Grand federal plans for cybersecurity falter
Task force on computer terrorism drops stiff rules, asks individuals to guard their own corners of cyberspace.
Nearly one year ago, Richard Clarke stood before a gathering of Silicon Valley business leaders and told them that unless the lessons of Sept. 11 were heeded, the terror of that day would someday be repeated on the Internet.
In his first public address as President Bush's adviser on cybersecurity, Mr. Clarke issued a stark warning: "We still have a system ... that is vulnerable to sophisticated attacks," he said. "If done at a time of national security crisis, [they] could lead to catastrophic damage to our national defense."
Wednesday, Clarke returned to the Bay Area to announce the administration's response to this challenge, but the mood was dramatically different. Gone was the Jeremiad of last November, and in its place was a plan that one industry analyst derided as "worthless."
As airports ask Congress to delay a Dec. 31 deadline for screening all checked luggage and the TIPS program for citizen surveillance is trimmed, the cyberplan is a parable of how grand visions of greater security can be scaled back by practical limitations and Beltway politics.
With the tech economy already broken, Internet providers balked at added burdens, critics say, and a Republican administration frowned on creating a new tangle of laws.
The result is a series of well-worn guidelines that, in essence, simply ask users to pay more attention. Any sterner attempt to impel more accountability industry-wide, say analysts, has vanished.
"The government is telling every individual that it's up to them to protect their portion of cyberspace," says Russ Cooper of TruSecure, a data security company in Herndon, Va.
Among its nearly 60 suggestions, for example, the National Strategy to Secure Cyberspace says people should devise tougher passwords. It asks users to get antivirus software. It implores businesses to share information about hackers. It encourages government officials to do less of their work on wireless networks, which are less secure.
The hope is that the plan will provide the framework for businesses and tech companies to increase security on their own. Don't count on it, says Bruce Schneier.
"If you're the government, and you want people to do something, you pass a law," says Mr. Schneier of Counterpane, an Internet security company in Cupertino, Calif. "When push comes to shove, [a CEO] is not going to do something that puts [the company] at a competitive disadvantage," because it costs money.
"Cajoling only does so much," he says.
Yet cajoling is what Clarke is left with. The plan presented Wednesday is not even the final draft. Technology companies can lobby to reshape it for another 60 days.
According to sources, the plan has been reshaped a lot already. The Associated Press reports that an earlier draft asked Internet providers to give customers security software. Mr. Cooper adds that the government abandoned an outright ban on using wireless networks after wireless companies complained that it made them look bad.
The administration denies that corporations have had any influence in fashioning the plan, but critics say it has gradually become more friendly to businesses than consumers.
"As time passes, the guidelines get weaker and weaker," says Cooper.
Still, some look at the Internet infrastructure and say it is in businesses' best interests to invest.
They say hackers, be they enemy nations or terrorists, could cause chaos. Power grids could be shut down. Internet trading on the stock markets could be spiked. Entire sections of the e-economy could be upended.
"An attack would not be difficult to launch," says Sushil Jajodia, director of the Center for Secure Information Systems at George Mason University in Fairfax, Va. "Because the country is so connected to the Internet, we now are vulnerable."
Other analysts, though, say the risk of cyberterror is overstated.
Compared with the devastation physical attacks can cause, cyberattacks would merely be temporary inconveniences, they say.
"I don't see Al Qaeda sitting in their caves talking about how to crash our pager network," says Cooper.
Instead, these critics would rather the government focus on what they see as the real threat: economic damage caused by hackers out for an Internet joy ride.
Computer security cannot be accomplished through a user's antivirus package, they say. It's done by making Internet service providers and software companies, either through laws or public pressure, take more responsibility.
The Code Red worm, which wriggled its way across the Internet through holes in Microsoft software, cost companies more than $2 billion last year. Service providers could have shut down the link that fueled the virus, some say, and Microsoft, while taking steps to patch gaps in its software, could do more, as well.
"Any recommendation where the home user is expected to do much isn't going to work," because they can't track all the updates, says Richard Smith, an Internet security consultant in Cambridge, Mass. "It's a lot easier to get Microsoft to do something."