Last Updated: 07/27/2016

Bush to 'Bully' Computer Security

SAN FRANCISCO -- A plan by President George W. Bush's administration to improve computer security will impose no new regulations but instead use the "bully pulpit" and the federal checkbook to reduce cyber-attacks, according to industry insiders.

When cyber-security czar Richard Clarke releases the long-awaited proposal Wednesday in Silicon Valley, he will shine a spotlight on "safe computing" practices that security experts say are not used enough.

Observers expect Clarke to announce that the U.S. government will direct some of the $50 billion it spends each year on software, computers and other information technology toward products that meet certain security standards.

But the former counterterrorism expert will shy away from imposing similar rules on an industry that has lobbied for months against them.

Instead, Clarke will offer a wide range of suggestions to businesses, universities and individuals about how to voluntarily shore up their online defenses.

High-tech officials say the hands-off approach will allow them to lock down cyberspace faster than they could if they had to follow new laws or regulations.

"Talking and spending is probably the most effective means to get something done, rather than proposing legislation," Stratton Sclavos, chief executive of security company VeriSign Inc., said Monday.

But others said businesses were unlikely to spend extra money to secure their networks amid a recession if they were not required to do so.

"Security budgets are flat for most corporations. If anything, they took money away from cyber-security over the past year," said Ed Skoudis, vice president of security strategy for New York consulting firm Predictive Systems.

While early drafts of the proposal required Internet service providers to bundle firewalls and other security software with their service, Clarke will now only suggest their use, high-tech officials said.

"ISPs take the position, quite rightly, that they're not security specialists," said Harris Miller, president of the Information Technology Association of America. "There are important issues about capacity, liability, cost."

Alan Paller, research director at the System Administration, Networking and Security Institute, said Internet service providers can easily detect and stop Internet attacks. But they don't want to spend the extra money needed to upgrade their systems to help prevent worms or denial-of-service attacks, he said. They also don't want to be held liable for failing to do enough.

A proposal to ban the use of wireless networks by government workers, as the Defense Department is considering, has similarly been softened.

"I think earlier versions of the draft did either imply or direct federal agencies to make pretty radical breaks with wireless technology until the security improves," said Mario Correa, director of security policy at the Business Software Alliance, a high-tech trade group. The latest version of the proposal only suggests that federal agencies and departments should not use wireless technologies in certain circumstances, she said.

In addition, the proposal asks industry to ship products that are more secure or set to secure default settings, and to get software patches and fixes out more quickly.