IP: Interesting Clarke interview in case you missed it

[David Farber <dave () farber net>]

> Richard Clarke's New Team
> by Bara Vaida
>
> Howard Schmidt, Microsoft's chief security officer, is expected to leave
> within the next month to join the Bush administration and work with White
> House cyber-security adviser Richard Clarke, according to sources in the
> computer-security industry.
> Mark Sachs, a U.S. Army major who is an operations analyst at the Joint
> Task Force for Computer Network Operations, also expected to join Clarke's
> team. The task force Sachs currently works for oversees the Pentagon's
> global information systems, sources said.
> Clarke was named last month to head a new White House Office of Cyberspace
> Security that is to focus on developing a plan for protecting the nation's
> critical infrastructure
>
> Transcript: Clarke Talks Cyber Security
>
> Bara Vaida, a senior writer with National Journal's Technology Daily,
> interviewed White House cyber-security adviser Richard Clarke before the
> Thanksgiving holiday last week. Below are excerpts from that
> question-and-answer session:
>
> BV: Since today is the deadline for Govnet proposals, can you tell me
> whether any patterns have emerged and how many [companies] have sent in
> proposals?
>
> RC: I don't see them. They go into the General Services Administration,
> which runs the federal telecommunications system. ... [W]e have put
> together an interagency team of experts to evaluate them, and that will
> take about two months to do that.
>
> BV: So you have no idea as of yet?
>
> RC: No. I do know that 152 companies came to the [request-for-information]
> meeting, and [government officials] did over 70 one-on-one meetings.
>
> BV: Critics of Govnet have asked, "Why does this system need to be built?
> Why not use virtual private networks, or why not use the Defense
> Department's system?"
>
> RC: We have virtual private networks already. ... All a virtual private
> network is is a tunnel through the Internet. It goes through the same
> routers and switches that every other communication does, and those routers
> and switches are vulnerable to denial-of-service attacks, as well as to
> viruses and worms.
> The neat thing about a closed loop that doesn't touch the Internet is [that
> it is] likely to be invulnerable to denial-of-service attack. Now you can
> still possibly get a virus, but it is much easier to deal with a virus on a
> network because our experience is that viruses occur there about 5 percent
> of the time, and they occur there a day or two later than they occur on the
> Internet. ...
> The other question you had: Why don't we just use the Defense Department
> system? We could. I think it is better to have multiple systems that give
> you more redundancy and survivability. What we are trying to get away from
> is putting all your eggs in one basket, and right now with the Internet,
> all of our eggs are in one basket.
>
> BV: How would you be able to share information across agencies?
>
> RC: Using the Internet.
>
> BV: But then how do you get the information to the secure network?
>
> RC: You don't. The secure network is only for corporate intranet purposes.
> Almost every agency and every big company has an intranet. What Govnet is
> is a vehicle to carry government agencies' intranets. ... All I'm proposing
> is that federal agencies' intranets be made more secure and reliable by
> running them on fiber that doesn't touch the Internet routers. ...
>
> BV: What about cross-government secure information? Right now, secure
> information can't be sent across agencies.
>
> RC: You can already. Look, I have e-mail from the CIA, FBI, Defense. ...
>
> BV: But why is there this perception that agencies aren't sharing
> information and that it is difficult to do so?
>
> RC: That is a perception among people who aren't in the agencies -- more of
> the old saws of criticism, which may have been true five years ago. But
> criticisms never die, even when the facts change.
>
> BV: Previously, your title was head of counter-terrorism and critical
> infrastructure. How much time were you able to devote to cyber security?
>
> RC: It varied enormously depending on what was going on in cyber security
> and what was going on in terrorism, but there was never any normal day or
> week. ... I would say probably about 25 or 30 percent of my time was on
> cyber security. Now being able to do 100 percent of my time on cyber
> security will make a difference I hope.
>
> BV: What are you building on from that 30 percent?
>
> RC: Well, a number of things. We created the ISACs [information sharing and
> analysis centers]; we developed the national strategy that we issued last
> year. We have ISACs now in banking, railroads, telephones, IT, electric
> power. We started the cyber-corps scholarship program.
>
> BV: In the past month, what have you developed besides Govnet?
