WASHINGTON — A national strategy for protecting critical networks from attack is expected to be ready by the spring, according to the Bush administration's point man on network security.

"The threats to our networks have increased significantly" since the Sept. 11 terror attacks here and in New York, Richard Clarke, special adviser to the president for cyberspace security, told an industry symposium on network security on Tuesday (Dec. 11), the three-month anniversary of the attacks. Government agencies and private network operators are drafting versions of a strategy to guard against cyberterrorism, Clarke said.

The U.S. strategy will be an action plan, not "another bloody government report," Clarke stressed. "This document is going to live in cyberspace, it's going to be modular," and it will include legislative and research proposals.

As he had before being named in October to oversee security for U.S. financial, power, air traffic control and other critical networks, Clarke called for a government-industry partnership as threats to network security escalate. He called recent denial-of-service (DNS) attacks such as the Nimbda virus "the tip of the iceberg," warning that more serious attacks are coming as terror groups and hackers probe for weaknesses in network security.

"Parts of our infrastructure are fragile," as the terror attacks and their aftermath showed, Clarke warned.

Early plans call for a "cyber corps" to train security experts and for an awareness campaign that will kick off in California next month. The strategy will also include "coordinated research" on network security, Clarke said.

Call for coordination

The government has thus far allocated $800 million for network security research. And Congress is expected to approve legislation soon that would create a simulation and modeling center to simulate interdependent national networks and identify possible single points of failure within them.

Recent network attacks also have exposed a lack of coordination among security experts. In response, the government plans to launch a Cyber Warning Intelligence Network next year that would bring experts together to respond to attacks.

Government officials said industry must also play a leading role in combating cyber terror. Besides embedding security in software and communications hardware such as routers, Clarke said, companies need to work more closely with vendors to ensure that security software patches are used.

U.S. researchers are also focusing on router security, a frequent target in fast-spreading DNS attacks. "If you want to attack the network, you attack the routing nodes," said Bill Joy, chief scientist at Sun Microsystems Inc. The Defense Advanced Research Projects Agency, one of the creators of the Internet, will host a conference on router security later this month, Clarke said.

Industry role

U.S. officials and industry executives here agreed that industry must create network security standards and "best practices." "This administration will not do it," Clarke stressed.

A big part of the software problem is outdated programming languages that provide little network security, Joy said. Time-to-market pressures and Microsoft Corp.'s dominance of the operating system market mean "the industry ships crap — bad designs, poorly implemented."

Joy said the government's role in network security includes setting standards for the products it buys. More broadly, he said, it could boost the overall performance and security of future networks by making deployment of all-optical networks a national priority.

Experts at the conference agreed that network operators must improve their vulnerability assessments and improve detection and reporting of network attacks. Administration officials said industry needs to think about security on the next-generation network rather than focus on "Band-Aids" for the current one.

"Let's do the vulnerability assessment now, before the next network is built," Clarke said.