Bush calls for cyber-security force

The White House is setting up a panel to determine the best way to fend off attacks on government systems and protect 'critical' private-sector computer networks.

WASHINGTON--The Bush administration is moving to set up a government cyber-security panel to determine how best to protect the nation's most important computers and keep the federal government functioning in case of serious cyber-attack.

The effort is outlined in the final draft of an executive order, called "Infrastructure Protection in the Information Age," which is circulating among senior administration officials. President Bush is expected to sign and issue the order within two weeks, and the panel would begin operations Oct. 1.

To be composed of 23 officials representing a broad range of federal departments and agencies, the panel would be a focal point for policy decisions on computer-network security and act to ensure that outages from attacks are "rare, brief, limited geographically, manageable and minimally detrimental to the economy, human and government services and national security," the draft order says.

The document doesn't spell out who will run the board as a senior adviser reporting to Bush, but the presumptive chairman is Richard Clarke, the U.S. national coordinator for counterterrorism, organized crime and computer security. The order specifies that each department and several agencies appoint a "senior official" to the committee, but it remains unclear whether board members will have sufficient clout to reverse years of generally poor computer security in government.

The board could have an indirect impact on private industry. It will work with industry groups on how to protect "critical'' private-sector computer networks, such as those controlling banking, telecommunications and electric power. It also is expected to consult with Congress on computer-security legislation. And by helping to set standards for government equipment, the board could influence the broader market.

It will work with companies through advisory panels and two industry groups, the National Information Assurance Council and the National Security Telecommunications Advisory Committee.

But some computer-security experts question whether a committee approach can be effective. "All of these people have a point of view," said Fred Rica, a partner at PricewaterhouseCoopers who participates on a White House advisory committee. "Ultimately you need someone accountable."

The result of months of review by the National Security Council, Bush's order wouldn't make the board itself responsible for computer break-ins at U.S. agencies; the heads of departments would continue to be accountable for lax security.

The new order switches oversight for national security networks from the Pentagon to the civilian board. Under the order, the Defense Department would help lead studies on protecting sensitive U.S. networks and deciding how to respond to attacks. Senior officials earlier had hoped to scrap some of the government's patchwork of committees, boards and councils responsible for warning about cyber-attacks. The new order doesn't disband any existing organization.