"There has always been an awareness that national security is a very big business concern," said John Tritak, head of the Bush administrations point agency for fostering cooperation between the public and private sector. "The urgency has not changed, but the appreciation that theres an urgency has."
Ron Dick, director of the FBI's computer crime division, said the agency now conducts multiple daily briefings with industry groups representing the power, water and financial services industries to discuss possible points of attack on computer systems.
The increased cooperation comes as the FBI warns that terrorists could soon target vulnerabilities in systems that regulate the nation's most critical infrastructures, such as the national power grid and the telecommunications network.
Sen. Robert Bennett, R-Utah, said the next physical terrorist attack on U.S. targets may likely come with a simultaneous attack on computer systems used to coordinate an emergency response.
"Realize how the two can be tied together to produce the maximum terror and fear, so that not only has something very spectacular blown up, but we can't do anything about it because our computers are shut down," Bennett said at a conference sponsored by the Center for Strategic and International Studies.
Though both sides cheer the relatively nascent cooperative efforts, Congress and industry have determined that the data sharing will go only so far without legal guarantees giving companies a limited exemption from antitrust scrutiny for sharing information on computer attacks.
Corporations also want to limit information that may be obtained by the press or public through the Freedom of Information Act.
Bennett and Sen. Jon Kyl, R-Ariz., recently introduced legislation to enact such protections. Reps. Tom Davis, R-Va., and James Moran, D-Va., have proposed a similar measure in the House.
Bennett, who played a key role in drafting similar legislation in preparation for the Y2K conversion, said the response to his legislation from both industry and fellow lawmakers has been overwhelmingly positive.
So far, intense internecine squabbling among various Senate committee chairmen with jurisdiction over the measure typifies the sort of stovepiping that has stymied stronger interagency cooperation on computer-security issues to date, Bennett said.
"Everybody likes my bill, but we can't find a home for it," he said. "They say hell hath no fury like a congressional chairman whose jurisdiction is challenged. Various chairmen of the various committees say, 'Yes, this is an important problem, and I will handle it.' Every one of them is willing to take on the issue, but not one is willing to give up jurisdiction to anyone else. At the moment, [Senate Majority Leader Tom] Daschle is struggling with how he can deal with the various maharajas who preside over these committees."
Bennett's bill would encourage industry sectors to share data on computer intrusions and network vulnerability with the government, which would, in turn, compare the information with data gleaned from other sectors and provide industry with a meta-analysis of the data.
Bennett said he was engaged in ongoing discussions with the new chairman of the Securities and Exchange Commission to see if the SEC might be amenable to issuing a rulemaking that would require companies to detail their information security measures in their quarterly SEC filing, in much the same way companies were required to list their Y2K remediation efforts leading up to the date change.
"If you adopt a fail-and-fix notion with respect to cyber terrorism, you're going to have much higher costs than if you address the issue up front," Bennett said. "If we can get the SEC and other agencies to get people to understand that, we will go a long way toward getting the advantages that come out of remediation activities."
But Harris Miller, president of the Information Technology Association of America, said the federal government must first do a better job of coordinating action among its own agency heads accountable for computer crime-fighting agencies.
"The alphabet soup of government agencies charged with some aspect of computer crime prevention makes it easy to see why progress has been slow," Miller said.
His comments are reinforced by a General Accounting Office (GAO) report issued on Thursday, which found the number one obstacle to greater information sharing among federal organizations was settling on a common approach for sharing such data.
Last week, the Bush administration signed an executive order to establish a critical-infrastructure-protection board that would be staffed by CIOs from major federal agencies. Those agency chiefs would answer to longtime national security aide Richard Clarke, tapped earlier this month to be the government's information security czar.
Yet Miller said most federal CIOs he has talked to privately concede they are in desperate need of funding to update the computer equipment needed to carry out their new responsibilities. The GAO report cites a general lack of adequate funding as the second biggest obstacle to increased interagency cooperation.
Miller suggested the government invest at least $10 billion in federal spending, grants and loans to get the job done.
"Simply saying that this is important is not the same as providing the resources to get the job done," he said.
Brian Krebs, Newsbytes