Clarke: Government Has To Help Private-Sector Security Efforts
Former Bush administration cybersecurity adviser says businesses have to secure their own systems and work to secure the Internet.
In his first public speech since leaving his post as special adviser to the president for cyberspace security, Richard Clarke on Monday put to rest rumors that his departure came about because he believed the presidential strategy to secure cyberspace, released last month, was too watered down from the draft released in September. But he also told attendees at information's Spring Conference that now is the time to work hard to get the government to fund the research, pay for awareness training, and provide information--even classified data--to the private sector about threats in order to help industry play its part in the private-public partnership to secure cyberspace. And he warned that companies have to do the hard work not only of securing their own systems but of securing the Internet itself.
Terrorism, the potential war in Iraq, and the country's cyber-vulnerability all came under Clarke's scrutiny. Referring to the arrest this weekend of al-Qaida's Khalid Shaikh Mohammed, said to be the mastermind of the Sept. 11, 2001, attacks, he noted that the terrorist group might use cyberspace to attack the country's infrastructure. But even if it didn't, it was clear from confiscated computers that the group was using the Internet to do "virtual reconnaissance" on our infrastructure--not only on companies but on dams and power plants and the software that runs them--and downloading hacker tools from Web sites. As for Iraq, he said it was impossible to know what cyberattack capability the country may have, but that it's easy to hire experts in cyberattacks.
And he noted that some of the recent attacks, such as the DNS denial-of-service attacks of a few months ago and the recent Slammer worm, seem to be evidence of "some funny things happening in cyberspace" that stopped short of being seriously destructive. "It looked to me like people were seeing what you could do to be really destructive but not being really destructive," he said, "yet."
Even companies that have managed to avoid cyberinjury so far need to care about vulnerabilities in the DNS as well as in the border gateway protocols because "the chances of being hit in the next 24 months are high" no matter how good a job you're doing with security. And even if your own company isn't hit, chances are someone you depend on may be. But more important, attacks "hurt the economy. Osama bin Laden said to go after the American infrastructure and their economy." The $17 billion lost in 2001 as a result of cyberattacks is a drop in the bucket in a $17 trillion economy, but Clarke says that's just the tip of the iceberg. "We'll see more destructive attacks." Additionally, without real security in cyberspace we won't realize the full potential of the IT revolution, Clarke said.
He offered specific suggestions, including asking software companies to come up with best practices for code drafting so things such as buffer overflows can be avoided; having the federal government offer tax credits to encourage companies to get rid of old edge routers that aren't equipped to secure border gateway protocols; having broadband providers make sure to include firewalls as part of the broadband-access packages they sell to consumers so their PCs can't be taken over for use in denial-of-service attacks; having Internet service providers follow FCC voluntary rules, posted a few months ago, to ensure security and interoperability; and improving wireless phone security. He also said that it's important for American industry to move from IPv4 to IPv6, as Europe, Japan, and China as well as the federal government will do in the next couple of years, because trying to translate between IPv4 and IPv6 will only create big problems, including big security problems.