The Bush administration yesterday announced its strategy for protecting computer systems from attacks by hackers or terrorists, but it backed away from proposals by several security experts for government requirements and funding.
Instead, the plan suggests how individuals, businesses and governments can meet the growing threat of cyber-attacks on computer networks.
"Of primary concern is the threat of organized cyber attacks capable of causing debilitating disruption to our nation's critical infrastructures, economy or national security," said the plan, released by the Department of Homeland Security.
The plan encourages companies to regularly review their technology security plans, and individuals who use the Internet to add firewalls and anti-virus software to their systems. It calls for a single federal center to help detect, monitor and analyze attacks, and for expanded cyber-security research and improved government-industry cooperation.
The report is markedly different from early drafts that included proposals championed by Richard A. Clarke, who recently resigned as President Bush's adviser on cyberspace security. Among them were suspending wireless Internet service until security holes were addressed, requiring Internet service providers to include firewall software and recommending that government agencies use their power as major purchasers of computer programs to push software makers to improve the security of their products.
"Leaving it to the vendors is basically the path we've been following . . . and the whole reason we have the problems that we have," said Eugene H. Spafford, a security expert and professor at Purdue University who frequently consults with the government.
Clarke could not be reached for comment.
Peter G. Neumann, chief computer scientist with SRI International, a nonprofit research group in Silicon Valley, said the recommendations were like saying, "If you put duct tape around your computer, you'll be secure."
Technology and telecommunications companies lobbied hard against regulation, arguing that the private sector is better qualified to develop the most effective security.
The report was scheduled for release last September but the government said more input from industry was needed.
"It's a wonderful statement of the problem," said Allan Paller, director of the SANS Institute, a computer security think-tank and education center. "But it's missing some of the best ideas that people had."
Paller said that through the various drafts the report went from "companies should do something, to companies should consider," and in some cases to no recommendations at all.
Democrats, too, were disappointed.
"When it comes to cyber-security, we're running at a punch-card pace when we need Pentium speed," said Sen. Charles E. Schumer (D-N.Y.), who is the Senate Democrats' point man on homeland security. "The administration has been working on this proposal for months and should have come out with a specific plan of action, not a vague set of broad principles that has no money backing it up."
Of particular concern to computer specialists is pushing the technology industry to develop more secure products. "You need much stronger stuff, and you can't get it," Neumann said. "There's no accountability."
Among the ideas that were discussed were financial incentives for improving security and legal liability for failing to meet basic security standards.
Technology companies supported the report yesterday.
"The national strategy challenges our traditional focus on technology as the 'silver bullet,' and highlights more fundamental behavioral matters -- like IT training and certification -- that can make America's computer networks safer," said Michael Wendy, policy counsel for CompTIA, a technology trade association.
Sources familiar with discussions between the industry and the administration said some tech companies would have supported a more concrete plan. But White House advisers held fast to their philosophical reluctance to regulate free markets or to impose industry standards that might favor one sector over another, the sources said.
Mark D. Rasch, chief security counsel for Solutionary Inc., a computer services firm, said the report was an important first step. But critical industries such as banking and utilities should be subject to mandatory security audits, he said.