[ISN] Adviser enlists support to fight cyber-attacks

From: InfoSec News (isnat_private)
Date: Tue Nov 06 2001 - 01:53:44 PST

    http://www.siliconvalley.com/docs/news/svfront/clrkqa110301.htm
    
    Mercury News 
    Friday, Nov. 2, 2001 
    
    President Bush last month named Richard Clarke to the newly created
    post of cyberspace-security adviser to the president. Clarke will
    report to both the Office of Homeland Security and national security
    adviser Condoleezza Rice.
    
    Clarke, who served as a White House counterterrorism adviser in two
    previous administrations, also will head a new federal cyber-security
    group, the Critical Infrastructure Protection Board, composed of
    members from 28 federal agencies.
    
    Clarke, currently in Silicon Valley to confer with tech industry
    leaders, met with the Mercury News on Thursday to discuss
    cyber-security threats and responses. This is an edited transcript of
    his remarks.  
    
    Why are you here in the valley this week?
    
    I'm trying to meet with everyone from the big multinationals to some
    of the niche security companies and at least one little start-up, plus
    academics at Berkeley and Stanford. I'm telling them how the
    government's cyber-security structure is organized and asking them
    what they've seen and where they think we're going. I'm also inviting
    them to join us in drafting a national strategy to secure cyberspace.
    It's what can they do for us and what can we do for them.
    
    What was the state of awareness and preparedness on these issues prior
    to Sept. 11? Hasn't the federal government been building some effort
    to address strategic vulnerability for some time?
    
    The Clinton administration issued a plan in January of 2000. A
    perfectly nice plan, written by the government with some consultation
    with the private sector -- but not a lot. Prior to Sept. 11, although
    most sectors had some planning, there was also a lack of belief that
    this was a real threat. In the past, there was a belief that the kind
    of damage that could be done by non-state terrorists against us, or
    even nations, was a nuisance.
    
    We've never had a framework before where all activity on this issue is
    brought together. We had a myriad of committees and groups that,
    frankly, didn't report to anybody. Our goal is a single, unitary
    structure to produce a national strategy. That strategy is designed to
    be written in concert with the private sector.
    
    What are you telling companies they must do on their own behalf to
    meet cyber-terror threats?
    
    It's been a chicken-and-egg problem. Hardware and software vendors
    have said that there's no market for security. And then when you talk
    to the people doing the buying for the finance industry, for the
    electric-power industry, they say, `We know the value of security, but
    we can't find anything to buy that has security in it.' There's a lot
    of truth on both sides of the argument. Our message is: Sector by
    sector, the industries need to get together, establish best practices,
    and then work with vendors to get it.
    
    We knew from the Y2K experience that some structure for centralized
    threat reporting was really important. Do we have a system where we
    can see a virtual attack in real time?
    
    Not a sufficient one. What we have is a network of information
    centers for various sectors. The structure is there for individual
    companies who are seeing a problem to report it.
    
    What warning systems are in place for the government to efficiently
    get the word of a threat out? Do we need the Internet equivalent of
    radio's Emergency Broadcast System?
    
    The Internet needs more than it has. What it has now is the National
    Communications System, where a telecom carrier can send up a red flag
    very quickly. What we haven't done yet is set this up so that if there
    is, say, a major denial-of-service attack, we can get information out
    quickly to companies.
    
    Up until now, most hackers haven't had much of a political agenda or
    state sponsorship. Are we entering an era of hacking warfare supported
    by hostile nations?
    
    We're aware of a number of countries who are creating offensive
    information warfare units. And I can't prove it, but I suspect a lot
    of the activity we see on our networks today is reconnaissance by
    those units.
    
    Many tech companies are extremely reticent to report or acknowledge
    security breaches on their networks for fear of calling attention to
    weaknesses or making themselves a more prominent target. If the CIA or
    the NSA or any other government agency has already been compromised,
    would the government acknowledge it?
    
    To the extent that we do know what's happening, we are required to
    disclose and discuss it. There's no knowledge of a breach that we have
    that you don't have. But the problem is, how do you know there's been
    a breach? If they're really good, you will not know. You almost have
    to assume it's happened, even though you can't prove it.
    
    How far along are you with the plans for Govnet, a closed, secure
    federal network to parallel the Internet?
    
    Govnet is a concept right now. We've issued a request for information.
    The concept is a series of intranets for federal departments so that
    people in a particular department could talk securely to other people
    in that department. The agencies would be walled off from each other.
    
    What did we learn about the vulnerability of information
    infrastructure immediately after Sept. 11?
    
    Well, the telephone networks didn't do very well right after Sept. 11.
    Cellular phones all overloaded rapidly and there was no way for
    emergency personnel who needed cellular phones to get access. The
    Internet worked fine. What we're trying to do now is create a national
    system for emergency priority use on cell phones.
    
    
    