Anyone
      following cybercrime may think the whole concept of "cyberterrorism" is an 
      overhyped myth. With Web defacements and short denial-of-service attacks 
      the norm, few fear a future attack from the Net.
      But Richard Clarke, the newly appointed special adviser to the 
      president for cybersecurity, is one of those few. 
      
Leading the government's charge to secure critical components of the 
      Internet, Clarke doesn't think the past is any indication of what might 
      happen in the future. As more companies put increasingly important data on 
      the Internet, Clarke thinks it's only a matter of time before an 
      individual or group takes advantage of the United States' poor security. 
      
That's why the secretary of homeland security, Thomas Ridge, appointed 
      Clarke as the cyberterrorism czar, making him responsible for finding 
      weaknesses in the Internet and ensuring they aren't exploited. 
      
The role is a familiar one for Clarke, who served under President 
      Clinton as the national coordinator for security, infrastructure 
      protection and counterterrorism. On the National Security Council staff 
      since 1992, he has handled the reform and reduction in the cost of U.N. 
      peacekeeping, the restoration of democracy in Haiti, Persian Gulf 
      security, and international crime control in his role as special assistant 
      to the president for global affairs. 
      
CNET News.com tracked down Clarke just before his speech at Microsoft's 
      Trusted Computing Conference to talk to the presidential adviser about the 
      proposal for a separate "Govnet," cyberterrorism, and how to protect the 
      Internet in a newly uncertain world.
      
Q: When you announced Govnet, it was a project that you had been 
      talking about for a while. Are you essentially saying that you can't 
      secure the Internet? 
A. No. What I am saying is that for some 
      federal agencies, they may want to put some of their mission-critical, 
      private communications--their intranet--onto a system that is not going to 
      be as subjected to viruses and worms, and not be subjected at all to 
      denial-of-service attacks. 
      
 Several government agencies have it 
      already to a limited degree. The Department of Energy has three national 
      laboratories on a private line. It is something that the government has in 
      the past gone away from because it was too expensive. I think we may be at 
      a time when we can return to that and not have it be too expensive. But it 
      is only for internal communications...and each agency that chooses to 
      participate would have its own LAN (local area network) and its own fiber. 
      So it's not for multiple-agency communications.
      
So it wouldn't be connecting two agencies together or various 
      government agencies?
No. It's not meant to replace the Internet. 
      The kind of system we have in mind is akin to what I have on my desk now. 
      I've got three PCs on my desk right now and one monitor. By using 
      Shift-F1, -F2, -F3, I switch between networks; two of those networks are 
      closed and the other is the Internet. 
      
The key is to make sure that your own network doesn't touch somebody 
      else's routers or a public switch. You can do a better job monitoring the 
      activity on the network because you can tell all your employees, "We will 
      be monitoring your activity on this net," and you have a higher standard 
      of security access. 
      
Including viruses?
A virus is unlikely to get onto a 
      closed-loop network like that as rapidly as it goes around the Internet. 
      It's still possible to get a virus on the (intranet), but it will be 
      hours, if not days, after it was loosed in the wild. During that time, you 
      are going to be able to filter the viruses out, develop an antivirus 
      program, change your antivirus files--and you will catch it. So there are 
      certain protections in terms of reliability and security that you get that 
      you wouldn't get on a public system. 
      
After Sept. 11 there has been a lot of focus on cybersecurity, even 
      though to my knowledge there has been no connection between what happened 
      and the Internet. So as we are talking about terrorists and people who 
      might want to attack the critical infrastructure, what does the United 
      States have to do to protect its information-technology 
      infrastructure?
 A number of things. And it's not 
      the kind of thing that you solve, and you've solved it. So we have to make 
      some long-term investments because this is a problem that is going to be 
      with us for a long time. Some investments won't bear fruit for a while. 
      Then there are some short-term investments.
      
I think the most critical thing we need to do is increase our 
      investments in training, education and awareness programs. That does two 
      things: One, it gives us more trained IT and security personnel. All of 
      our studies in the government and the private sectors say there is a 
      relative dearth compared to the real need. Where the awareness part gets 
      us is, the manager, system administrators and individuals who use systems 
      (should be)...conscious of the risks of not using good security practices, 
      (such as) not changing passwords, not updating their antivirus software, 
      not updating operating-system patches or application patches. Ninety 
      percent of the hacks on government systems occur because people haven't 
      updated the patches on their operating systems or applications. So we can 
      buy a lot in terms of the number of attacks by doing things like that. The 
      No. 1 priority is training, education and awareness. 
      
Anything else?
After that, we need to start thinking about 
      what the network is today and where the network will be in three to five 
      years. It's hard to affect security on systems that are already deployed 
      and don't have security built in. What we'd like to be able to do is work 
      with the industry and see where networks, hardware and software are going 
      over the next three to five years, and to begin to identify the potential 
      security vulnerabilities in these new systems and the evolving 
      systems--start working now to identify those vulnerabilities and fix them 
      before they go to market.