to protect the Internet but without mandates on industry, which had been proposed in the initial draft released publicly last September.

Internet service providers (ISPs) will not be required to build a centralized system to enable broad monitoring of the Internet; rather, they will be encouraged to develop a national network operations center (NOC) that could complement a federal cybersecurity response team that is to be developed in the Homeland Security Department, according to a copy of the plan obtained by National Journal's Technology Daily.

"In substance, the latest draft isn't all that different from September," said one high-tech industry source who viewed the latest version. "Stylistically, it's much different in that it is much better written, simpler and more straightforward. If you ticked off the items in this draft compared to the other, however, there aren't that many differences."

The administration has been gathering comments on the first draft and has addressed issues raised in those comments, including suggestions that the plan more clearly state that it does not seek to regulate the private sector.

Late last month, The New York Times reported that the Bush administration was planning to propose requiring that ISPs build a central monitoring system of the Internet, raising fears that the strategy had become more regulatory. However, the version that has been circulating within the high-tech sector since December says only that private-sector organizations focused on cybersecurity "should consider the benefits of creating an entity or center with a synoptic view of the health of cyberspace on a 24 by 7 basis."

The creation of such an operations center will continue to face resistance from companies that have made a business by monitoring cyberspace for specific clients, a high-tech lobbyist said. Richard Clarke, the special adviser to Bush on cybersecurity and chief architect of the strategy, "just hasn't made a good enough case that a NOC is necessary ... when it is already being done in the private sector," the lobbyist said.

The strategy states that "federal regulation will not be used as a primary means of securing cyberspace" but also emphasizes that the federal government cannot protect the Internet alone.

On the international front, the draft still makes a strong pitch for global cooperation but adds that the United States "reserves the right to respond in an appropriate manner, including through cyberwarfare." It also stresses stronger U.S. counterintelligence efforts in cyberspace, improvements in attributing cyberattacks to their sources, and better interagency coordination.

Other points emphasized in the latest version include:

  • A Cyber Warning and Information Network to allow government officials and the private sector to discuss cyber threats.
  • Tests to determine the impact cyberattacks would have on processes in various agencies.
  • A program to manage the information flow and to protect the information on threats to critical infrastructures that companies voluntarily submit.
  • A public-private task force to recommend the implementation of the new Internet protocol, IPv6, in the United States.
  • Annual priorities for cybersecurity research and development and periodic reviews of emerging cybersecurity technologies.
  • An information and analysis center for universities and colleges because they have among the most powerful computing systems in the nation.
  • A task force of public and private-sector officials to identify ways that information technology providers, other organizations and the government can reduce the burden on home users and small businesses in securing their computer systems.