Cybersecurity guide delayed

The federal government is pushing back plans to unveil a national roadmap for securing cyberspace until mid-September

The federal government is pushing back plans to unveil a national roadmap for securing cyberspace from this summer to mid-September, President Bush's cybersecurity czar said June 10.

Richard Clarke, White House special adviser for cyberspace security, said the National Strategy to Secure Cyberspace will not be written by bureaucrats, but by people in such areas as higher education, banking, transportation, oil and gas, and state and local governments.

The effort has been under way for several months, with town hall meetings conducted in Portland, Ore., Denver and Chicago. Another is scheduled for next week in Atlanta.

Clarke spoke at the third annual Networked Economy Summit, which focused on technology security. The conference is sponsored by George Mason University's National Center for Technology and Law.

He said the number of cyber incidents is on the rise, causing $15 billion in damage last year, and the incidents are more complex, but many businesses and public agencies are not taking the problem seriously and believe that it won't happen to them. For example, the Nimda worm, which alone did $2 billion in damage, hit many banking institutions that thought they were doing a good job on cybersecurity, he said.

"Well folks, digital Pearl Harbors are happening every day," Clarke said. "It could happen to any company any day.

"At any time, [the number of incidents] could spike," he said. "At any time, we could have a much more serious attack on a piece of the infrastructure or what holds the infrastructure together."

People need to move away from a "threat paradigm" to a "vulnerability paradigm," he said. Instead of reacting to an attack or impending attack, the public and private sectors should conduct a "vulnerability self-examination" at every level.

But the federal government should not regulate, dictate or take a command role in securing the Internet, he warned. That's because in cyberspace, technology and threats move rapidly and the government is not fast enough to keep up, nor does it have the expertise, he said.

Instead, he said the government should:

* Try to stimulate the economy.

* Keep encouraging information technology customers to buy products with adequate security.

* Continue talking with insurance companies to establish cybersecurity insurance based on certain criteria.

* Encourage development of standards and best practices for each sector.

* Help foster a private-sector certification program for IT security companies.

* Help create information-sharing analysis centers.

* Create education and training programs, including funding for the Cybercorps program and centers for excellence.

He also said the federal government should show the private sector the seriousness of the issue. For example, last October, federal agencies were asked to resubmit proposed budgets to include funding for IT security programs, he said. The Office of Management and Budget said certain agency programs would not be funded if agencies did not factor in security. That resulted in a 64 percent increase, representing more than $5 billion, in IT security spending.

He said the proposed Department of Homeland Security (which would house the National Infrastructure Protection Center, the Critical Infrastructure Assurance Office and the National Communications System) should create a concentration of operational, policy, outreach and threat responsibilities in one place, pool skilled staff and improve coordination.

But he said maybe the best way the federal government could help is by being a "nudge," that is, by constantly talking about the issue.