U.S. cybersecurity czar urges more spending

U.S. cybersecurity czar Richard Clarke said Wednesday that cyberattacks on the nation’s critical IT infrastructure could potentially cause “catastrophic damage to the economy” and urged more spending on IT infrastructure and security.

Clarke, whose formal title is chairman of the president’s Critical Infrastructure Protection Board, also told a gathering here of about 150 security and privacy experts from business and government that he opposes a national ID card and wants to reduce the opportunities for anonymity on the Internet.

Speaking at the Trusted Computing Conference, which was hosted by Microsoft Corp., Clarke also strongly defended the proposed GovNet project, which would build a closed-loop government agency network that would be isolated from the Internet.

“We are not abandoning the Internet,” he said, adding that he envisions a GovNet system where workers would have more than one PC on their desktops – one a system open to the Internet and the other closed off and highly classified. Clarke stressed that if the GovNet proposal turns out to be a vast expense, it won’t be pursued, and he urged the audience to get involved in the request-for-information process under way this month.

In his first speech since the Sept. 11 terrorist attacks, Clarke said spending on IT security and infrastructure protection has to increase in both the private and government sectors. “Freedom isn’t free, and security isn’t free, either,” he said, adding that compared with six weeks ago, “no one is saying we shouldn’t pay more for security now.”

He said cyberattacks on the nation’s critical IT infrastructure could potentially cause “catastrophic damage to the economy,” akin to the “functional equivalent of 767s crashing into buildings.”

“I was surprised by his opposition to the national ID card, but that’s welcome news to us,” said privacy advocate Ari Schwartz, associate director of the Center for Democracy and Technology in Washington, D.C. The still-forming plans around GovNet remain a concern, however, he said. Schwartz said the message from Clarke seemed to be that government would be making the process more secret while inviting industry to “try and monitor us.”

“I’m impressed with his understanding of IT security issues. I’ve never seen that from the Executive Office before,” said Chris Wysopal, director of research and development at @Stake in Cambridge, Mass. He added that recognizing the vulnerability of the critical business IT infrastructure – and declaring its intent to protect it – was a reassuring step forward for the government.

Others at the conference praised the leadership role that the federal government seems to be taking in IT security, particularly in light of the embarrassing security breaches of prominent government Web sites such as NASA, the Pentagon and the CIA.

“If we in the U.S. can’t protect ourselves, what message does that send to the rest of the world?” said Christopher Klaus, founder and chief technology officer of Internet Security Systems in Atlanta.

“Concrete partnerships are forming here between government and business leaders in the privacy and security community,” said Alan Wiseman, an economist at the Federal Trade Commission in Washington.

Several attendees, however, said they found Clarke’s statements vague in terms of how the private sector can coordinate its IT efforts on security and privacy with the government.

“Market forces are not necessarily going to protect the infrastructure,” observed one attendee from a large West Coast financial institution, who asked not to be named. “I’m suggesting that counter to regulation, or even coinciding with regulation, that the government offer incentives for us to be good citizens, like tax cuts for those who conduct assessments and develop recovery procedures.”

Building trust into computing and protecting critical infrastructures were the dominant themes of this year’s conference, and regulation came up most often as the way to curtail rising cybercrime. “We’re just barely holding back government regulation. Just barely the war on terrorism is turning technology into surveillance tools. Just barely because of the fragile nature of Internet security,” said Michael O’Neill, a partner at law firm Preston Gates & Ellis and former general counsel to the CIA. A deep-seated reluctance by business to share vulnerability information and the reality of malicious hackers posting their attack methods on the Web make the environment ripe for legislation, even without a specific cyberterrorist attack, he added.

On the business and consumer side, some regulation is already going on, such as the Gramm-Leach-Bliley Act and the Children’s Online Protection Act, but more regulation may be needed, said Federal Trade Commissioner Mozelle Thompson. Citing a Forrester Research Inc. study that found that US$15 billion worth of e-commerce transactions go unrealized, he said e-business is suffering from a lack of trust, from both a business-to-consumer and a business-to-business standpoint.

“The yield on Internet investment won’t be realized until middle America feels comfortable and safe in an e-environment,” he said. “So I feel some federal legislative backstop would be helpful because consumers are judging the entire industry on those businesses doing the wrong thing.”

But privacy advocates like Alan Baudson, at the Center for Freedom and Democracy, cautioned against hastily prepared legislation, saying it could do more harm than good. For example, he said the Homeland Security Act’s technical mandates to make the Internet “surveillance ready” could have a chilling effect on business and consumer use of the Internet. And he said the same back doors the government wants, including key escrow, traffic channeling and caller ID requirements, could be used by criminals.

“These are all well-intended ideas, but we must understand what the long-term impacts of these government decisions will be,” Baudson said.

All agreed that more cooperation and discussion between private and government sectors will be required, and instead of waiting around for next year’s Trusted Computing conference, many said they plan to continue discussions over the next few months.