>
> RC: ... We have started the process on cell-phone emergency priority. One
> of the things we learned on [the terrorist attacks of] 9/11 was that while
> we have an emergency priority system for landlines, we don't have one for
> cell phones. I think we are spending $60 million this year, and we will
> begin it in three cities in 90 days, and we'll bring it nationwide by the
> end of the year.
> The major initiative, though, is the new Bush national strategy [on cyber
> security], and the difference between that and the Clinton national plan is
> significant. The Clinton national plan was written by a bunch of
> bureaucrats, and it was a coffee-table book. It was a document that came
> out at a fixed point of time. The Bush national strategy will be different
> in a number of respects.
> First of all, it will be written by the stakeholders. ... There will be
> several chapters written by those industries and those stakeholders
> themselves. The other significant difference is that it won't be a thick
> coffee-table book. It will be a cyberspace document ... and the virtue of
> that is it is modular and the modules can change at any time, not on an
> annual basis, or when you get enough money to publish another version. The
> modules will change based on the changes in the threat, changes in the
> technology and new ideas that come along or recognition that the ideas we
> are pursuing have failed. It will be much more of a living document. ...
>
> BV: One of the ideas you proposed during the Clinton administration was
> FIDNet [Federal Intrusion Detection Network], which was controversial. What
> did you learn from that experience?
>
> RC: I learned that civil liberties groups don't read what we write. The
> critics of that program defined it on their own without any relationship of
> the definition we gave to it, and then they attacked it. And if it were
> what they said it was, I'd have attacked it, too. It was a rather simple
> concept, which the Defense Department has already implemented, and no one
> has attacked that. It was the notion of taking all the intrusion-detection
> systems that are deployed by the federal government and creating a database
> about what they are recording. ... Who is trying to make these intrusions?
> ... What time of the day? What day of the week? What technique do they use?
> What vulnerabilities do they go after? What sites are they interested in?
> So [Defense] is now able to do all of that kind of analysis. ... We can't
> do it across all civilian agencies yet. ...
>
> BV: Do you plan to revive that idea again? ...
>
> RC: Yeah, at some date. It's not among my top five priorities, but I do
> think it is something we need to do and hopefully we'll get around to doing
> it.
>
> BV: Can you help me better understand the structure of your office?
>
> RC: For the first time, we have one board [the White House Critical
> Infrastructure Protection Board] within the government that has ... a
> mandate to know everything and see everything that any agency is doing, or
> any subcommittee or subordinate organization in the area of cyber security,
> and all of the existing committees were either abolished or subordinated to
> the board. So I think the problems we've had in the past, where people were
> going off in different directions and not knowing what other people were
> doing, should relatively soon come to an end. ...
> If someone is tasked in the area of incident response and public outreach,
> the board will give that task to head of NIPC [the FBI's National
> Infrastructure Protection Center] or CIAO [the Commerce Department's
> Critical Infrastructure Assurance Office], and they will be accountable for
> accomplishing that mission. ... And if they are unable to accomplish that
> mission because they don't get cooperation from some other federal
> component ... then the board solves that problem.
>
> BV: So in the past there was no institutional way of doing things?
>
> RC: No institutional way of accountability, no institutional way of
> reporting an issue up chain for higher-level decisions. This is a structure
> that is fairly unique in government, and it is one born of a lot of
> experience in interagency process. It allows us to have personal
> accountability so when something doesn't happen, we know whom to look to.
>
> BV: Well, that reminds me of you saying that you agreed the government
> deserved failing grades for computer security. And you said the best way to
> solve that is to enforce the law. Who is responsible for that?
>
> RC: OMB. ... I think you'll see Mark Forman [the associate director for
> e-government and information technology at the White House Office of
> Management and Budget] has a lot of ideas about how to do that for the
> first time, and I think you'll see a lot of progress in the first year. ...
>
> BV: Is that a money problem or an organizational problem?
>
> RC: It is both. I think most agencies don't put enough money into IT at
> large, let alone for IT security. But even those that do want to do the
> right thing often don't know what the right thing is. So what we are going
> to try to do is set up a system so the standards are more clear, and we'll
> need to reach out to the experience of other agencies and experience of the
> private sector on this.
>
> BV: What do you think of the top things that Congress can do?
>
> RC: The first thing we want them to do is to amend the Freedom of
> Information Act. Sen. [Robert] Bennett has legislation. ...
