Information Security News mailing list archives

Net security chief leaves too many questions unanswered


From: InfoSec News <isn () c4i org>
Date: Wed, 16 Oct 2002 02:22:10 -0500 (CDT)

http://www.boston.com/dailyglobe2/287/business/Net_security_chief_leaves_too_many_questions_unanswered+.shtml

By Hiawatha Bray
Globe Staff
10/14/2002

When President Bush's Internet security chief Richard Clarke visits
MIT on Wednesday, he'll probably receive a polite and courteous
response.

And that's a shame. Nothing against Clarke, mind you. He's saddled
with the massive responsibility of protecting the nation's sensitive
computer systems from attack by terrorists and criminals. It's a tough
job and he deserves a sympathetic hearing. But we should also lob some
hard questions his way, questions that go unanswered in the document
that Clarke is coming to discuss.

It's called ''The National Strategy to Secure Cyberspace.'' As an
overview of the challenges involved, it's pretty good stuff. Download
a copy at www.whitehouse.gov/pcipb, and see for yourself. As a road
map for action, though, it's like a sip of weak tea. Imagine a World
War II strategy document in which Eisenhower suggests that it might be
nice to invade Normandy, and you'll get the general tone.

''There's nothing in there to offend anybody,'' said Mark Rasch, a
former computer crime prosecutor for the Justice Department and now
chief security counsel for Solutionary Inc., an Omaha computer
security firm. ''They've just said, `Let's all hold hands and sing
``Kumbaya.'' ' ''

Hardly an appropriate attitude if the computer networks that drive our
economy and our government are open to devastating attacks by the sort
of thugs who killed thousands last year on Sept. 11. You'd think
securing that infrastructure would be one of the nation's highest
priorities. Surely high enough to justify at least a partial retreat
from the administration's bias against government mandates and
compulsion. But virtually every recommendation in the strategy report
is voluntary, and the plan calls for ''regulation only in the face of
a material failure of the market to protect the health, safety, or
well being of the American people.''

The administration has taken a very different tack on the question of
war with Iraq. Bush is unwilling to wait until ''a material failure''
of UN diplomacy results in a mushroom cloud over Tel Aviv or
Washington. Why wait until enemy hackers black out our cities or shut
down our airports?

Besides, we've already given the free market a chance to stamp out
hack attacks, viruses and the like. How's it doing? Just consider how
many copies of the Klez virus you've received in the past month.
Granted, if you're sensible enough to use antivirus software, Klez is
no big deal. But millions of users don't bother, and they're the ones
whose computers keep trying to infect everybody else's.

If the threat came only from nuisance viruses, we could live with it.
But what about the millions of home computer users connected to the
Internet through high-speed, always-on connections? Each of these
machines represents a possible way for malicious attackers to raid
other, more sensitive systems. The White House strategy report warns
against this, but to what effect? Computer security is like Oscar
Wilde's opinion of socialism: it takes up too many evenings. Most
people haven't the time, training or desire to get it right, and it'll
take more than a lecture from Richard Clarke to close this security
loophole.

For that matter, the same problem occurs in corporations and even
government agencies. With so many high-priority issues clamoring for
attention, network security often gets nudged to the bottom of the
list. That won't be helped by well-meaning, toothless sermonettes from
1600 Pennsylvania Avenue.

All this being said, it's hard to imagine much good coming from some
monstrous new bureaucracy, riding herd on computer hardware and
software makers, and users too, compelling us all to live under some
strict and narrow standard of digital security. Such a system would
likely smother under its own paperwork, even as it snuffed out the
creative vitality of the nation's tech industries.

What, then, shall we do? One of Rasch's ideas offers a glimmer of
hope. Let's unleash the trial lawyers.

Presently, the licenses for most computer software products absolve
companies of liability because of bugs or security flaws. ''There's no
real economic incentive on the part of software manufacturers to make
their products much more secure,'' Rasch noted. ''They don't bear the
cost when it fails.''

Maybe it's time to change that. Computer companies could be forced to
modify their licenses to accept liability for security flaws that put
their customers at risk. Once this is done, the free market in
ambulance-chasing would take care of the rest. Suddenly, companies
like Microsoft, which have habitually peddled untrustworthy products,
would learn a new reverence for computer security.

Obviously, this isn't a total solution. Network administrators and
home hobbyists alike must still do their part. But there's little help
in the banalities of Clarke's current plan, which in its lack of
urgency reads as if it were written before 9/11.

So a few tough questions are in order for Mr. Clarke. It might remind
him that there's a war on.

Hiawatha Bray can be reached at bray () globe com.



-
ISN is currently hosted by Attrition.org
