From...

July 12, 1999
Web posted at: 11:35 a.m. EDT (1535 GMT)

by Ann Harrison

LAS VEGAS (IDG) -- A White House official last week outlined a 10-point plan for protecting critical U.S. information systems from attacks by hostile nations and organized crime. One goal is to get businesses and government agencies to exchange information about security breaches.

Jeffrey Hunker, director of the Critical Infrastructure Assurance Office of the National Security Council, unveiled the plan at the Black Hat Briefings computer security conference here. Known as Version 1.0, the plan is backed by the president's $1.4 billion budget request for national cyberdefenses in fiscal year 2000.

Hunker acknowledged that in the past many companies were hesitant to report security intrusions to state and federal agencies, but that may be changing. He noted that the banking industry is setting up a pilot system to confidentially share information on intrusions and threats. The system could include briefings for government agencies and nationwide computer emergency response teams.

MORE COMPUTING INTELLIGENCE
	IDG.net home page
Computerworld's home page
Computerworld Year 2000 resource center
Computerworld's online subscription center
Reviews & in-depth info at IDG.net
IDG.net's personal news page
Year 2000 World
Questions about computers? Let IDG.net's editors help you
Subscribe to IDG.net's free daily newsletter for IT leaders
Search IDG.net in 12 languages
News Radio
	Computerworld Minute
	Fusion audio primers

Raymond A. Pompon, a data communications analyst at the Boeing Employees Credit Union in Seattle, said he liked the idea of organizations exchanging security information -- a process which he said was already occurring among credit unions.

The Clinton administration's plan generally calls for the public and private sectors to develop their own safeguards but to work together to identify best practices and swap information.

Hunker said the first phase -- to be implemented next year -- is for both sectors to identify and address vulnerabilities, using network analyzer software and tiger team attacks.

"The systems we are using are full of holes. They are like Swiss cheese," Hunker said, referring to government systems. "We have to identify critical vulnerabilities and fix them."

In the second phase, government agencies and businesses would set up systems to detect attacks and unauthorized intrusions with firewalls, intrusion detection monitors, enterprisewide management systems and malicious-code scanners. Full-scale deployment is expected by 2003.

Other elements of the plan include developing robust law-enforcement capabilities to investigate and prosecute cyberattacks, as well as a federal scholarship program, called CyberCorps, to train information security specialists.