http://www.boston.com/dailyglobe2/287/business/Net_security_chief_leaves_too_many_questions_unanswered+.shtml

By Hiawatha Bray, Globe Staff, 10/14/2002

When President Bush's Internet security chief Richard Clarke visits MIT on Wednesday, he'll probably receive a polite and courteous response. And that's a shame.

Nothing against Clarke, mind you. He's saddled with the massive responsibility of protecting the nation's sensitive computer systems from attack by terrorists and criminals. It's a tough job and he deserves a sympathetic hearing. But we should also lob some hard questions his way, questions that go unanswered in the document that Clarke is coming to discuss.

It's called "The National Strategy to Secure Cyberspace." As an overview of the challenges involved, it's pretty good stuff. Download a copy at www.whitehouse.gov/pcipb and see for yourself. As a road map for action, though, it's like a sip of weak tea. Imagine a World War II strategy document in which Eisenhower suggests that it might be nice to invade Normandy, and you'll get the general tone.

"There's nothing in there to offend anybody," said Mark Rasch, a former computer crime prosecutor for the Justice Department and now chief security counsel for Solutionary Inc., an Omaha computer security firm. "They've just said, 'Let's all hold hands and sing Kumbaya.'"

Hardly an appropriate attitude if the computer networks that drive our economy and our government are open to devastating attacks by the sort of thugs who killed thousands last year on Sept. 11. You'd think securing that infrastructure would be one of the nation's highest priorities. Surely high enough to justify at least a partial retreat from the administration's bias against government mandates and compulsion.
But virtually every recommendation in the strategy report is voluntary, and the plan calls for "regulation only in the face of a material failure of the market to protect the health, safety, or well being of the American people."

The administration has taken a very different tack on the question of war with Iraq. Bush is unwilling to wait until "a material failure" of UN diplomacy results in a mushroom cloud over Tel Aviv or Washington. Why wait until enemy hackers black out our cities or shut down our airports?

Besides, we've already given the free market a chance to stamp out hack attacks, viruses and the like. How's it doing? Just consider how many copies of the Klez virus you've received in the past month. Granted, if you're sensible enough to use antivirus software, Klez is no big deal. But millions of users don't bother, and they're the ones whose computers keep trying to infect everybody else's.

If the threat came only from nuisance viruses, we could live with it. But what about the millions of home computer users connected to the Internet through high-speed, always-on connections? Each of those machines, once compromised, is a staging point from which an attacker can raid other, more sensitive systems while hiding behind someone else's address. The White House strategy report warns against this, but to what effect?

Computer security is like Oscar Wilde's opinion of socialism; it takes up too many evenings. Most people haven't the time, training or desire to get it right, and it'll take more than a lecture from Richard Clarke to close this security loophole.

For that matter, the same problem occurs in corporations and even government agencies. With so many high-priority issues clamoring for attention, network security often gets nudged to the bottom of the list. That won't be helped by well-meaning, toothless sermonettes from 1600 Pennsylvania Avenue.
All this being said, it's hard to imagine much good coming from some monstrous new bureaucracy, riding herd on computer hardware and software makers, and users too, compelling us all to live under some strict and narrow standard of digital security. Such a system would likely smother under its own paperwork, even as it snuffed out the creative vitality of the nation's tech industries.

What, then, shall we do? One of Rasch's ideas offers a glimmer of hope. Let's unleash the trial lawyers.

Presently, the licenses for most computer software products absolve companies of liability for bugs or security flaws. "There's no real economic incentive on the part of software manufacturers to make their products much more secure," Rasch noted. "They don't bear the cost when it fails."

Maybe it's time to change that. Computer companies could be forced to modify their licenses to accept liability for security flaws that put their customers at risk. Once this is done, the free market in ambulance-chasing would take care of the rest. Suddenly, companies like Microsoft, which have habitually peddled untrustworthy products, would learn a new reverence for computer security.

Obviously, this isn't a total solution. Network administrators and home hobbyists alike must still do their part. But there's little help in the banalities of Clarke's current plan, which in its lack of urgency reads as if it were written before 9/11. So a few tough questions are in order for Mr. Clarke. It might remind him that there's a war on.

Hiawatha Bray can be reached at brayat_private