U.S. official urges better cybersecurity standards

Software vendors, Internet service providers (ISPs), wireless network vendors and the U.S. federal government all need to improve the security of their IT products and networks to help ensure that the U.S.’ cyberspace is secure, said Richard Clarke, presidential advisor on cybersecurity, in his keynote that opened the Black Hat security conference Wednesday.

Since the spike in interest in cybersecurity caused by the Sept. 11 terrorist attacks, “we’ve done a very good job of beginning to secure the infrastructure of the United States,” he said.

However, “why is it that it always has to be that we do a good job after we’ve been hit,” he asked. “Why is it that we have to wait for the disaster?”

To avoid relying on future disasters to spur action and to drive proactive security measures, the President’s Critical Infrastructure Protection Board, created by President Bush, will release a federal strategy for cybersecurity in mid-September, he said. That strategy, and what recommendations should be in it, was one subject of a report released by the U.S. General Accounting Office earlier in July. [See ” Study: Cybersecurity confusion hampers government,” July 23.]

The strategy is the result of a series of questions sent to security experts across the country since the beginning of the year, he said. The answers make up a document that currently stands at over 2,800 pages, with sections in it on how to secure different types of businesses written by people who work in those areas, he said. The cybersecurity strategy will be updated a few times a year and will include new markets and business types with those updates, he added.

Instead of waiting for the document’s release in September, though, Clarke outlined five groups that he said should change their practices to ensure better security.

Clarke took the first such area, the software industry, to task over buggy products and difficult patch management systems.

“The software industry has an obligation to do a better job at producing software that works,” he said, drawing applause from the audience.

“It is no longer acceptable that each year the number of identified vulnerabilities goes up,” he said. New statistics released two weeks ago by the federally-funded computer security group the CERT Coordination Center (CERT/CC) showed that the total number of vulnerabilities identified in software in 2002 so far is nearly equal to the total from 2001. [See ” CERT: Security incidents up sharply in 2002,” July 18.]

The patches for those vulnerabilities, and how they are applied, is also a problem, he said. Patches are not applied quickly because administrators need to test them to determine what effect they will have on their networks when applied, he said. One way around that delay in patching could be to ask software vendors to test their patches with a suite of commonly-used enterprise applications, not just with their own products, he said.

The second group that should reassess its security posture are the vendors and users of wireless networks, Clarke said.

Wireless networks have had a history on lax security and are not being armed with the proper security precautions in enterprises, he said. Part of the blame lays with vendors of wireless network equipment, he said.

“Why is it that companies have sold products that they know aren’t secure or that they know are so hard to secure that no one will ever do it,” he asked.

“Until we have a better track record with wireless LANs, we all ought to shut them off,” he said.

Another group of companies that aren’t offering their customers strong enough security measures are the ISPs, telephone companies and cable companies that sell high-speed Internet access, he said. When users connect to high-speed, always-on networks, they quickly become exposed to identity theft and system compromise without their knowledge, he said.

The companies selling the high-speed connections also ought to do a better job educating their customers about the risks of such connections, as well as how to defend themselves, he said. Such ISPs ought to at least offer frequently-updated personal firewalls to their customers, and maybe even a patch-management system and antivirus software, he said.

Clarke also broached an idea that has long been anathema to many in the Internet community: that the federal government might have a role to play in the administration of the Internet.

Though there are bodies such as the Internet Engineering Task Force and the Internet Society that work to secure the protocols and standards that the Internet runs on, there is no mechanism to hold these groups accountable or to make sure that they work quickly, he said. The lack of such oversight has led to a lot of talk about new, more secure Internet technologies, such as SecureDNS (Domain Name System) and IPv6 (Internet Protocol version 6, a new iteration of the protocol that undergirds Internet traffic), but to little action, he said.

“Is there a role for the federal government … to try to maintain the health and security of the Internet,” he asked, stressing that if there were such a role, the government should not seek to control the Internet.

“There’s got to be a middle ground where the government doesn’t walk away (from the Internet),” he said.

Lastly, the federal government itself has to work harder to secure its networks and to drive better security in the technology industry, he said.

The government has taken some steps to boost its cybersecurity, raising the amount it will be spending on cybersecurity in fiscal year 2003 by 64 percent, he said.

The government, however, could have an even broader impact on computer security with its purchasing power, he said. With US$20 billion set to be spent on IT over the next three years, the government could drive better security in products across the board if it required its agencies to only purchase products that met certain security standards, he said.

Clarke closed his remarks by urging attendees to agitate within their companies and organizations for greater security.

“You all have a responsibility … to (say) ‘we’re vulnerable and we need to invest more money in training and technology,’ so that when a cyberwar comes — and it will come — we … will win that war,” he said.