29 January 2002
Source: http://usinfo.state.gov/cgi-bin/washfile/display.pl?p=/products/washfile/latest&f=02012801.glt&t=/products/washfile/newsitem.shtml


US Department of State
International Information Programs

Washington File
_________________________________

28 January 2002

White House Developing Plan for Information Infrastructure Security

(Private sector must make key contributions, Bush advisor says) (640)
By Charlene Porter
Washington File Staff Writer

Washington -- The Bush administration aims to develop a new strategy
for security of information systems by June, according to Paul Kurtz,
the White House senior national security director and director of
Critical Infrastructure Protection. Kurtz sought support and
collaboration from the private sector January 25 when he outlined the
administration's goals before an audience of about 500 specialists in
business intelligence software.

"The good ideas come from you," Kurtz said in the keynote speech at a
two-day conference focused on cyber security, homeland defense and the
protection of information infrastructure. The Washington-based
business intelligence company MicroStrategy sponsored the meeting.

In May 2001, President Bush began a review of homeland security, Kurtz
said, placing special emphasis on protection of the information
infrastructures that support the pillars of a technologically advanced
nation -- business, finance, government, energy, transportation and
communications. The September 11 terrorist attacks made the project
more imperative, he said, and underscored that the nation must prepare
itself for a wholly different form of hostile action than what defense
planners had focused on during the last half of the 20th century.

"This isn't a missile over the (North) Pole," Kurtz said. The nation
must now focus on "attacks that can be launched anywhere on the
planet, perhaps by a small group of people." The objective in drawing
a new protective strategy for information infrastructure will be to
"get in front of attacks" such as those the nation experienced on
September 11.

Asked if the industry representatives on hand for the meeting endorsed
the Bush administration's push for stronger cyber security,
MicroStrategy spokesman Marc Brailov said, "No question. The industry
is on the front lines. We're part of the solution, and we're a
target."

Kurtz said the private sector owns 80 percent of the U.S. information
infrastructure, so the administration is devoted to winning
cooperation and support from industry in development of the new
strategy. He hopes that the strategy drawn over the next several
months will be "largely authored" by the private sector.

As currently envisioned by the Bush administration, Kurtz said the new
strategy will avoid excessive government regulation and break down
existing barriers to sharing information between private and public
institutions.

The proposition of sharing information could violate some traditional
corporate precepts of maintaining confidentiality in order to gain an
edge over competitors, but Brailov said in an interview after Kurtz's
speech that "the issue transcends competition" in the post-September
11 environment.

Kurtz said another component of the cyber security plan would be to
develop fail-safe protections for critical government systems. He said
the administration is attempting to construct secure and reliable
networks for public safety agencies, such as the Federal Aviation
Administration, the Secret Service, the Federal Emergency Management
Agency and others.

Information technologies have evolved at a rapid pace. The threats to
those systems can evolve and mutate just as rapidly, Kurtz warns, so
government and business must work together to develop a warning system
that uses common reference points to detect an attack on information
infrastructure.

Kurtz advised the business executives to take a variety of steps to
protect their own organizations. He suggested they identify critical
information systems essential to maintaining operations, and determine
the vulnerabilities of those systems. Security procedures should be in
place, and employees should be educated in their importance. Kurtz
said companies should constantly review their security measures, and
run drills on how to respond to attacks.

"The worst case can happen," Kurtz cautioned. "You need to build it
into your business plans."

(The Washington File is a product of the Office of International
Information Programs, U.S. Department of State. Web site:
http://www.usinfo.state.gov)