Clinton to propose Net security center

The Cyber-National Information Center, to be known as Cyber-NIC, will be a place where companies "can work together to address cyber security problems and crises," according to a planning document. In addition, the White House is asking its science adviser, Neal Lane, to take the lead in establishing a think tank supported by both the public and private sectors to consider cyber security issues.

The modest steps reflect the lack of consensus about how the government should respond to last week's incidents, in which numerous Web sites were brought down after being deluged with meaningless data. Some industry representatives have been concerned that federal law-enforcement agencies may use the attacks to pressure companies to take security steps that are either costly or otherwise unpopular with Internet users.

The private and public sectors tend to take different approaches to security issues, with companies emphasizing narrow technical changes, like better protocols at Internet-service providers, while government has stressed increased law-enforcement activities and the like.

Search for common ground
But since last week's attacks, both sides have been trying to find common ground. Commerce Department officials, for example, have had numerous telephone discussions with industry representatives in the days since the attacks to work out security approaches. One person following the calls said they were designed, as much as anything, to get companies talking to each other.

"We're not bringing much to the table outside of a desire to be helpful," said one Commerce Department official. "We want the private sector to solve its own problems. After all, they're the ones who own the infrastructure. This is just not a realm that is conducive to a top-down, government-czar approach."

Still, there are concerns. One person who is attending the session said top executives at several of the companies invited to the White House have been reluctant to attend the meeting, out of fear of being pressured into making security steps they would rather avoid, and are therefore sending lower-level executives who lack the authority to make commitments for their companies. The White House Monday was insisting that only "principals" attend for companies, according to one invitee.

Among the companies expected to attend are Microsoft Corp. (Nasdaq: MSFT), IBM Corp. (NYSE: IBM), America Online Inc. (NYSE: AOL), Yahoo! Inc. (Nasdaq: YHOO), Electronic Data Systems Corp., Lucent Technologies Inc. (NYSE: LU), eBay Inc, (Nasdaq: EBAY), Nortel Networks Inc. (NYSE: NT), Iridium LLC and AT&T Corp. (NYSE: T).

Focus on existing programs
President Clinton said Monday in an online interview with CNN.com that he found the attacks last week "very disturbing" and hoped to use Tuesday's summit as a way to promote Internet security. The White House plans today to refocus on a few existing programs, including a proposal to spend $9 million on education and training for computer-security specialists.

The money, earmarked for this year, was included as a supplemental item in President Clinton's 2001 budget proposal. Administration officials say their efforts to boost critical infrastructure protection have been hampered by a severe shortage of trained computer-security experts.

On the private-sector side, the Information Technology Association of America, a trade group, said that in preparation for the session it had coordinated support for agreed-upon "best practices" that its tech-company members should adopt to keep hackers at bay. The association said most tech companies had long been concerned with security issues, but that they may need to become even more vigilant.

"The recent incidents are a 2-by-4 across the head of the entire industry and helped push the issue high up on everybody's list," a spokesman said.

A statement to be issued by the group calls for the establishment of "a mechanism for the systematic and protected sharing" of information on cyber attacks, security vulnerabilities, and countermeasures.

Meanwhile, security experts said a monetary reward may be needed in addition to technical detective work in order to track down the perpetrators. Financial rewards are commonly used to solve criminal cases, and some experts now are starting to push the idea as a way to crack last week's attacks.

"This thing needs a million-dollar bounty if it is going to be solved," said Michael D. Allison, CEO of the Internet Crimes Group Inc., a Princeton, N.J., security-consulting operation. "That's one way of turning the firepower of the hackers against themselves."

Mr. Allison and others cite two reasons in advocating rewards. For one, skillful hackers know how to hide their tracks. "Mixter," the German hacker who wrote one of the programs involved in last week's attacks -- but who isn't suspected of actually launching them -- has told interviewers that the chance of finding the person who used the program is slim unless he made a serious mistake.

Bragging rights
What's more, hackers routinely talk to each other over communications links known as IRC channels, and tend to know about the activities of other hackers. In fact, people familiar with the hacker world say that bragging rights are a major motivation for Web attacks in the first place. Also, there are many well-known rivalries among hackers, suggesting that could be exploited by offering a reward.

"This case is probably going to be solved by an informant, and not by any technical tools," said Steve Bellovin, a prominent expert in network security issues at AT&T.

On the eve of the online-security summit, further attention was drawn to the Internet's vulnerability to mischief. Monday night, Reuters reported that online hecklers posted irreverent queries to the CNN.com Internet site during the interview with President Clinton, and that "ribald remarks" under Clinton's name slipped through a network filter designed to block inappropriate questions.

A representative of CNN wouldn't confirm or deny the report.