No plan for personal cybersecurity
At Lines of Defense, ZDNet's first-ever national town-hall meeting, a doctor asked via Internet chat whether the U.S. government had guidelines for securing privately owned PCs from hackers. Jeffrey Hunker, a senior White House adviser on threats to the national infrastructure, gave a less-than-comforting answer.
"I think the short answer is no," Hunker said. "There is no commonly accepted framework of standards or configurations of guidance for cybersecurity."
Hunker was the keynote speaker and a panelist at the Lines of Defense Town Hall, held to discuss Internet security in general and the Clinton administration's National Plan for Information Systems Protection in particular. (Download a copy of the national plan.)
Other panelists at the event, held at ZDNet's San Francisco headquarters and Webcast live, were Brad Templeton, Electronic Frontier Foundation chairman; John S. Tritak, Critical Infrastructure Assurance Office (CIAO) director; Kenneth C. Watson, Cisco Systems Critical Infrastructure Protection manager; and Gregor Freund, Zone Labs president.
Hunker said that while corporations have best-practice policies, few recommendations exist for individuals. "I find it extraordinary that we don't have such a policy," he said.
That oversight leaves personal PC security -- a critical step to prevent distributed denial-of-service attacks like those that struck eight major Web sites, including ZDNet, in February -- in limbo.
Freund, whose Zone Labs develops personal firewall software, said individuals have to take care of their own Internet civil defense. "Security is a personal responsibility," he said. "Just like you lock your car to protect it against being stolen.
"With the denial-of-service attacks, people have realized (that) with your PC you have a very powerful -- I don't want to say weapon -- but conduit for these attacks," Freund said. "Closing that door is important for national security."
Hunker said the problems facing the government are difficult ones: "The Internet (may have) been designed against nuclear attack, but it was never designed to be resistant against electronic attack."
Corporations have to take a central role to solve the problem, said CIAO's Tritak.
"Government is taking a supporting role. We do not want to regulate," Tritak said.
While national security and civil rights have frequently been at odds, that doesn't have to be the case in the Internet age, said the EFF's Templeton.
"We are not against security systems," Templeton said. "Every security technology protects all of us (not just corporations) against attacks." Encryption, he pointed out, is a pro-privacy technology that also enhances data security.
However, Cisco's Watson said some sacrifices must be made for better security.
"We don't have a problem sacrificing a bit of our own privacy by going through a metal detector in an airport to make the flight safer," he said. "It will be the same for Internet security."
Hunker stressed that Clinton's National Plan is a work in progress -- such issues could easily be incorporated. "What the National Plan answers is a drop in the bucket to what needs to be addressed," he said.
"This is Version 1.0 of the plan," he said. "We titled it 'An Invitation to a Dialogue' for a reason."