Forbes - SAN FRANCISCO, CALIF. - There's a problem facing the Bush administration: It has $30 billion to spend over the next five to seven years to keep the U.S. safe from hackers and cyberspies.

The Bush administration's cyber initiative, signed by the president in early January, aims to increase surveillance of government networks, which have suffered multiple major intrusions in recent years. But the vulnerability of critical infrastructure systems, mostly owned by the private sector, has slowly emerged as a real threat to national security. Over the past two years, cybercriminals extorted hundreds of millions of dollars from critical infrastructure companies, according to Alan Paller, director of the SANS Institute, an organization that hosts a crisis center for hacked companies. (See: America's Hackable Backbone). In January, a CIA official told a conference of cybersecurity professionals that power outages affecting multiple non-U.S. cities had been the work of hackers. (See: Hackers Cut Cities' Power).

Laura Sweeney, a DHS spokesperson, countered that it's still too early to judge how the cyber initiative deals with the private sector--the project is still focused on securing government networks, she argued. But she pointed to NIPP as evidence that the government can successfully work with private industry, even when trading in classified data. "For now we're focused on getting our own house in order," she said. "But we've realized that the private sector will be an incredibly important partner moving forward."

But the disconnect between the private sector and government is a familiar problem, says Howard Schmidt, a former Air Force and DHS official who has also held jobs at eBay and Microsoft. "When I was working with a corporation, I would hear from the government about a new attack pattern, and because it was classified, I wouldn't be able to share it with my IT people," he says. "It's a very real problem."

Despite Chertoff's comments about private sector partnership and Project 12's initial attempt to open communication, that old problem of overclassification still afflicts the cyber initiative, says Schmidt. "When I think about what I would do to secure government networks--things like intrusion protection, strong authentication, event correlation and data analysis--none of it would be classified," he says. "This decision about what to classify is a very big deal, and it's something that the government has got to fix."