Information Security News mailing list archives

Computer Czar Issues Warning


From: InfoSec News <isn () c4i org>
Date: Wed, 20 Feb 2002 02:17:14 -0600 (CST)

http://www.washingtonpost.com/wp-dyn/articles/A35215-2002Feb19.html

By Matthew Fordahl
AP Technology Writer
Tuesday, February 19, 2002; 7:18 PM

SAN JOSE, Calif. -- Much like the airline industry before Sept. 11,
high-tech companies, customers and government agencies are well aware
of security vulnerabilities but are reluctant to pay to fix them,
President Bush's top computer security adviser said Tuesday.

It's just a matter of time before terrorists use those flaws to launch
a cyberspace equivalent of the Sept. 11 attacks on critical national
infrastructure such as the electricity grid, said Richard Clarke, the
Bush administration's cyber security czar.

"They will look for the seams. They will look to where our
infrastructure is fragile," he said during the RSA Conference, the
world's largest gathering of computer security experts. "Our
infrastructure is fragile."

Clarke said the airlines had known for years about weaknesses in the
industry's security mechanisms but chose not to address them. There
was no intelligence suggesting an attack might occur, and nobody
wanted to shoulder the cost or risk inconveniencing passengers.

"This industry runs the same risks as the aviation industry," he said.
"For years, people in the aviation industry knew there were security
vulnerabilities - big ones. They convinced each other and themselves
that those vulnerabilities would never be used against the industry or
against the country."

After all, no hijackings had occurred for decades in the United States
before Sept. 11. As a result, no one wanted to pay to explore how
vulnerabilities might be exploited, he said.

But the information technology industry must work quickly and not
dwell on the past. Scenarios must be modeled and everyone - including
government, businesses and other customers - must work together and
share the costs.

President Bush is proposing a 64 percent increase in spending for
computer and network security, from $2.7 billion in fiscal year 2002
to $4.2 billion in fiscal year 2003.

RSA Conference organizers, who have been quick to criticize government
security initiatives in previous years, agreed with Clarke's comments
and many of the new post-Sept. 11 measures.

"Today, the threats to the critical infrastructure are no longer
theoretical," said Jim Bidzos, chairman of the one-week conference.

Bruce Heiman, an attorney and executive director of Americans for
Computer Privacy, also said he could not disagree with much of
Clarke's speech but said a balance must be struck between security and
privacy.

Clarke's proposal for government-industry cooperation, for instance,
could work well as long as it remains voluntary. Still, Heiman asked,
what would happen in the aftermath of a real cyber attack?

"If exhortation fails, regulation can't be far behind," he said.

Despite the government's voluntary approach so far, Heiman fears
government could indirectly force technology standards on the industry
if businesses can't agree on their own.

Heiman also questioned Clarke's suggestion that the government form
its own private network called GOVNET so as to escape the problems of
the Internet.

"Is that approach just throwing up your hands?" Heiman said. "GOVNET
says we can't make it secure - we will just have our own system."

Clarke, who has served under every president since Ronald Reagan, was
picked in October to advise the government and private businesses on
cyber security issues. In his talk Tuesday, he said the government is
a model of how not to address cyber security.

Clarke also suggested moving away from connecting everything to the
Internet. He said details of the nation's air traffic control system
could be made available to Web surfers in the Middle East.

Unless action is taken soon, the information technology industry will
suffer the same fate as the aviation industry, he said.

"The vulnerabilities are too well known for someone not to use them in a
big way that makes Nimda and Code Red look like small fries," Clarke
said of two worms, which last year tied up Internet traffic worldwide
by exploiting well-known software vulnerabilities.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.