Bush adviser: Terror a real threat to tech

The president's Net security chief says CEOs who are loath to spend on security should rethink their priorities, as the threat from online vandals pales next to potential cyberterrorism.

Robert Lemos, Staff Writer, CNET News.com
Robert Lemos covers viruses, worms and other security threats.

PALO ALTO, Calif.--The terrorist attacks of Sept. 11 may not have touched the Internet, but the incidents have put the high-tech industry on notice, President Bush's special adviser on cyberspace security said.

In his first speech since Sept. 11, Richard Clarke stressed Wednesday that the nuisance of online vandals and the occasional hacker should not be used as a yardstick to measure the threat of terrorism to cyberspace.

"Think not about the costs that have already occurred as a measure of what could occur," he told security experts, privacy advocates and policy-makers at a dinner here concluding the second day of Microsoft's Trusted Computing conference. "Our enemies are smart; they are not to be underestimated."

Clarke, who was appointed as an adviser to Bush in early October, also helped formulate policy under the Clinton administration, taking a large role in drafting the National Plan for Critical Infrastructure Protection.

As part of the Office of Homeland Security, Clarke now works to craft the nation's strategy for protecting critical parts of the Internet and government networks.

It's going to be a tough job, he said.

"Our information infrastructure is fragile," he said, "because we didn't build it to do the things that it is doing."

A lesson of Sept. 11, he said, is that critical networks aren't safe.

"Our enemies will use our technology against us," Clarke said. "They may not be able to build it, but they can understand it."

Priorities need to change

Both the industry and the government need to do more to protect the critical communications and control components of the Internet, he said. While there has been much talk about a public-private partnership for security, only modest gains have been made in further securing the Internet.

That has to change, said Clarke, adding that CEOs who are loath to spend money on security need to rethink their priorities.

"We now recognize that security costs money," he said. "Freedom isn't free, and neither is security."

Clarke also defended his Govnet proposals for a separate government channel of the Internet, saying the idea is not to replace the Internet but to create special intranets to serve critical government functions. The proposal for such networks drew concerns from security experts soon after a call for proposals was published.

"This doesn't mean that the government is abandoning the Internet," Clarke said. "Not at all."

Instead, critical functions such as air traffic control and manned space flight operations would travel over leased-line networks, much as they did before the Internet.

Though some experts have said that it would be difficult to completely separate networks--a government employee could always copy files between computers using a floppy disk--Clarke said that's not the point.

Instead, agencies using Govnet would have more time to react to quickly spreading worms and viruses, because any malicious data would have to be moved between separate computers, a policy known as an "air gap." Clarke himself has three different computers on his desk: one connected to the Internet and the other two to sensitive networks.

"Even air-gapped, closed-loop networks get viruses and worms," he said. "We know because we have air-gapped, closed-loop networks that have gotten viruses and worms. But they got them later."

The LoveLetter virus proved that point to the government when four systems in the Department of Defense were infected with the mass-mailing program last year.

Agencies that used a Govnet would not be connected to each other--only internally.

"It is not designed to replace the Internet," Clarke said. "It is not designed to be a silver bullet."

ID cards: No-go?

One security measure that Clarke didn't put much store in, however, was a proposal by some industry leaders, including Oracle CEO Larry Ellison, to create a national ID card.

Clarke said he could not name one official who supports the idea as proposed, though he said the administration does not yet have a formal position on the concept.

"Everyone I've talked to doesn't think it's a good idea," Clarke said.

The idea, raised since the Sept. 11 attacks, has drawn criticism from civil libertarians, who say it would violate individuals' privacy.

Despite those concerns, Oracle's Ellison was the first to push ID cards, suggesting that his company's database software should be used. Sun Microsystems CEO Scott McNealy was next, and earlier Wednesday, Siebel Systems announced "Homeland Security" software.

Clarke said it is not clear that the country needs to have a mandatory identity card but suggested there might be a use for credit card-size "smart cards" that contain data on microchips. Such cards could be used for specific actions such as boarding airplanes and crossing U.S. borders, he said.

"Not one national ID card that we force everybody to have," but multiple, voluntary cards that could improve the efficiency of activities, Clarke added.

Reuters contributed to this report.