Communications Litigation Today was a service of Warren Communications News.

CLARKE: CYBERSECURITY DRAFT RELEASE ‘UNPRECEDENTED,’ DEFENSIBLE

September 19, 2002 by Louis Trager, Patrick Ross, Mary Greczyn and Dugie Standeford|Miscellaneous

STANFORD, Cal. -- While acknowledging that releasing White House cybersecurity report in draft form Wed. (CD Sept 18 p1) was “unprecedented,” White House Cybersecurity Czar Richard Clarke defended its lack of conclusions by telling high-tech audience here that now “everyone in the country can tell us what they think it [the nation’s cybersecurity strategy] should be.” More than 200 pages were excised from earlier drafts of National Strategy to Secure Cyberspace as it circulated among hundreds of companies and trade associations in recent weeks. That approach to plan’s formation reflected Clarke’s oft-stated point that nearly 90% of nation’s critical infrastructure was held by private sector, but it also reflected Administration position that cybersecurity was not area in need of immediate regulation.

Draft report defended its status as draft, as well as reliance on private sector initiative. “The Strategy is not written in stone,” introduction said. Instead, White House plans “to periodically issue, online, new releases of the Strategy as it evolves.” Report also includes hyperlinks to sites “owned and operated by nongovernment organizations, trade associations, academic institutions, state and local governments, and corporations,” it said, because “the National Strategy is not intended to be a federal government prescription, but rather a participatory process.” Four trade associations were cited in . report and at Palo Alto ceremony as being central to effort -- CTIA, Information Technology Assn. of America (ITAA), Telecom Industry Assn. (TIA), USTA.

Simultaneous with unveiling of report here on Stanford U. campus, Commerce Dept. held Homeland Security Tech Expo at D.C. Armory, showing simulcast of Clarke’s speech and allowing dozens of security-focused companies to exhibit their products and services. At that event, Commerce Dept. Undersecy. Kenneth Juster said “the strong preference of us in government… is to rely on market solutions rather than federal mandates.”

“The government cannot dictate, the government cannot mandate,” Clarke told high-tech leaders: “We need you to bring your expertise to design those strategies” to secure cyberspace. Clarke’s deputy, former Microsoft official Howard Schmidt, said “this is not about government regulation.” Juster echoed Clarke in defending draft release, saying any effort to convince everyone from large corporations to individual computer users to adopt new security measures requires “a broad support of the public,” which could come from 2-month comment period. FTC Comr. Orson Swindle, who represented U.S. in cybersecurity report prepared by Organisation for Economic Cooperation & Development (OECD), echoed nonmandate approach of govt. speakers by comparing report to parents telling children to look both ways before crossing street. FBI Dir. Robert Mueller did announce new govt. initiative, saying FBI would be teaming with Secret Service in forming electronic crimes task forces in several key cities.

While trade groups such as Business Roundtable and Internet Security Alliance lauded report, reaction wasn’t universally favorable. “The government’s heart is in the right place, but asking us to practice safe-surfing in cyberspace smacks of its unheeded calls for safe sex in back seats,” said Wayne Crews, Cato Institute dir.-technology policy: “Government should set the example by shoring up its own networks, and to its credit, the report calls for that.” VeriSign Chmn. Stratton Sclavos said report marked “beginnings” of comprehensive blueprint for govt. and industry to work on security issues surrounding digital networks.

CTIA pointed out extent to which report focused on wireless LAN technologies such as Wi-Fi and not mobile phones. “Newer technologies, such as Wi-Fi and personal area networks, are adding on security measures as they develop, but today, none match the advanced tools and policies used by commercial wireless networks,” CTIA Pres. Tom Wheeler said. While final version of draft didn’t mention mobile phones, one earlier version circulating this week had cited next- generation wireless technologies such as General Packet Radio Service and Universal Mobile Telephone Service (3G). “These technologies will provide high data transmission rates and greater networking capabilities,” earlier draft had said. “However, each new development will present new security risks, and government agencies and private sectors must assess these risks to ensure that critical assets remain protected.”

At news conference, officials responded to questions about draft’s emphasis on private vs. govt. action. “It is a strategy rather than a programmatic budget document,” Clarke said of possible increases in federal spending on security R&D. Administration will follow up by analyzing each sector’s needs and then make specific recommendations in budget process, he said. Commerce’s Juster reiterated that market action was preferred to govt. intervention. “As a last resort, where the market is not responding, we will have to look at other measures, but that is not our preferred approach.”

Clarke said 2 months of discussion on draft before completion of plan would supply something that 10 months leading up to draft could not: “Specific comment on a specific set of proposals.” Responding to suggestion that Microsoft had too much influence in deliberations, he said “everyone will have an equal say in recommending things.”

Clarke said al-Qaida took interest in cyberattacks, downloading tools for that purpose and researching crucial U.S. facilities. But “I don’t want people to think al-Queda is the largest part of the cyberthreat.” he said. “We're going to eliminate al-Queda.” That still leaves extortion, national and industrial espionage, govt. cyberwarfare and other dangers, he said. “Somewhere along the line, we will face a major threat, even if we've not identified those threats” specifically, Clarke said.

Pres. Harris Miller of Information Technology Assn. of America said draft offered “a road map, and we will be able to measure our progress” against new set of metrics. He said IT industry had been accused, contradictorily, of not caring enough about security and of seeking to profiteer from issue.

Among others not pleased with stripped-down version of report was House Judiciary Crime Subcommittee Chmn. Smith (R- Tex.), author of cybersecurity bill that passed House earlier this year and is awaiting action in Senate. He said: “We need a more comprehensive plan, one that contains necessary preventative measures.” Smith, based on seniority, is considered likely candidate to replace retiring Rep. Coble (R-N.C.) as top Republican on House Judiciary Subcommittee on Courts, Internet and Intellectual Property in next Congress.

Report Recommends 6 Global Actions

Saying U.S. can’t go it alone on cybersecurity, report recommends 6 actions to spur more international cooperation: (1) It calls for govt. and private sectors to work with other countries and international and nongovernmental organizations to build national and global watch-and-warning networks for detecting and preventing cyberattacks. (2) It urges U.S. to encourage other nations to adopt Council of Europe cybercrime treaty or to ensure their laws are at least as comprehensive. (3) It says U.S. should work with Canada and Mexico to identify and implement best practices for securing critical N. American information infrastructures. (4) It calls on U.S. to join with industry and international organizations to stimulate dialog and partnership between foreign public and private sectors on information infrastructure protection. (5) It urges U.S. to promote sort of global “culture of security” envisioned by Organization for Economic Cooperation & Development’s Guidelines for the Security of Information Systems and Networks. (6) It calls for each country to appoint national cyberspace czar.

International recommendations haven’t been “lightning rod” that private sector ones have been, said Cato Institute’s Crews. Most of recommendations apply to govt., and “it’s widely known that government networks are full of holes and easily breached,” he said.