>
> BV: What are the chances of it passing?
>
> RC: I have no idea, but we certainly wish him every bit of support.
>
> BV: Any other legislation?
>
> RC: Not yet. We are looking at a number of initiatives that we may announce
> in January or February. The only other thing that is currently on the Hill
> that we like a lot is that Sen. [Pete] Domenici has a piece of legislation
> that would create a national simulation center. ... We want to model the
> interactions and the interdependencies between the Internet, the telephone
> networks, the electric power grid, the gas pipelines. ... [W]e need an
> 'acupuncture lab' of the U.S. ... [In acupuncture], you put a needle in one
> part of the body, and the other part of the body hurts or gets better. I
> think the U.S. is like that too, where you put pressure on a tunnel in
> Baltimore, a fire in a tunnel, and the Internet slows in Minnesota. We need
> to know where those pressure points are and what part of the national body
> it effects, and we don't know that now.
>
> BV: Anything else Congress can do or not do?
>
> RC: Well, I'm sure there is. One thing we have been pretty consistent about
> telling them not to do is, "Don't try to regulate the Internet. Don't try
> to regulate IT security." ... IT almost by definition moves too fast for
> anyone to write regulations that could keep up with it. We don't want
> awkward and clunky government interference. We want to do this in
> partnership with the private sector, through persuasion and market forces. ...
>
> BV: The Council of Europe [cyber-crime treaty] we are signing on Friday: Do
> you know if Congress will have to pass new legislation to comply?
>
> RC: I don't know, I'll call Paul Kurtz, director for transnational threats.
>
> BV: While we are waiting, do you have any plans to change encryption policy?
>
> RC: No.
>
> BV: So you didn't support what Sen. [Judd] Gregg was talking about [earlier
> this year]?
>
> RC: It wasn't on my radar screen. ...
>
> [Paul Kurtz enters the room] RC: Paul, help.
>
> BV: We are signing the Council of Europe treaty Friday. Do we need to pass
> any legislation?
>
> Paul Kurtz: Right now, it appears as no. People are taking a look at that
> to make sure, but ... I think we are all covered, set to go. ...
>
> BV: Given that the vulnerability of the Internet lies beyond our borders,
> how can we achieve absolute security?
>
> RC: If you make the U.S. networks and major enterprises on those networks
> secure, it doesn't matter if those attacks come from the outside the U.S. ...
>
> BV: Do you think the U.S. should use the Internet to counterattack, rather
> than to just identify an attack?
>
> RC: If a major cyber attack were endangering the U.S., there is a whole
> range of things the president could authorize. We shouldn't rule out any
> response to a major attack.
>
> BV: One of the things we can't do is control the private sector. And many
> small and medium-sized companies remain vulnerable. Is that always going to
> be a back door into our network?
>
> RC: If a small or medium or even a large business doesn't do the right
> thing in terms of achieving cyber security, then that business is going to
> be at risk.
>
> BV: But doesn't that mean the whole of the Internet remains at risk?
>
> RC: No, I don't think so. ... We are never going to get 100 percent
> security, and I don't think we are shooting for that. What we are trying to
> do is have a system that is resilient and when it comes under a major
> attack it can't deal with ... degrades gracefully and then comes back up
> quickly so that any outages are limited in time and limited in scope. ...
>
> BV: How far along are you with creating an early warning system?
>
> RC: We are talking about creating the Cyber Warning Information Network
> (CWIN). Its first iteration would be a voice communications system that
> would link major network operation centers and ISACs. It is something we
> have today in the national security command center and has a different name
> -- NOIWAN, National Operations and Intelligence Watch Offices Network.
> It is cool, and it's very primitive technology. The senior duty officer in
> the situation room at the White House and the national military command
> center at the Pentagon, the national center at the State Department, the
> officer at the CIA and the national security office at National Security
> Agency -- five or six duty officers each have a phone on it that only
> connects them, and if one of them picks it up, it rings at all of the
> others' desk. ...
> Its been working for 20 years, so we'll try to do that in the first
> instance with the ISACs and the network operation centers, and within the
> next phase, I'd like to have it be a chat room. ... Let's say someone sees
> [the] "Nimda" [virus] spiking. They can pick up a phone and get most of the
> people that need to know right away. ... This is one of the cases where the
> government doesn't know best or first. You need somehow to do a
> public-private partnership to reach out to these nodes in the private
> sector. They are the canaries in the mines ... that see viruses first, that
> see tsunamis of [denial-of-service] attacks first. ...
