[ISN] Former White House cybersecurity czar calls for security audit standards

From: InfoSec News (isn@private)
Date: Tue Oct 21 2003 - 03:10:52 PDT


    http://www.computerworld.com/securitytopics/security/story/0,10801,86242,00.html
    
    Story by Matt Hamblen 
    OCTOBER 20, 2003 
    COMPUTERWORLD 
    
    LAKE BUENA VISTA, Fla. -- Former White House cybersecurity expert
    Richard Clarke yesterday urged stronger standards for security
    audits of U.S. companies, saying congressional action is needed.
    
    "The Securities and Exchange Commission thinks it can [require audits]
    under its existing authority, but what I'm predicting is it will be a
    very vague statement and there will be no real auditing against that
    standard," Clarke told reporters at the opening of Gartner Symposium
    ITxpo 2003 here. Clarke is now a private security consultant, serving
    as chairman of Good Harbor Consulting LLC in Arlington, Va. He joined
    Good Harbor in July.
    
    "You've got to have a relatively specific standard ... with some real
    probability that someone will show up at the door to audit. That will
    take a congressional act," he said.
    
    Clarke also said standards should encourage automatic audits, so
    network probes could quickly determine security levels, "instead of
    bringing in PriceWaterhouse for $500,000," to do the audit.
    
    Similar to banking audits, only 90% of what will be audited should be
    known, so companies won't prepare only for audits and nothing else, he
    said.
    
    Clarke, who resigned from his U.S. government cybersecurity role in
    January after serving in three administrations, made his comments
    after being asked about the security requirements of the
    Sarbanes-Oxley Act and the Health Insurance Portability and
    Accountability Act. Both federal mandates require companies to
    provide security certification. But "what do they certify, and who is
    going to say that they are wrong?" Clarke asked.
    
    He also criticized Homeland Security Secretary Tom Ridge's
    recommendations for security certification as ineffective. "Frankly,
    it was Tom Ridge's idea that there be a Y2k-like statement [about
    security protection steps] to the SEC, but if that happens, it is
    going to be at such a high level of aggregation that you are never
    going to know what it means," Clarke said.
    
    During year 2000 IT modifications, the SEC required Y2k certification
    by public companies. "We got away with that because it was a one-year
    trick, and you can trick people for one year," Clarke said. That Y2k
    certification was a "device" to get CIOs in front of their boards of
    directors to provide funds for date change fixes, he said.
    
    Asked if cybersecurity failures could have caused the power blackout
    in Canada and the Northeast in August, Clarke ticked off a string of
    power outages and attacks on energy systems globally in recent months,
    including the loss of power throughout Italy in September. "We don't
    know what caused any of these so far," he said. "We do know that Norway and
    Israel at least are saying there were cyber-hacking attempts to bring
    down the power grids in their countries.
    
    "If the Aug. 14 outage was not caused by a hack attack, could it have
    been?" Clarke said. "Could you bring down the power grid with a hack
    attack? I fully believe the answer is yes."
    
    Clarke also endorsed new technology from PGP Corp. in Palo Alto,
    Calif., and is expected to take part in a presentation on behalf of
    that company today at the symposium. PGP last month announced the
    first version of its Universal product, which is designed to
    automatically provide end-to-end e-mail security. The burden of
    protecting critical information resides on the network and not a
    user's desktop, reducing the security burden on end users, Clarke and
    company officials said.
    
    Generally, IT managers need to make security encryption as automatic
    as possible, he said. "The key here is whoever makes the decision to
    use encryption in the organization [so] that after that, it becomes
    automatic," Clarke said. "Establishing elaborate systems [for
    security] is a pain in the ass, frankly, and they require lots of
    people to run them, and that's why they don't work and why people
    don't do them."
    
    Clarke also noted a humorous personal problem with unsolicited
    commercial e-mail, saying that last week he got a spam from himself.  
    He said it was obviously because somebody or some program had spoofed
    his e-mail address and then sent the spam with his address back to
    him.
    
    Clarke said it would be "really easy" for e-mail users to start their
    personal "do not call" lists for e-mail by taking any of several
    programs now available to allow e-mail only from certain people, which
    could be combined with e-mail encryption to provide a private system.
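    The last two paragraphs describe a sender allow-list ("accept e-mail
    only from certain people") and, a paragraph earlier, the failure mode
    that defeats it: a spammer who forges the recipient's own address as
    the From header. The Python below is an added example, not code from
    the Computerworld story, from Clarke, or from PGP Corp. The three
    messages are constructed inline, the sender list and the shared key
    are hypothetical, and an HMAC over a shared secret stands in for the
    PGP signature the article alludes to (PGP is not in the standard
    library; the point is only that the check must be cryptographic, not
    a header string compare).

```python
"""Sender allow-list vs. From-header spoofing (added example, constructed data).

A filter that trusts the From header admits a forged message; a filter
that requires a valid signature over the body does not. The HMAC here is
a stand-in for the PGP signature mentioned in the article.
"""
import email
import hashlib
import hmac
from email.message import Message
from email.utils import parseaddr

# Hypothetical allow-list of correspondents (constructed for the example).
ALLOWED_SENDERS = {"alice@example.org", "richard@example.net"}

# Hypothetical shared secret agreed out of band between the correspondents.
SHARED_KEY = b"demo-key-not-for-production"
SIG_HEADER = "X-Demo-Signature"


def sign_body(key: bytes, body: str) -> str:
    """MAC over the message body; stands in for a PGP signature."""
    return hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()


def header_allowlist_passes(msg: Message, allowed: set) -> bool:
    """The 'only accept mail from these people' filter: trusts From as written."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.lower() in allowed


def signature_passes(msg: Message, key: bytes) -> bool:
    """Accept only if the body carries a valid MAC under the shared key."""
    sig = msg.get(SIG_HEADER)
    if sig is None:
        return False
    expected = sign_body(key, msg.get_payload())
    # Constant-time compare so the check itself leaks nothing about the MAC.
    return hmac.compare_digest(sig, expected)


def build_message(from_addr: str, to_addr: str, body: str, key: bytes = None) -> str:
    """Assemble a minimal RFC 822 message; sign the body when a key is given."""
    headers = [f"From: {from_addr}", f"To: {to_addr}", "Subject: test"]
    if key is not None:
        headers.append(f"{SIG_HEADER}: {sign_body(key, body)}")
    return "\n".join(headers) + "\n\n" + body


# Constructed samples, not real mail.
LEGIT = build_message("alice@example.org", "richard@example.net",
                      "Lunch tomorrow?", SHARED_KEY)
# The 'spam from himself' case: the spammer forges the recipient's own address.
SPOOFED = build_message("richard@example.net", "richard@example.net",
                        "BUY NOW", None)
# A signed message whose body was altered in transit.
TAMPERED = LEGIT.replace("Lunch tomorrow?", "Send money")


def classify(raw: str) -> dict:
    """Run both filters over one raw message and report each verdict."""
    msg = email.message_from_string(raw)
    return {
        "allowlist": header_allowlist_passes(msg, ALLOWED_SENDERS),
        "signed": signature_passes(msg, SHARED_KEY),
    }


if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("spoofed", SPOOFED), ("tampered", TAMPERED)):
        print(name, classify(raw))
```

    The forged message sails through the header allow-list because a From
    header is just text the sender chose; it is rejected only by the
    signature check, which is the "combined with e-mail encryption"
    half of Clarke's suggestion.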
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Tue Oct 21 2003 - 10:30:49 PDT