CNET también está disponible en español.

Ir a español

Don't show this again

Christmas Gift Guide
Tech Industry

The cyberterrorism czar: What's next?

Richard Clarke is responsible for finding weaknesses in the Net and making sure they aren't exploited. The good news: It's a familiar role. The bad news: Cybersecurity remains elusive.

Anyone following cybercrime may think the whole concept of "cyberterrorism" is an overhyped myth. With Web defacements and short denial-of-service attacks the norm, few fear a future attack from the Net.

But Richard Clarke, the newly appointed special adviser to the president for cybersecurity, is one of those few.

Leading the government's charge to secure critical components of the Internet, Clarke doesn't think the past is any indication of what might happen in the future. As more companies put increasingly important data on the Internet, Clarke thinks it's only a matter of time before an individual or group takes advantage of the United States' poor security.

That's why the secretary of homeland security, Thomas Ridge, appointed Clarke as the cyberterrorism czar, making him responsible for finding weaknesses in the Internet and ensuring they aren't exploited.

The role is a familiar one for Clarke, who served under President Clinton as the national coordinator for security, infrastructure protection and counterterrorism. On the National Security Council staff since 1992, he has handled the reform and reduction in the cost of U.N. peacekeeping, the restoration of democracy in Haiti, Persian Gulf security, and international crime control in his role as special assistant to the president for global affairs.

CNET News.com tracked down Clarke just before his speech at Microsoft's Trusted Computing Conference to talk to the presidential adviser about the proposal for a separate "Govnet," cyberterrorism, and how to protect the Internet in a newly uncertain world.

Q: When you announced Govnet, it was a project that you had been talking about for a while. Are you essentially saying that you can't secure the Internet?
A. No. What I am saying is that for some federal agencies, they may want to put some of their mission-critical, private communications--their intranet--onto a system that is not going to be as subjected to viruses and worms, and not be subjected at all to denial-of-service attacks.

It's hard to affect security on systems that are already deployed and don't have security built in. Several government agencies have it already to a limited degree. The Department of Energy has three national laboratories on a private line. It is something that the government has in the past gone away from because it was too expensive. I think we may be at a time when we can return to that and not have it be too expensive. But it is only for internal communications...and each agency that chooses to participate would have its own LAN (local area network) and its own fiber. So it's not for multiple-agency communications.

So it wouldn't be connecting two agencies together or various government agencies?
No. It's not meant to replace the Internet. The kind of system we have in mind is akin to what I have on my desk now. I've got three PCs on my desk right now and one monitor. By using Shift-F1, -F2, -F3, I switch between networks; two of those networks are closed and the other is the Internet.

The key is to make sure that your own network doesn't touch somebody else's routers or a public switch. You can do a better job monitoring the activity on the network because you can tell all your employees, "We will be monitoring your activity on this net," and you have a higher standard of security access.

Including viruses?
A virus is unlikely to get onto a closed-loop network like that as rapidly as it goes around the Internet. It's still possible to get a virus on the (intranet), but it will be hours, if not days, after it was loosed in the wild. During that time, you are going to be able to filter the viruses out, develop an antivirus program, change your antivirus files--and you will catch it. So there are certain protections in terms of reliability and security that you get that you wouldn't get on a public system.

After Sept. 11 there has been a lot of focus on cybersecurity, even though to my knowledge there has been no connection between what happened and the Internet. So as we are talking about terrorists and people who might want to attack the critical infrastructure, what does the United States have to do to protect its information-technology infrastructure?
Ninety percent of the hacks on government systems occur because people haven't updated the patches on their operating systems or applications. A number of things. And it's not the kind of thing that you solve, and you've solved it. So we have to make some long-term investments because this is a problem that is going to be with us for a long time. Some investments won't bear fruit for a while. Then there are some short-term investments.

I think the most critical thing we need to do is increase our investments in training, education and awareness programs. That does two things: One, it gives us more trained IT and security personnel. All of our studies in the government and the private sectors say there is a relative dearth compared to the real need. Where the awareness part gets us is, the manager, system administrators and individuals who use systems (should be)...conscious of the risks of not using good security practices, (such as) not changing passwords, not updating their antivirus software, not updating operating-system patches or application patches. Ninety percent of the hacks on government systems occur because people haven't updated the patches on their operating systems or applications. So we can buy a lot in terms of the number of attacks by doing things like that. The No. 1 priority is training, education and awareness.

