[ISN] The cyberterrorism czar: What's next?

From: InfoSec News (isnat_private)
Date: Wed Nov 14 2001 - 07:22:26 PST

    Forwarded from: Justin Lundy <jblat_private>
    
    http://news.cnet.com/news/0-1014-201-7853990-0.html
    
    The cyberterrorism czar: What's next? 
    By Robert Lemos
    Special to CNET News.com
    November 13, 2001, 4:00 a.m. PT
    
    Anyone following cybercrime may think the whole concept of
    "cyberterrorism" is an overhyped myth. With Web defacements and short
    denial-of-service attacks the norm, few fear a future attack from the
    Net.
    
    But Richard Clarke, the newly appointed special adviser to the
    president for cybersecurity, is one of those few.
    
    Leading the government's charge to secure critical components of the
    Internet, Clarke doesn't think the past is any indication of what
    might happen in the future. As more companies put increasingly
    important data on the Internet, Clarke thinks it's only a matter of
    time before an individual or group takes advantage of the United
    States' poor security.
    
    That's why the secretary of homeland security, Thomas Ridge, appointed
    Clarke as the cyberterrorism czar, making him responsible for finding
    weaknesses in the Internet and ensuring they aren't exploited.
    
    The role is a familiar one for Clarke, who served under President
    Clinton as the national coordinator for security, infrastructure
    protection and counterterrorism. On the National Security Council
    staff since 1992, he has handled the reform and reduction in the cost
    of U.N. peacekeeping, the restoration of democracy in Haiti, Persian
    Gulf security, and international crime control in his role as special
    assistant to the president for global affairs.
    
    CNET News.com tracked down Clarke just before his speech at
    Microsoft's Trusted Computing Conference to talk to the presidential
    adviser about the proposal for a separate "GovNet," cyberterrorism,
    and how to protect the Internet in a newly uncertain world.
    
    Q: When you announced GovNet, it was a project that you had been
    talking about for a while. Are you essentially saying that you can't
    secure the Internet?
     
    A. No. What I am saying is that for some federal agencies, they may
    want to put some of their mission-critical, private
    communications--their intranet--onto a system that is not going to be
    as subjected to viruses and worms, and not be subjected at all to
    denial-of-service attacks.
    
    Several government agencies have it already to a limited degree. The
    Department of Energy has three national laboratories on a private
    line. It is something that the government has in the past gone away
    from because it was too expensive. I think we may be at a time when we
    can return to that and not have it be too expensive. But it is only
    for internal communications...and each agency that chooses to
    participate would have its own LAN (local area network) and its own
    fiber. So it's not for multiple-agency communications.
    
    So it wouldn't be connecting two agencies together or various
    government agencies?
    
    No. It's not meant to replace the Internet. The kind of system we have
    in mind is akin to what I have on my desk now. I've got three PCs on
    my desk right now and one monitor. By using Shift-F1, -F2, -F3, I
    switch between networks; two of those networks are closed and the
    other is the Internet.
    
    The key is to make sure that your own network doesn't touch somebody
    else's routers or a public switch. You can do a better job monitoring
    the activity on the network because you can tell all your employees,
    "We will be monitoring your activity on this net," and you have a
    higher standard of security access.
    
    Including viruses?
    
    A virus is unlikely to get onto a closed-loop network like that as
    rapidly as it goes around the Internet. It's still possible to get a
    virus on the (intranet), but it will be hours, if not days, after it
    was loosed in the wild. During that time, you are going to be able to
    filter the viruses out, develop an antivirus program, change your
    antivirus files--and you will catch it. So there are certain
    protections in terms of reliability and security that you get that you
    wouldn't get on a public system.
    
    After Sept. 11 there has been a lot of focus on cybersecurity, even
    though to my knowledge there has been no connection between what
    happened and the Internet. So as we are talking about terrorists and
    people who might want to attack the critical infrastructure, what does
    the United States have to do to protect its information-technology
    infrastructure?
    
    A number of things. And it's not the kind of thing that you solve, and
    you've solved it. So we have to make some long-term investments
    because this is a problem that is going to be with us for a long time.
    Some investments won't bear fruit for a while. Then there are some
    short-term investments.
    
    I think the most critical thing we need to do is increase our
    investments in training, education and awareness programs. That does
    two things: One, it gives us more trained IT and security personnel.
    All of our studies in the government and the private sectors say there
    is a relative dearth compared to the real need. Where the awareness
    part gets us is, the manager, system administrators and individuals
    who use systems (should be)...conscious of the risks of not using good
    security practices, (such as) not changing passwords, not updating
    their antivirus software, not updating operating-system patches or
    application patches. Ninety percent of the hacks on government systems
    occur because people haven't updated the patches on their operating
    systems or applications. So we can buy a lot in terms of the number of
    attacks by doing things like that. The No. 1 priority is training,
    education and awareness.
    
    Anything else?
    
    After that, we need to start thinking about what the network is today
    and where the network will be in three to five years. It's hard to
    affect security on systems that are already deployed and don't have
    security built in. What we'd like to be able to do is work with the
    industry and see where networks, hardware and software are going over
    the next three to five years, and to begin to identify the potential
    security vulnerabilities in these new systems and the evolving
    systems--start working now to identify those vulnerabilities and fix
    them before they go to market.
    
    
    -- 
    "Paper money eventually returns to its intrinsic value - zero." -Voltaire       
    HTTP: www.subterrain.net/~jbl/ % GPG key: www.subterrain.net/~jbl/jbl.gpg       
    %% GPG key fingerprint: 7F63 6DF4 B2F8 31F7 5219 8E0B 602F C8C8 D77E FFDF
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    


