http://www.siliconvalley.com/docs/news/svfront/clrkqa110301.htm Mercury News Friday, Nov. 2, 2001 President Bush last month named Richard Clarke to the newly created post of cyberspace-security adviser to the president. Clarke will report to both the Office of Homeland Security and national security adviser Condoleezza Rice. Clarke, who served as a White House counterterrorism adviser in two previous administrations, also will head a new federal cyber-security group, the Critical Infrastructure Protection Board, composed of members from 28 federal agencies. Clarke, currently in Silicon Valley to confer with tech industry leaders, met with the Mercury News on Thursday to discuss cyber-security threats and responses. This is an edited transcript of his remarks. Why are you here in the valley this week? I'm trying to meet with everyone from the big multinationals to some of the niche security companies and at least one little start-up, plus academics at Berkeley and Stanford. I'm telling them how the government's cyber-security structure is organized and asking them what they've seen and where they think we're going. I'm also inviting them to join us in drafting a national strategy to secure cyberspace. It's what can they do for us and what can we do for them. What was the state of awareness and preparedness on these issues prior to Sept. 11? Hasn't the federal government been building some effort to address strategic vulnerability for some time? The Clinton administration issued a plan in January of 2000. A perfectly nice plan, written by the government with some consultation with the private sector -- but not a lot. Prior to Sept. 11, although most sectors had some planning, there was also a lack of belief that this was a real threat. In the past, there was a belief that the kind of damage that could be done by non-state terrorists against us, or even nations, was a nuisance. We've never had a framework before where all activity on this issue is brought together. We had a myriad of committees and groups that, frankly, didn't report to anybody. Our goal is a single, unitary structure to produce a national strategy. That strategy is designed to be written in concert with the private sector. What are you telling companies they must do on their own behalf to meet cyber-terror threats? It's been a chicken-and-egg problem. Hardware and software vendors have said that there's no market for security. And then when you talk to the people doing the buying for the finance industry, for the electric-power industry, they say, `We know the value of security, but we can't find anything to buy that has security in it.' There's a lot of truth on both sides of the argument. Our message is: Sector by sector, the industries need to get together, establish best practices, and then work with vendors to get it. We knew from the Y2K experience that some structure for centralized threat reporting was really important. Do we have a system where we can see a virtual attack in real time? Not a sufficient one. What we have are a network of information centers for various sectors. The structure is there for individual companies who are seeing a problem to report it. What warning systems are in place for the government to efficiently get the word of a threat out? Do we need the Internet equivalent of radio's Emergency Broadcast System? The Internet needs more than it has. What it has now is the National Communications System, where a telecom carrier can send up a red flag very quickly. What we haven't done yet is set this up so that if there is, say, a major denial-of-service attack, we can get information out quickly to companies. Up until now, most hackers haven't had much of a political agenda or state sponsorship. Are we entering an era of hacking warfare supported by hostile nations? We're aware of a number of countries who are creating offensive information warfare units. And I can't prove it, but I suspect a lot of the activity we see on our networks today is reconnaissance by those units. Many tech companies are extremely reticent to report or acknowledge security breaches on their networks for fear of calling attention to weaknesses or making themselves a more prominent target. If the CIA or the NSA or any other government agency has already been compromised, would the government acknowledge it? To the extent that we do know what's happening, we are required to disclose and discuss it. There's no knowledge of a breach that we have that you don't have. But the problem is, how do you know there's been a breach? If they're really good, you will not know. You almost have to assume it's happened, even though you can't prove it. How far along are you with the plans for Govnet, a closed, secure federal network to parallel the Internet. Govnet is a concept right now. We've issued a request for information. The concept is a series of intranets for federal departments so that people in a particular department could talk securely to other people in that department. The agencies would be walled off from each other. What did we learn about the vulnerability of information infrastructure immediately after Sept. 11? Well, the telephone networks didn't do very well right after Sept. 11. Cellular phones all overloaded rapidly and there was no way for emergency personnel who needed cellular phones to get access. The Internet worked fine. What we're trying to do now is create a national system for emergency priority use on cell phones. - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Tue Nov 06 2001 - 04:01:33 PST