The cyberterrorism czar: What's next?

[InfoSec News <isn () c4i org>]

Forwarded from: Justin Lundy <jbl () subterrain net>

http://news.cnet.com/news/0-1014-201-7853990-0.html

The cyberterrorism czar: What's next? 
By Robert Lemos
Special to CNET News.com
November 13, 2001, 4:00 a.m. PT

Anyone following cybercrime may think the whole concept of
"cyberterrorism" is an overhyped myth. With Web defacements and short
denial-of-service attacks the norm, few fear a future attack from the
Net.

But Richard Clarke, the newly appointed special adviser to the
president for cybersecurity, is one of those few.

Leading the government's charge to secure critical components of the
Internet, Clarke doesn't think the past is any indication of what
might happen in the future. As more companies put increasingly
important data on the Internet, Clarke thinks it's only a matter of
time before an individual or group takes advantage of the United
States' poor security.

That's why the secretary of homeland security, Thomas Ridge, appointed
Clarke as the cyberterrorism czar, making him responsible for finding
weaknesses in the Internet and ensuring they aren't exploited.

The role is a familiar one for Clarke, who served under President
Clinton as the national coordinator for security, infrastructure
protection and counterterrorism. On the National Security Council
staff since 1992, he has handled the reform and reduction in the cost
of U.N. peacekeeping, the restoration of democracy in Haiti, Persian
Gulf security, and international crime control in his role as special
assistant to the president for global affairs.

CNET News.com tracked down Clarke just before his speech at
Microsoft's Trusted Computing Conference to talk to the presidential
adviser about the proposal for a separate "GovNet," cyberterrorism,
and how to protect the Internet in a newly uncertain world.

Q: When you announced GovNet, it was a project that you had been
talking about for a while. Are you essentially saying that you can't
secure the Internet?
 
A. No. What I am saying is that for some federal agencies, they may
want to put some of their mission-critical, private
communications--their intranet--onto a system that is not going to be
as subjected to viruses and worms, and not be subjected at all to
denial-of-service attacks.

Several government agencies have it already to a limited degree. The
Department of Energy has three national laboratories on a private
line. It is something that the government has in the past gone away
from because it was too expensive. I think we may be at a time when we
can return to that and not have it be too expensive. But it is only
for internal communications...and each agency that chooses to
participate would have its own LAN (local area network) and its own
fiber. So it's not for multiple-agency communications.

So it wouldn't be connecting two agencies together or various
government agencies?

No. It's not meant to replace the Internet. The kind of system we have
in mind is akin to what I have on my desk now. I've got three PCs on
my desk right now and one monitor. By using Shift-F1, -F2, -F3, I
switch between networks; two of those networks are closed and the
other is the Internet.

The key is to make sure that your own network doesn't touch somebody
else's routers or a public switch. You can do a better job monitoring
the activity on the network because you can tell all your employees,
"We will be monitoring your activity on this net," and you have a
higher standard of security access.

Including viruses?

A virus is unlikely to get onto a closed-loop network like that as
rapidly as it goes around the Internet. It's still possible to get a
virus on the (intranet), but it will be hours, if not days, after it
was loosed in the wild. During that time, you are going to be able to
filter the viruses out, develop an antivirus program, change your
antivirus files--and you will catch it. So there are certain
protections in terms of reliability and security that you get that you
wouldn't get on a public system.

After Sept. 11 there has been a lot of focus on cybersecurity, even
though to my knowledge there has been no connection between what
happened and the i Internet. So as we are talking about terrorists and
people who might want to attack the critical infrastructure, what does
the United States have to do to protect its information-technology
infrastructure?

A number of things. And it's not the kind of thing that you solve, and
you've solved it. So we have to make some long-term investments
because this is a problem that is going to be with us for a long time.
Some investments won't bear fruit for a while. Then there are some
short-term investments.

I think the most critical thing we need to do is increase our
investments in training, education and awareness programs. That does
two things: One, it gives us more trained IT and security personnel.
All of our studies in the government and the private sectors say there
is a relative dearth compared to the real need. Where the awareness
part gets us is, the manager, system administrators and individuals
who use systems (should be)...conscious of the risks of not using good
security practices, (such as) not changing passwords, not updating
their antivirus software, not updating operating-system patches or
application patches. Ninety percent of the hacks on government systems
occur because people haven't updated the patches on their operating
systems or applications. So we can buy a lot in terms of the number of
attacks by doing things like that. The No. 1 priority is training,
education and awareness.

Anything else?

After that, we need to start thinking about what the network is today
and where the network will be in three to five years. It's hard to
affect security on systems that are already deployed and don't have
security built in. What we'd like to be able to do is work with the
industry and see where networks, hardware and software are going over
the next three to five years, and to begin to identify the potential
security vulnerabilities in these new systems and the evolving
systems--start working now to identify those vulnerabilities and fix
them before they go to market.


-- 
"Paper money eventually returns to its intrinsic value - zero." -Voltaire       
HTTP: www.subterrain.net/~jbl/ % GPG key: www.subterrain.net/~jbl/jbl.gpg       
%% GPG key fingerprint: 7F63 6DF4 B2F8 31F7 5219 8E0B 602F C8C8 D77E FFDF



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.