Security Watch: Don't get burned by viruses and hackers.
How we could have benefited from Richard Clarke's passion
By Robert Vamosi 
Senior associate editor, CNET Reviews
March 29, 2004

I find it ironic that former U.S. counterterrorism czar Richard Clarke is in the news at the same time that a major swarm of new viruses is circulating on the Net and the first task forces from the National Strategy to Secure Cyberspace (NSSC) are reporting their recommendations.

Clarke, as cybersecurity adviser to President Bush from 2001 to 2003, chaired the first committee to draft this strategy, which contained practices that could have minimized some of the recent virus attacks. But after most of his proposals did not make it into the final document, Clarke left his post in early 2003 and ended 30 years of government service.

I have not always agreed with Clarke's politics, nor do I think he's right that a digital Pearl Harbor is forthcoming, but I do admire his dedication to and passion for cybersecurity. And in retrospect, I think the Internet would be a much safer place, with fewer viruses and scams, had Washington paid more attention to Clarke back in 2002.

I say this as, a little more than a week ago, the first two reports from the Awareness and Outreach Task Force and the Cyber Security Early Warning Task Force were released to the public. Both committees were created based on recommendations from the NSSC. There are a total of five task forces, comprising mainly probusiness interests. Because of this, many independent security experts see these committees as a thrifty way for large corporations to dodge their responsibility to create secure products while giving their own marketing departments bragging rights that they are securing the Internet for us all.

I first interviewed Clarke in 2002, shortly before the draft proposal for the NSSC came out, and I have heard him speak over the last two years at several computer security events. The Clarke who recently testified before the 9/11 commission is entirely consistent with the Clarke I've seen up close: calm, knowledgeable, and diplomatic to a fault.

That's why I disagree with the recent characterization from the White House that Clarke is little more than a disenfranchised former staff member who was often out of the loop. Clarke, as outlined in his book Against All Enemies, fought a losing battle over terrorism against a disinterested White House; his decision to leave his counterterrorism position in 2001 in favor of a newly created cybersecurity position seems entirely consistent with his desire to do the greatest good for the most people. As Clarke told the 9/11 committee, "I thought perhaps I could make a contribution if I worked full time on [cybersecurity]."

At the Black Hat Briefings in Las Vegas in the summer of 2002, Clarke gave a keynote address in which he outlined several bold ideas to secure the Internet. Clarke drew a round of applause from the gathered security professionals when he said the software industry "has an obligation to provide software that works." He further called upon software makers to ship products with unused processes turned off by default. And he suggested that broadband suppliers supply their customers with firewalls and antivirus protection--a recommendation I still think should be implemented.

More daring, however, was Clarke's suggestion that the U.S. government could lead a security revolution by procuring only computer products certified by the National Intergovernmental Audit Forum (NIAF) testing program. While this satisfied the current administration's desire to let the marketplace decide which products it wants to use, NIAF testing apparently sounded like too much government regulation. In the end, this proposal was not in the final document signed by President Bush.

In fact, at that same 2002 Black Hat Briefing, Marcus Sachs and others from the White House went out of their way to say that the administration would not enforce any of the guidelines in the NSSC; it would be merely a recommendation for computer hardware and software vendors to follow if they so chose.

Since 2001, the current administration has taken a decidedly hands-off attitude toward Internet security, as I've written about before. For instance, during last year's SQL/Slammer outbreak, the staff of the National Infrastructure Protection Center (NIPC), once part of the FBI but now part of the Department of Homeland Security, took several hours to respond. Today, NIPC's successor, the Department of Homeland Security's Directorate of Information Analysis and Infrastructure Protection, or IAIP, remains largely understaffed, underfunded, and unable to recruit the brightest computer security talent.

Had Clarke's proposals been taken seriously, all broadband users would have antivirus and firewall protection, and we might not have endured the MSBlast worm meltdown in August of 2003 nor be dealing with these pesky e-mail viruses right now. Microsoft might also be talking about releasing a version of Windows XP that had been independently proven to be secure (instead of us just taking the company's word that it's secure). In retrospect, we're no better off today, and perhaps we're actually worse off, than before the NSSC existed.

We need someone with vision and passion to implement software and hardware standards at the government level--but it won't be Clarke. He's resigned from public service, and unfortunately, there's no one around these days with his level of expertise and commitment--or if there is, he or she isn't stepping up to take the job.

For you and me, of course, this means there's no one watching out for us online. And it's up to each of us to protect our own little corner of cyberspace, by patching our software and being wary of unsolicited e-mail.




© 2008 CNET Networks, Inc., a CBS Company. All rights reserved.