Efforts by the Bush administration to secure key IT systems that support the nation's critical infrastructure have been "vague and weak," Sen. Joseph Lieberman, D-Conn., the ranking Democrat on the Senate Government Affairs Committee, said in a March 19 letter to Homeland Security Secretary Tom Ridge.

Several days later, former cybersecurity czar Richard Clarke criticized the administration for not taking the terrorist threat seriously enough prior to Sept. 11, 2001. Clarke also told a congressional committee that cybersecurity "is still an extraordinarily important issue for which this country is very underprepared."

In his letter, Lieberman complained of slow progress in establishing Internet vulnerability baselines, which were supposed to be set by mid-2002, and in securing remote-monitoring and -management systems used by utilities. He also charged there was little progress in reducing the number of software vulnerabilities that make many cyberattacks possible.

The letter says some of the blame can be placed on the delay in filling the position Clarke vacated in February 2003. The post was filled on Sept. 15 by Symantec Corp. VP Amit Yoran, who was named director of the Homeland Security Department's National Cyber Security Division.

Yoran rejects charges of slow progress. "Implementation of a national cybersecurity strategy is a significant task whose scope and complexity cannot be underestimated," he wrote in an E-mail. "While there are challenges in the area of cybersecurity, we have great confidence, leadership, and enthusiasm in taking on this important and honorable endeavor."

Security professionals are concerned that cybersecurity isn't getting the attention it deserves from the Bush administration. "I'd like to see a greater sense of urgency," says one security manager at a major telecommunications company who asked not to be identified. "While cyberterrorists may not attack us digitally this year or next, it's something that's likely to happen someday, and we need to be better prepared."

Others agree. "Lieberman has it right; there's been a whole lot of paper shuffling," says Lloyd Hession, chief information security officer with financial-network provider Radianz Inc. Federal regulations to establish basic information security guidelines could help raise overall security, he says. "Sometimes you need regulation to get things done right and safely. Just look at consumer-protection and public-safety laws and the auto industry."

If the government won't create security regulations, Hession says he'd like to see it embrace existing best practices in security for critical infrastructure industries so government officials can point to those and say: "This is what we expect."

New security regulations in health care and financial services have helped to raise awareness--and budgets--for IT security, says Alan Paller, director of research at the SANS Institute, a cooperative research and education organization. The federal government could start by setting uniform security standards for the software it buys. "That would go a long way to improve application security," Paller says.

Still, some businesses aren't waiting for government guidance. "There's a challenge with respect to the Internet and the speed with which we need to react," says Anuj Dhanda, CIO of retail and wholesale banking for PNC Financial Services Group Inc., a financial-services company that's already participating in industry-security and information-sharing groups. Says Dhanda, "Our attention to it will not diminish."