I find it ironic that former U.S. counterterrorism czar Richard Clarke is in the news at the same time that a major swarm of new viruses is circulating on the Net and the first task forces from the National Strategy to Secure Cyberspace (NSSC) are reporting their recommendations.
Clarke, as cybersecurity adviser to President Bush from 2001 to 2003, chaired the first committee to draft this strategy, which contained practices that could have minimized some of the recent virus attacks. But after most of his proposals did not make it into the final document, Clarke left his post in early 2003 and ended 30 years of government service.
I have not always agreed with Clarke's politics, nor do I think he's right that a digital Pearl Harbor is forthcoming, but I do admire his dedication and passion for cybersecurity. And in retrospect, I think the Internet would be a much safer place, with fewer viruses and scams, had Washington paid more attention to Clarke back in 2002.
I say this as, a little more than a week ago, the first two reports from the Awareness and Outreach Task Force and the Cyber Security Early Warning Task Force were released to the public. Both committees were created based on recommendations from the NSSC. There are a total of five task forces, comprising mainly probusiness interests. Because of this, many independent security experts see these committees as a thrifty way for large corporations to dodge their responsibility to create secure products while giving their own marketing departments bragging rights that they are securing the Internet for us all.
I first interviewed Clarke in 2002, shortly before the draft proposal for the NSSC came out, and I have heard him speak over the last two years at several computer security events. The Clarke who recently testified before the 9/11 commission is entirely consistent with the Clarke I've seen up close: calm, knowledgeable, and diplomatic to a fault.
That's why I disagree with the recent characterization from the White House that Clarke is little more than a disenfranchised former staff member who was often out of the loop. Clarke, as outlined in his book Against All Enemies, fought a losing battle over terrorism against a disinterested White House; his decision to leave his counterterrorism position in 2001 in favor of a newly created cybersecurity position seems entirely consistent with his desire to do the greatest good for the most people. As Clarke told the 9/11 committee, "I thought perhaps I could make a contribution if I worked full time on [cybersecurity]."
At the Black Hat Briefings in Las Vegas in the summer of 2002, Clarke gave a keynote address in which he outlined several bold ideas to secure the Internet. Clarke drew a round of applause from the gathered security professionals when he said the software industry "has an obligation to provide software that works." He further called upon software makers to ship products with unused processes turned off by default. And he suggested that broadband suppliers supply their customers with firewalls and antivirus protection--a recommendation I still think should be implemented.
More daring, however, was Clarke's suggestion that the U.S. government could lead a security revolution by procuring only computer products certified by the National Intergovernmental Audit Forum (NIAF) testing program. While this satisfied the current administration's desire to let the marketplace decide which products it wants to use, NIAF testing apparently sounded like too much government regulation. In the end, this proposal was not in the final document signed by President Bush.
In fact, at that same 2002 Black Hat Briefing, Marcus Sachs and others from the White House went out of their way to say that the administration would not enforce any of the guidelines in the NSSC; it would be merely a recommendation for computer hardware and software vendors to follow if they so chose.
Since 2001, the current administration has taken a decidedly hands-off attitude toward Internet security, as I've written about before. For instance, during last year's SQL/Slammer outbreak, the staff of the National Infrastructure Protection Center (NIPC), once part of the FBI but now part of the Department of Homeland Security, took several hours to respond. Today, NIPC's successor, the Department of Homeland Security's Directorate of Information Analysis and Infrastructure Protection, or IAIP, remains largely understaffed, underfunded, and unable to recruit the brightest computer security talent.
Had Clarke's proposals been taken seriously, all broadband users would have antivirus and firewall protection, and we might not have endured the MSBlast worm meltdown in August of 2003 nor be dealing with these pesky e-mail viruses right now. Microsoft might also be talking about releasing a version of Windows XP that had been independently proven to be secure (instead of us just taking the company's word that it's secure). In retrospect, we're no better off today, and perhaps we're actually worse off, than before the NSSC existed.
We need someone with vision and passion to implement software and hardware standards at the government level--but it won't be Clarke. He's resigned from public service, and unfortunately, there's no one around these days with his level of expertise and commitment--or if there is, he or she isn't stepping up to take the job.
For you and me, of course, this means there's no one watching out for us online. And it's up to each of us to protect our own little corner of cyberspace, by patching our software and being wary of unsolicited e-mail.