[ISN] White House cybersecurity chief defines cyberthreat

From: InfoSec News (isnat_private)
Date: Sun Sep 08 2002 - 23:16:54 PDT


    SEPTEMBER 06, 2002

    Richard Clarke, chairman of the president's Critical Infrastructure
    Protection Board, recently spoke with Computerworld reporter Dan
    Verton about the nature and potential of the threat to the nation's
    critical infrastructure and what he sees as his biggest challenges
    with respect to national cybersecurity.

    Excerpts from the interview follow:

    Q: Can you briefly explain the cybersecurity threat for those who
    still may not be sure who or what the enemy is?

    A: There's a spectrum of threats out there, some of which we
    experience every day. That spectrum runs from [individuals] who simply
    vandalize Web pages to those who conduct nuisance denial-of-service
    attacks. That's on the low end, which is usually conducted by young
    hackers -- so-called script kiddies.

    In the middle, you have criminals who conduct fraud and industrial
    espionage online. The middle range of threats is usually carried out
    by organized crime, companies and also nation-states.

    On the high end, however, you face people who potentially could
    conduct attacks to destroy or stop things from working. At the high
    end, it's potentially nation-states or terrorist groups. These attacks
    could be conducted in isolation or in conjunction with a physical

    I think we have to anticipate that a smart opponent would use some of
    these asymmetric tactics against us. In the larger scenarios, the
    private sector would be the targets for attack, either by terrorist
    groups or nation-states because those groups would seek to disrupt the
    national economy.

    Q: What are the greatest challenges facing the private sector in terms
    of cybersecurity, particularly with respect to your mission of
    building an effective public-private partnership that can provide for
    a common defense?

    A: The first problem we've always had was awareness. However, the
    awareness problem has diminished greatly for two reasons. People in
    boardrooms asked themselves after Sept. 11, "How secure is our
    company?" Also, there have been a lot of cyberattacks, which have
    doubled in the last year.

    The second problem facing companies is determining what is a good
    product, who's a good service provider and what they should be asking
    for. Most people think the first thing to do is to run out and buy a
    firewall or an intrusion detection system. But that doesn't even begin
    to solve your problems. You need to have a continuous process of
    looking for vulnerabilities and you need to have a layered defense. We
    passed the 2,000 mark a few months ago in terms of known
    vulnerabilities that we have to deal with.

    Q: What are the key obstacles that government agencies -- federal,
    state and local -- have to overcome before a national cybersecurity
    plan can truly be effective?

    A: Part of the problem facing the state and local level is revenue.
    Almost every state is running a deficit. For them to initiate new
    programs is difficult right now. The states also have a difficult time
    retaining trained cybersecurity expertise.

    At the federal level, the president has asked Congress for $4.5
    billion to secure federal IT systems. That's a 64% increase. In fiscal
    years 2004 through 2006, the government will spend nearly $20 billion
    on IT security. That's a major commitment.

    Q: Are you satisfied with the level of effort expended to date at the
    regional infrastructure level by the various levels of government and
    the private sector?

    A: I'm never satisfied. I'm feeling good about the federal
    government's own activities and that major sectors of the private
    sector are taking action. For example, the banking and finance sector
    is doing a great deal; the electric power grid is for the first time
    thinking about encryption; and the IT sector itself is beginning to
    talk about quality software development and making security a design
    criteria. Companies like Oracle [Corp.], Sun [Microsystems Inc.],
    Microsoft [Corp.] and Cisco [Systems Inc.] are leading that effort. IT
    security is also a top issue in the private sector.

    We also are looking for input from small and medium-size IT companies.
    A lot of good ideas are found in the garage, as [Hewlett-Packard Co.]
    discovered. We've proactively sought them out and met with them

    Q: You recently said that although the government has no plans to
    regulate cybersecurity, there is a middle ground between regulation
    and doing nothing. Can you clarify what that means for the private
    companies that own and operate the networks and systems that make up
    our national information infrastructure?

    A: There are laws already on the books, such as HIPAA [Health
    Insurance Portability and Accountability Act] and the Banking
    Modernization Act, that already have provisions to protect privacy
    information and generally require IT security measures. We're not
    going to propose additional regulations. But where there are already
    regulations pertaining to IT security, we'll be working with the
    regulators to help them develop regulations that make sense.
    Industries can also regulate themselves. For example, the banking
    industry is creating [its] own standards. That's happening in the
    electric power industry as well. We'd like to see that happen
    elsewhere in industry.

    Q: Does the White House have any important initiatives under way or
    planned, other than the upcoming release of the national plan?

    A: The national plan is the major focus, and that will be released at
    a ceremony in the Silicon Valley on Sept. 18. We are also seriously
    considering expanding the Defense Department's IT acquisition policy
    [which requires all IT acquisitions to be tested for security prior to
    purchase] to all of government.
