Stanford Report, September 25, 2002

Experts react cautiously to U.S. cybersecurity plan

BY LISA TREI

A national cybersecurity draft plan unveiled on campus last week is a positive step in raising public awareness about Internet safety, but it must not be used to erode civil liberties, university experts said.

The report -- the National Strategy to Secure Cyberspace -- calls for a broad-based partnership between industry and government to improve security in computer networks nationwide. The proposal -- presented as an extension of the war on terror -- makes recommendations to Internet users, technology vendors, businesses and the government for preventing viruses and hacker attacks.

FBI Director Robert Mueller was among the government and industry speakers who spoke last week at Kresge Auditorium as the Bush administration released a draft of its cybersecurity policy. Photo: L.A. Cicero

In the absence of steps to improve network security, the report warns that the nation's critical infrastructure -- railroads, dams and electrical grids -- could be vulnerable to an assault similar in scope to last September's terrorist attacks.

President John Hennessy opened the presentation at Kresge Auditorium on Sept. 18. The program featured speeches by government and industry leaders including FBI Director Robert Mueller and Richard Clarke, chairman of the U.S. President's Critical Infrastructure Protection Board. "Problems in computer security have received insufficient attention in the race to create the Internet," Hennessy said. "Any program to improve dramatically our computer security must also include a significant investment in research."

The 57-page draft, available at www.securecyberspace.gov, will be open for public comment until mid-November, when it will be presented to President George Bush. Originally, the strategy was to be presented at Stanford as a final report, but the administration decided to keep it open for comment to try to build support among high-tech companies that had lobbied to weaken earlier versions.

Jennifer Granick, director of Stanford's Center for Internet and Society and a cyberlaw expert, said a "disconnect" exists between the government's war on terrorism as motivator for the strategy and its actual recommendations, which are based on voluntary compliance.

"I think a lot of these proposals are common-sense proposals about making the network more secure, and that's good," Granick said. "But I don't like cloaking this whole thing in the war on terrorism. I think it masks the report's weaknesses and I think it creates an imbalance in terms of [protecting] civil liberties."

Granick added that voluntary self-regulation will not work. "Unless it's economically profitable, companies will not institute procedures that are protective of their customers," she said. "I'm in the camp that believes you need a more regulatory approach."

The report offers suggestions ranging from home computer users installing personal firewalls to industry and government establishing programs to share information.

Granick said the report does not adequately address the issue of using the Internet to communicate information about the nation's critical infrastructure. Costs, as well as efficiencies, she said, are incurred when using the Internet. "I think we have to be very careful about what type of information and what type of systems we put on the public network," she said. "[Officials] need to make some kind of risk analysis about what kinds of systems should and should not be online. I don't think the report begins to address that."

At the same time, Granick said, society must make sure that the government's need for greater security does not result in a lack of freedom for Internet users in general. "One concern is that those needs will result in a call for an implementation of technical changes in the rest of the Internet that will make it harder for anonymous speech and nontraceability," she said.

Ced Bennett, director of information security services at Information Technology Systems and Services, praised the report as an important first step in raising public awareness about the need for improved Internet security. Most people do not realize that they are at risk of being hacked when they go online, he said. "Every time you attach a new computer to the Internet, within five minutes somebody is scanning it," he said. "The equivalent is as if someone is walking down the street where you live and trying the front door of your house every five minutes. With houses, we all know that when we leave, we lock the door. We haven't had that [understanding] yet with the Internet."

As a university, Bennett said, Stanford faces a constant tension in maintaining a secure computer system at an institution where information is shared. "The whole point of education is to communicate," he said. "We have an open community and anyone can come in. In fact, they're invited in. That makes it all the more important to be rigorous about security at a level below that. Security is something that you have to do in layers."

Bennett's office plans to raise public awareness about computer security on campus this fall. Some of the recommendations will include advising students, staff and faculty to set hard-to-guess passwords for personal computers and to run up-to-date virus software. "I think people can be driven by self-interest if they understand they have [information] at risk and that they do not have to do very much to lower that risk," he said.