Information Security News mailing list archives

Former White House cybersecurity czar calls for security audit standards


From: InfoSec News <isn () c4i org>
Date: Tue, 21 Oct 2003 05:10:52 -0500 (CDT)

http://www.computerworld.com/securitytopics/security/story/0,10801,86242,00.html

Story by Matt Hamblen
OCTOBER 20, 2003
COMPUTERWORLD

LAKE BUENA VISTA, Fla. -- Former White House cybersecurity expert
Richard Clarke yesterday urged stronger standards for security
audits of U.S. companies, saying congressional action is needed.

"The Securities and Exchange Commission thinks it can [require audits]
under its existing authority, but what I'm predicting is it will be a
very vague statement and there will be no real auditing against that
standard," Clarke told reporters at the opening of Gartner Symposium
ITxpo 2003 here. Clarke is now a private security consultant, serving
as chairman of Good Harbor Consulting LLC in Arlington, Va. He joined
Good Harbor in July.

"You've got to have a relatively specific standard ... with some real
probability that someone will show up at the door to audit. That will
take a congressional act," he said.

Clarke also said standards should encourage automatic audits, so
network probes could quickly determine security levels, "instead of
bringing in PriceWaterhouse for $500,000" to do the audit.

Similar to banking audits, only 90% of what will be audited should be
known, so companies won't prepare only for audits and nothing else, he
said.

Clarke, who resigned from his U.S. government cybersecurity role in
January after serving in three administrations, made his comments
after being asked about the Sarbanes-Oxley Act and Health Insurance
Portability and Accountability Act security requirements. Both federal
mandates require companies to provide security certification. But
"what do they certify, and who is going to say that they are wrong?"
Clarke asked.

He also criticized Homeland Security Secretary Tom Ridge's
recommendations for security certification as ineffective. "Frankly,
it was Tom Ridge's idea that there be a Y2k-like statement [about
security protection steps] to the SEC, but if that happens, it is
going to be at such a high level of aggregation that you are never
going to know what it means," Clarke said.

During year 2000 IT modifications, the SEC required Y2k certification
by public companies. "We got away with that because it was a one-year
trick, and you can trick people for one year," Clarke said. That Y2k
certification was a "device" to get CIOs in front of their boards of
directors to provide funds for date change fixes, he said.

Asked if cybersecurity failures could have caused the power blackout
in Canada and the Northeast in August, Clarke ticked off a string of
power outages and attacks on energy systems globally in recent months,
including the loss of power throughout Italy in September. "We don't
know what caused any of these so far," he said. "We do know that Norway and
Israel at least are saying there were cyber-hacking attempts to bring
down the power grids in their countries.

"If the Aug. 14 outage was not caused by a hack attack, could it have
been?" Clarke said. "Could you bring down the power grid with a hack
attack? I fully believe the answer is yes."

Clarke also endorsed new technology from PGP Corp. in Palo Alto,
Calif., and is expected to take part in a presentation on behalf of
that company today at the symposium. PGP last month announced the
first version of its Universal product, which is designed to
automatically provide end-to-end e-mail security. The burden of
protecting critical information resides on the network and not a
user's desktop, reducing the security burden on end users, Clarke and
company officials said.

Generally, IT managers need to make security encryption as automatic
as possible, he said. "The key here is whoever makes the decision to
use encryption in the organization [so] that after that, it becomes
automatic," Clarke said. "Establishing elaborate systems [for
security] is a pain in the ass, frankly, and they require lots of
people to run them, and that's why they don't work and why people
don't do them."

Clarke also noted a humorous personal problem with unsolicited
commercial e-mail, saying that last week he got a spam from himself.
He said it was obviously because somebody or some program had spoofed
his e-mail address and then sent the spam with his address back to
him.

Clarke said it would be "really easy" for e-mail users to start their
personal "do not call" lists for e-mail by taking any of several
programs now available to allow e-mail only from certain people, which
could be combined with e-mail encryption to provide a private system.



-
ISN is currently hosted by Attrition.org