Anything else?
After that, we need to start thinking about what the network is today and where the network will be in three to five years. It's hard to affect security on systems that are already deployed and don't have security built in. What we'd like to be able to do is work with the industry and see where networks, hardware and software are going over the next three to five years, and to begin to identify the potential security vulnerabilities in these new systems and the evolving systems--start working now to identify those vulnerabilities and fix them before they go to market. Can you offer an example?
I think wireless is a case in point. The banking and finance industries are working through their information-sharing and -analysis centers, creating a wireless security standard. I don't know how good the standard is, (but) from my perspective, that's what we want to have happen. Here's the private sector organizing itself--people who are going to define infrastructure owners and operations to create a standard, not government creating a standard. And that's always a good idea.

But then, infrastructure owners and operators are creating that standard and going to the vendors and saying, "If you are going to be manufacturing this, we want it this way. We are willing to pay for security." And that will allow us to get past this chicken-and-egg problem we had in the past where vendors of hardware and software went to the carriers and said (they) could offer security but no one wanted to pay for it.

There are ways--simple ways--that you can mitigate the risk...We can go a long way to reducing the potential of denial-of-service attacks without having to do very much. We talked to the owners and operators of the infrastructure, and they have said they would rather buy secure systems than buy security. We need to somehow get the two together, and examples like having an industry sector create a standard in time for it to be incorporated into a technology--that's the kind of thing we need.

There are a lot of bad practices going on right now. For instance, a lot of the risks associated with distributed denial-of-service attacks could be mitigated if every ISP used source-egress filtering (letting only a PC connected to the ISP's network send packets with that PC's Internet address). Is there anything the government can do to get the industry to adopt these measures?
There are ways--simple ways--that you can mitigate the risk. I think that both my office and DARPA (the Defense Advanced Research Projects Agency) are going to be cooperating in bringing together people who can do something about denial-of-service attacks. That's the carriers, and it's also vendors of routers. We can go a long way to reducing the potential of denial-of-service attacks without having to do very much.

And the role of service providers?
(We have to) get the ISPs to start worrying about it, and to use anti-spoofing techniques that are available to them now--get the ISPs to start doing screening for viruses and worms. Some of them are doing it, but not all of them are doing it. And if we can get the carriers to want functionality in the routers, which is there to a certain point already, we can address denial-of-service attacks. We can't stop them, but we can put a dent in the effects that most of them have. Between DARPA and my office, we have been having conversations like that.

With the Office of Homeland Security starting up now--and you analyzing where the threats are, as far as critical infrastructure--calling it "cyberterrorism" seems to be hyping up the reality of these attacks. But obviously, there is some risk from attack. Where do you see those risks coming from?
We have to differentiate from an attack that has already happened and the kind of attack that will come. As far as the Sept. 11 terrorism, (it) presents a certain level of threat (and) made us realize that terrorism presents a much bigger form of threat. There is a parallel trend in IT security. Up to now, IT security threats have been...affordable, for the most part. They are the cost of doing business in modern times. And some people are under the mistaken impression that that's all it is or all it could be.

It doesn't matter what the actors involved are--terrorists or nations. From our perspective, we don't worry about <i>when</i>; we worry about what they can do and start locking doors. I think the message that we have to send out is that it can be much greater. At the same time, the nuisance levels that we see are not the catastrophic threat for IT security. And it doesn't matter what the actors involved are--terrorists or nations. From our perspective, we don't worry about when; we worry about what they can do and start locking doors.

Do you think we need to have more than one vendor of software like operating systems to improve security? Does the government want to support open-source initiatives in order to have options?
I think we do have more than one vendor. I don't think we, the government, need to support open source. People do have a choice today in most markets. There are niches where there is dominance by one company, whether you are talking about operating systems or routers or database systems or chips. You will find a dominant player in those areas. But you have a choice.

We have to realize that there are dominant players in these pieces of the IT spectrum, and to work with those dominant players, because they have legacy systems that are out there and will remain out there. (We have to work) with them to ensure that they do all they can to provide security functionality, not only for their new product but for their old products as well.