Who's to blame for security breaches? President Bush's cybersecurity czar says software makers and ISPs are among the five groups guilty of not doing enough to lock up the Internet.
Speaking to a thousand attendees at the annual Black Hat Security briefings here, Richard Clarke identified five specific groups responsible for the vulnerability and said that people who can secure the Internet must step up to the plate.
"There are a lot of people in our country that rely on cyberspace, who are not taking responsibility for securing their part of cyberspace," he said.
The speech, which precedes the Bush administration's rollout on Sept. 18 of the national strategy for critical infrastructure protection, outlined many of the issues that Clarke and others had to consider in constructing the new strategy.
The major issue, Clarke said, is that the companies and organizations that create the hardware, software and services that make up the Internet aren't doing enough to secure their products. In laying the blame for the vulnerabilities in the Internet, he pointed not only to software makers and ISPs, but also to those who create and use wireless networks, to the lack of a group responsible for securing the Internet, and to the government itself.
While he didn't outline the national strategy's recommendations, Clarke's list of the five groups shows whom the government is targeting with the new initiative.
Clarke reserved much of his harshest rhetoric for the software industry.
"The software industry has an obligation to do a better job producing software that works," he said. "It's no longer acceptable that we can buy software and run software on sensitive systems that is filled with glitches."
Clarke pointed to statistics published by the Computer Emergency Response Team (CERT) Coordination Center showing that the number of software vulnerabilities found by researchers has increased every year. The number of flaws found so far this year has already surpassed the total found in all of last year, he said.
He also said that while few firms acknowledged the incidents, nearly every major financial and banking company was hit hard by the Nimda virus last September. He cited damage figures of nearly $3 billion attributed to the virus.
He stressed, however, that the virus got into computers through vulnerabilities that were already known at the time.
"It's not because the vulnerabilities had not been identified (that Nimda spread), but because the patches had not been applied," he said.
He called on software makers to provide patches that are easy to install and that have been checked for compatibility with the major software applications used by most companies.
"That's why Nimda was so successful," he said. "Not because (the system administrators) didn't have a chance to put the patches on but because they wanted to test the patches themselves."
ISPs to step up
Internet service providers also have to be more security conscious, Clarke said. By selling broadband connectivity to home users without making security a priority, telecommunications companies, cable providers and ISPs have not only opened the nation's homes to attack, but also created a host of computers with fast connections that have hardly any security.
"Millions of houses are getting connected, which means that more and more are getting vulnerable," he said.
In a measure of how seriously he considers wireless networks to be undermining corporate and home-user security, Clarke put such networks in his top five of security offenders. Already, he said, the Department of Defense has ordered the shutdown of all wireless LANs in use within the department and in the various military forces.
"Companies throughout the country have networks that are wide open because of wireless LANs," he said.
Clarke also called on the government to drive more secure standards for the Internet and for the Net's gurus to form an organization responsible for the network's security.
Clarke likened the situation to Winston Churchill's early warnings of Germany's air force buildup prior to World War II that prepared Great Britain for the air war against Germany. He said that today's system administrators must do the same.
"You all have responsibility to be Winston Churchills, to be out there in front of anyone who will listen to say we are vulnerable," he told the attendees. "If a cyberwar comes, and come it will, we will be like the (Royal Air Force) and win."