[ISN] Net security chief leaves too many questions unanswered

From: InfoSec News (isnat_private)
Date: Wed Oct 16 2002 - 00:22:10 PDT


    By Hiawatha Bray
    Globe Staff

    When President Bush's Internet security chief Richard Clarke visits
    MIT on Wednesday, he'll probably receive a polite and courteous

    And that's a shame. Nothing against Clarke, mind you. He's saddled
    with the massive responsibility of protecting the nation's sensitive
    computer systems from attack by terrorists and criminals. It's a tough
    job and he deserves a sympathetic hearing. But we should also lob some
    hard questions his way, questions that go unanswered in the document
    that Clarke is coming to discuss.

    It's called ''The National Strategy to Secure Cyberspace.'' As an
    overview of the challenges involved, it's pretty good stuff. Download
    a copy at www.whitehouse.gov/pcipb, and see for yourself. As a road
    map for action, though, it's like a sip of weak tea. Imagine a World
    War II strategy document in which Eisenhower suggests that it might be
    nice to invade Normandy, and you'll get the general tone.

    ''There's nothing in there to offend anybody,'' said Mark Rasch, a
    former computer crime prosecutor for the Justice Department and now
    chief security counsel for Solutionary Inc., an Omaha computer
    security firm. ''They've just said, `Let's all hold hands and sing

    Hardly an appropriate attitude if the computer networks that drive our
    economy and our government are open to devastating attacks by the sort
    of thugs who killed thousands last year on Sept. 11. You'd think
    securing that infrastructure would be one of the nation's highest
    priorities. Surely high enough to justify at least a partial retreat
    from the administration's bias against government mandates and
    compulsion. But virtually every recommendation in the strategy report
    is voluntary, and the plan calls for ''regulation only in the face of
    a material failure of the market to protect the health, safety, or
    well being of the American people.''

    The administration has taken a very different tack on the question of
    war with Iraq. Bush is unwilling to wait until ''a material failure''
    of UN diplomacy results in a mushroom cloud over Tel Aviv or
    Washington. Why wait until enemy hackers black out our cities or shut
    down our airports?

    Besides, we've already given the free market a chance to stamp out
    hack attacks, viruses and the like. How's it doing? Just consider how
    many copies of the Klez virus you've received in the past month.
    Granted, if you're sensible enough to use antivirus software, Klez is
    no big deal. But millions of users don't bother, and they're the ones
    whose computers keep trying to infect everybody else's.

    If the threat came only from nuisance viruses, we could live with it.
    But what about the millions of home computer users connected to the
    Internet through high-speed, always-on connections? Each of these
    machines represents a possible way for malicious attackers to raid
    other, more sensitive systems. The White House strategy report warns
    against this, but to what effect? Computer security is like Oscar
    Wilde's opinion of socialism; it takes up too many evenings. Most
    people haven't the time, training or desire to get it right, and it'll
    take more than a lecture from Richard Clarke to close this security

    For that matter, the same problem occurs in corporations and even
    government agencies. With so many high-priority issues clamoring for
    attention, network security often gets nudged to the bottom of the
    list. That won't be helped by well-meaning, toothless sermonettes from
    1600 Pennsylvania Avenue.

    All this being said, it's hard to imagine much good coming from some
    monstrous new bureaucracy, riding herd on computer hardware and
    software makers, and users too, compelling us all to live under some
    strict and narrow standard of digital security. Such a system would
    likely smother under its own paperwork, even as it snuffed out the
    creative vitality of the nation's tech industries.

    What, then, shall we do? One of Rasch's ideas offers a glimmer of
    hope. Let's unleash the trial lawyers.

    Presently, the licenses for most computer software products absolve
    companies of liability for bugs or security flaws. ''There's no
    real economic incentive on the part of software manufacturers to make
    their products much more secure,'' Rasch noted. ''They don't bear the
    cost when it fails.''

    Maybe it's time to change that. Computer companies could be forced to
    modify their licenses to accept liability for security flaws that put
    their customers at risk. Once this is done, the free market in
    ambulance-chasing would take care of the rest. Suddenly, companies
    like Microsoft, which have habitually peddled untrustworthy products,
    would learn a new reverence for computer security.

    Obviously, this isn't a total solution. Network administrators and
    home hobbyists alike must still do their part. But there's little help
    in the banalities of Clarke's current plan, which in its lack of
    urgency reads as if it were written before 9/11.

    So a few tough questions are in order for Mr. Clarke. It might remind
    him that there's a war on.

    Hiawatha Bray can be reached at brayat_private
    ISN is currently hosted by Attrition.org
