U.S. cybersecurity czar tasks IT industry

To secure the national information infrastructure against future terrorist attacks, U.S. President George W. Bush’s cyberspace security advisor told an IT gathering Tuesday that his government will take steps toward greater information security, but the industry must do its part, too.

Speaking at the Business Software Alliance’s Global Tech Summit in Washington, D.C., Richard Clarke was upbeat about the technology industry’s near-term future, but also stressed that vulnerabilities exposed by the Sept. 11 terrorist attacks must be acknowledged and repaired.

“We’ve defeated the Taliban, we’re smashing al-Qaeda, and the economy will rebound,” he said, adding that the “full promise of information technology can and will be achieved. But we must understand the lessons of Sept. 11.”

Those lessons, according to Clarke, include realizing that the U.S. has, and will continue to have, enemies that will “use our technology against us,” he said, by exploiting fissures and seams in the nation’s technology infrastructure. To combat these enemies, the public and private sector must work in partnership, he said.

Acknowledging that there has been a “tradition of hostility” between the government and the IT industry, Clarke extended an olive branch by offering government assistance in a number of areas.

Perhaps most interesting to technology executives, Clarke said, the government is willing to back off regulating the industry.

“The government is willing to be guided by the principle that it won’t achieve IT security through regulation,” Clarke said. “Congress and the federal agencies should be discouraged from trying to craft IT regulation into law.”

The government can do research, he continued, noting with concern that private sector spending on security research and development is on the decline. Government resources can be channelled into areas where the industry has pulled back, such as security.

Supporting his statement, Clarke announced that the National Center for Infrastructure Simulation and Analysis will open as soon as next month. The center will simulate information networks as well as critical infrastructures such as power, gas, and telephone grids and “create an acupuncture map of the country” to determine what the effects are when excess pressure is put on one of those resources.

Sponsoring legislation to encourage information sharing between the private and public sectors is another thing government can do, Clarke said. Senator Robert Bennett, a Republican from Utah, in September proposed an act that would let IT companies share vulnerability information with the government without fear of public disclosure through the Freedom of Information Act, he said. President Bush has endorsed the measure, and Clarke said he hopes it will pass Congress before the holiday break.

The government should also set an example by deploying a high level of information security, which Clarke admitted is not currently the case. He told the audience that Mitchell Daniels, director of the U.S. Office of Management and the Budget, will warn two federal agencies that if their budgets don’t include allocations for improving information security, the director will rewrite those budgets himself to funnel funds into improving technology.

“Those letters are going out to Cabinet members this week,” Clarke said.

There’s plenty that the technology industry can do, too, he said. The industry has to decide which IT security features will be built in and not included as afterthoughts, he said, adding that the default settings of software and hardware should take into account high security.

Technology companies must look beyond their own products and consider “end-to-end security” by working with other vendors. And software companies shouldn’t assume that their responsibility ends when they release a security patch to their products.

“When you announce the need for a patch, you should work with your customers to make sure those patches are applied,” he said.

More stable routers that can withstand distributed denial of service attacks are also needed. “I don’t believe that the IT industry can’t solve that problem,” Clarke said. ISPs (Internet Service Providers) and carriers should sell personal firewalls packaged with DSL (Digital Subscriber Line) or cable-modem connections, he added, since home users who are constantly connected using these technologies are largely unaware of their vulnerability to hackers overtaking their computers with malicious intent.

Looking forward, Clarke said the industry should envision the type of technology that will be available in 2005 and start doing vulnerability and security analysis on those products now, before they are deployed.

In closing, Clarke appealed to the crowd’s patriotism.

“On behalf of President Bush, we invite your involvement in drafting a national plan for information technology security,” Clarke said. “We in this country continue to be targets, and we have to defend our cyberspace.”

The BSA, based in Washington, D.C., can be found on the Web at http://www.bsa.org/.