>
> BV: What about a checklist you are setting up on who to call when you have
> an attack?
>
> RC: It doesn't have to be one answer. We'd like people to report intrusion
> attempts and other crimes to the FBI. Or if it's a financial crime, they
> can also report it to the Secret Service. If they don't feel comfortable
> with that, they can report it to their ISAC. If they are a defense
> contractor, they can report it to the task force at the Pentagon. ... I'm
> not going to tell people who they have to report it to ... but don't live
> in splendid isolation if you are getting attacked. Tell somebody.
>
> BV: Is there an Echelon?
>
> RC: No. I don't know anything called Echelon. I've never seen anything
> called Echelon. ...
>
> BV: How did you survive three different administrations?
>
> RC: President Carter created something called the senior-executive service
> because Carter had this notion that he wanted to do civil-service reform.
> ... Congress established this senior-executive service that was modeled
> after the British civil-servant system. It hasn't worked all that well. ...
> But there are a fair number of [us senior executives] in State and the
> intelligence community. ... It's a little unusual for that to happen in the
> White House, but I think it's a good idea. ...
>
> BV: Is there any difference between the Clinton and Bush administrations on
> [cyber security]?
>
> RC: No, not really. I think both administrations understood this was an
> important issue. Clinton came to it later, but I think they both understand
> the importance of it. They both want to use market forces. This is not a
> partisan issue. ...
>
> BV: What drew you to this issue?
>
> RC: I like to try to be a translator, a bridge between technologies and
> policies -- to try to be on the cutting edge of technology. ...
>
> BV: People told me they've worked with you in the past and you can be
> abrasive.
>
> RC: You bet. Absolutely. I'm sure some people do [say that]. I am very
> focused on having meetings that result in action. I don't like meetings for
> the sake of meetings. I like to focus on persona accountability, and I
> don't like it when they shirk it. If someone can't get something done, then
> they ought to come and say why they can't get it done, and if it isn't
> their fault, they ought to come to us and telling us who is preventing it. ...
>
> BV: How great is the [cyber-security] threat out there? People tell me
> there is so much malicious activity out there, a coordinated attacked
> wouldn't necessarily be worse than what is happening already. ...
>
> RC: Well, a coordinated attack would be different in that while the number
> of malicious events may not change, if you focus on the right places and
> its coordinated in that sense, if they went after a number of a different
> nodes and if they were more sophisticated in their applications, things
> could be much worse. The lesson I am trying to get out to people [is] that
> just as in terrorism ... people thought prior to the attacks of September
> that we had seen the worse terrorism could give us and it was tolerable.
> Some thought that. They were reasoning by analogy from the past. But what I
> want people to do is not to reason by analogy from the past but reason by
> analyzing vulnerabilities. ... As 9/11 proved, the worst case sometimes
> happens. We need to understand what the worst case is and then do prudent
> risk management so that you mitigate those possibilities. If you don't do
> it, then you don't know what the worst case is.
>
> BV: How do you get companies to spend on security when there is a recession
> out there?
>
> RC: What I am told by the people who are selling security is that they are
> doing pretty good business. If you compare IT investments over the past
> year with IT security investment over the past year, IT security is doing
> pretty well.

*************************************************************************************************************
FAIR USE NOTICE: This site contains copyrighted material the use of which 
has not always been specifically authorized by the copyright owner. We are 
making such material available in our efforts to advance understanding of 
environmental, political, human rights, economic, democracy, scientific, 
and social justice issues, etc. We believe this constitutes a 'fair use' of 
any such copyrighted material as provided for in section 107 of the US 
Copyright Law. In accordance with Title 17 U.S.C. Section 107, the material 
on this site is distributed without profit to those who have expressed a 
prior interest in receiving the included information for research and 
educational purposes. For more information go to: 
http://www.law.cornell.edu/uscode/17/107.shtml

If you wish to use copyrighted material from this site for purposes of your 
own that go beyond 'fair use', you must obtain permission from the 
copyright owner.

For archives see:
http://www.interesting-people.org/archives/interesting-people/