Ridge releases physical, cyberdefense strategies

WASHINGTON -- Secretary of Homeland Security Tom Ridge today released the final versions of the Bush administration's national strategies for the defense of physical and cyber-based critical infrastructures.

As the nation remained at Code Orange -- the second-highest level of alert -- Ridge said the two strategy documents will be "critical" to the future planning of the new Department of Homeland Security (DHS). The "National Strategy to Secure Cyberspace" and the "National Strategy for The Physical Protection of Critical Infrastructures and Key Assets" will "help guide governments and businesses" in their efforts to defend the homeland from terrorism, he said.

"Al-Qaeda will attack when they deem themselves ready to move," said Ridge. "We know that enhanced security and broader awareness is a deterrent."

According to the administration's cyberdefense strategy, one of the first priorities will be to establish a national cyberspace security response system that will enable the government to work with the private sector on analysis, warning, incident management and recovery efforts stemming from a coordinated cyberattack against the U.S. Although the private sector currently operates various information sharing and analysis centers (ISAC) specifically for this purpose, the strategy clearly recognizes the need for a single point of contact on cyberdefense issues in the new department.

"There is no synoptic or holistic view of cyberspace," the strategy states. "Therefore, there is no panoramic vantage point from which we can see attacks coming or spreading."

The private-sector-run ISACs will play a key role in the formation of a public/private effort to respond to national cyberincidents. Other agencies that will be part of the architecture the DHS is now working on include the National Communications System, the National Infrastructure Protection Center, the Federal Computer Incident Response Center, the Office of Energy Assurance and the Critical Infrastructure Assurance Office. All of those agencies are now part of the DHS.

Howard Schmidt, acting chairman of the President's Critical Infrastructure Protection Board, said another major goal of the cyberdefense strategy is to work with the private sector to reduce the nation's vulnerability to attack. Issues such as common router infrastructures and telecommunications systems that serve various infrastructures are responsible for some of the nation's vulnerabilities to potentially debilitating cyberattacks, he said. The national strategy recommends that corporations "consider diversity in IT service providers as a way of mitigating risk."

In addition, the department is considering a cybersecurity alert system that would work in conjunction with the overall Homeland Security Alert System, said Schmidt. However, because the Defense Department also operates a national defense condition alert system, Schmidt said cybersecurity officials are trying to determine how a cyberalert system could be done "without causing confusion."

Notably absent from the final version of the cyberdefense strategy is any plan to force the private sector to improve security. While Schmidt said the goal from the start was to build a "partnership," Bob Stephan, special assistant to Ridge for information analysis, said regulation could be an option for some industries, such as the chemical industry, where the threat to public health and safety is particularly acute.

Although options being considered by the administration range from government grants to insurance credits for those companies that demonstrate a clear focus on security, Stephan said any unwillingness by some industries to focus on security means "regulation may be something that we could use." Though he didn't name them, Stephan said some industries are "not using common methodologies [and] standards."

Stephan acknowledged that the question in the private sector is not whether security is worthwhile. "The biggest concern that industry has is are they doing enough and what is the end state and sustainability" of the current strategy, he said.

In a statement released today, Robert Holleyman, president and CEO of the Washington-based Business Software Alliance, called on Congress and the administration "to ensure that cybersecurity remains a key focus of the new Department of Homeland Security and that the proper resources are allocated to establish the necessary programs and improve the security of government networks."

However, during the news conference announcing the strategies, Ridge expressed concern about the level of flexibility Congress has given the administration in doling out the $3.5 billion budget for homeland security initiatives. "They have placed some constraints on the distribution of those dollars," he said.

For example, only $1.3 billion can be used for a program based on requirements identified by state and local communities, Ridge said. He said it will be important to free up the rest of the money and get it into the hands of the organizations that need it most at the state and local level.

More information is available on the Department of Homeland Security Web site.

Copyright © 2003 IDG Communications, Inc.
