should be sharing information with, or whom it can depend on within the government for up-to-date information. So far, one can argue that possible focal points include the Department of Homeland Security, FBI/NIPC, CIAO, the new Cybersecurity Board, and a mix of other government agencies: the FTC, FCC, SEC, DOE, DOD, and more. The new Department of Homeland Security is further altering the government landscape.19 It may centralize some federal responsibilities for CIP, although it seems clear that others will remain distributed among many agencies. After this major organizational change is set in motion, the government should clearly and consistently explain to the private sector what its objectives are for CIP, how it has organized itself to accomplish those objectives, who is responsible for what (e.g., what are the information flows), what kind of information should be shared and in what form, and why all of this is important (i.e., what the threat is and how the proposed actions will address the threat). This message should clearly and consistently articulate what protections already exist for information sharing and what safe harbors exist (or will be established) to encourage information sharing in light of FOIA and antitrust concerns in the private sector. A clear and consistent message from the government to the private sector will go a long way toward building the trust that is necessary to protect the nation’s critical information infrastructures.


Observers note that the recent government-wide cybersecurity reorganization has increased confusion about where to go to report cybercrime incidents (Michael Fitzgerald, 2003, “Homeland Cybersecurity Efforts Doubled,” Security Focus, March 11).

The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement