[ISN] Computer Czar Issues Warning

From: InfoSec News (isnat_private)
Date: Wed Feb 20 2002 - 00:17:14 PST

  • Next message: InfoSec News: "[ISN] Alleged Hacker Charged In Australia"

    By Matthew Fordahl
    AP Technology Writer
    Tuesday, February 19, 2002; 7:18 PM 
    SAN JOSE, Calif. -- Much like the airline industry before Sept. 11,
    high-tech companies, customers and government agencies are well aware
    of security vulnerabilities but are reluctant to pay to fix them,
    President Bush's top computer security adviser said Tuesday.
    It's just a matter of time before terrorists use those flaws to launch
    a cyberspace equivalent of the Sept. 11 attacks on critical national
    infrastructure such as the electricity grid, said Richard Clarke, the
    Bush administration's cyber security czar.
    "They will look for the seams. They will look to where our
    infrastructure is fragile," he said during the RSA Conference, the
    world's largest gathering of computer security experts. "Our
    infrastructure is fragile."
    Clarke said the airlines had known for years about weaknesses in the
    industry's security mechanisms but chose not to address them. There
    was no intelligence suggesting an attack might occur, and nobody
    wanted to shoulder the cost or risk inconveniencing passengers.
    "This industry runs the same risks as the aviation industry," he said.  
    "For years, people in the aviation industry knew there were security
    vulnerabilities - big ones. They convinced each other and themselves
    that those vulnerabilities would never be used against the industry or
    against the country."
    After all, no hijackings had occurred for decades in the United States
    before Sept. 11. As a result, no one wanted to pay to explore how
    vulnerabilities might be exploited, he said.
    But the information technology industry must work quickly and not
    dwell on the past. Scenarios must be modeled and everyone  including
    government, businesses and other customers - must work together and
    share the costs.
    President Bush is proposing a 64 percent increase in spending for
    computer and network security, from $2.7 billion in fiscal year 2002
    to $4.2 billion in fiscal year 2003.
    RSA Conference organizers, who have been quick to criticize government
    security initiatives in previous years, agreed with Clarke's comments
    and many of the new post-Sept. 11 measures.
    "Today, the threats to the critical infrastructure are no longer
    theoretical," said Jim Bidzos, chairman of the one-week conference.
    Bruce Heiman, an attorney and executive director of Americans for
    Computer Privacy, also said he could not disagree with much of
    Clarke's speech but said a balance must be struck between security and
    Clarke's proposal for government-industry cooperation, for instance,
    could work well as long as it remains voluntary. Still, Heiman asked,
    what would happen in the aftermath of a real cyber attack?
    "If exhortation fails, regulation can't be far behind," he said.
    Despite the government's voluntary approach so far, Heiman fears
    government could indirectly force technology standards on the industry
    if businesses can't agree on their own.
    Heiman also questioned Clarke's suggestion that the government form
    its own private network called GOVNET so as to escape the problems of
    the Internet.
    "Is that approach just throwing up your hands?" Heiman said. "GOVNET
    says we can't make it secure - we will just have our own system."
    Clarke, who has served under every president since Ronald Reagan, was
    picked in October to advise the government and private businesses on
    cyber security issues. In his talk Tuesday, he said the government is
    a model of how not to address cyber security.
    Clarke also suggested moving away from connecting everything to the
    Internet. He said details of the nation's air traffic control system
    could be made available to Web surfers in the Middle East.
    Unless action is taken soon, the information technology industry will
    suffer the same fate as the aviation industry, he said.
    "The vulnerabilities are too well known for someone not use them in a
    big way that make Nimda and Code Red look like small fries," Clarke
    said of two worms, which last year tied up Internet traffic worldwide
    by exploiting well-known software vulnerabilities.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Wed Feb 20 2002 - 03:36:35 PST