Clarke previews national cyberstrategy
LAS VEGAS -- Presidential adviser Richard Clarke last month told a gathering of 1,500 computer security experts that they have a duty to be gadflies.
'We have done a good job of beginning to secure the critical infrastructure,' Clarke said at the Black Hat Briefings. But security still is an afterthought in most software and hardware, he added. It's the job of all security programmers to make themselves nuisances and to keep harping away about systems vulnerabilities, Clarke said.
Clarke, who heads the president's Critical Infrastructure Protection Board, drew applause when he said the software industry has an obligation to do a better job of development, and again when he said government should not control the Internet.
'I don't trust the government to regulate the Internet,' he said, 'but it can't just walk away' from its responsibility to preserve what has become a vital global infrastructure.
Clarke previewed the National Strategy for Securing Cyber Space, a 2,800-page report scheduled for release Sept. 18. Chances are, we will get it wrong in some aspects the first time around, Clarke said.
Clarke outlined several areas the plan emphasizes:
- The process of developing software is not working, he said. Vendors need to do a better job of ensuring their products not only work but work securely. He praised vendor efforts to patch security holes but said patches ought to come with guarantees that they will work with other applications and services.
- Wireless LANs are notoriously unsecure, and we might all have to shut them off until security gets better, Clarke said. It is a failure of the government that we have let security awareness get so low as to allow deployment of systems with known vulnerabilities.
- Telecommunications companies and Internet providers should supply firewalls and other security services to users of always-on connections, which are vulnerable to attack.
- The federal government should take a stronger role in advancing its own security. Clarke said the strategy will discuss implementation of IPv6, the new IP version that promises better security.
- The government should be a role model for best practices, and agencies must put their money into the improved products they are encouraging industry to produce.
William Jackson is a senior writer of GCN and the author of the CyberEye blog.