Experts disagree on how to shore up cybersecurity
- By Susan M. Menke, Wilson P. Dizard III
- Jul 25, 2003
Vendors 'won't stop thinking about their selfish interests and form a joint test bed for patches,' former White House cybersecurity czar Richard Clarke said.
Henrik G. de Gyor
Software vulnerabilities remain a major threat to cybersecurity, but experts last week suggested opposing approaches to closing the loopholes.
Speaking at the National Information Assurance Leadership Conference in Washington sponsored by SANS Institute of Bethesda, Md., former White House cybersecurity czar Richard Clarke said government isn't up to the task. Instead, Clarke called on software users and buyers to set security standards themselves.
But another expert with the National Security Agency told the House Homeland Security Subcommittee on Cybersecurity, Science, Research and Development, that a government office should coordinate software security efforts.
'There is little coordinated effort today to develop tools and techniques to examine effectively either source or executable software,' Daniel G. Wolf, NSA's director of information assurance, said. 'I believe this problem is significant enough to warrant a considerable effort coordinated by a truly national software assurance center.'
But Clarke said, 'You can't count on the government to defend critical networks.' He specifically took aim at the Homeland Security Department, calling it 'incapable of doing anything to save the civilian IT infrastructure.'
In the end, his preconceptions about combining cybersecurity organizations under DHS have proven true, Clarke said. 'The National Infrastructure Protection Center and National Communications System are less today than they were a year ago. DHS can't find anyone to fill the only full-time job in IT security.'
And vendors are doing little more, he said. 'They won't stop thinking about their selfish interests and form a joint test bed for patches for all their applications,' which means network administrators must duplicate one another's efforts to test patches for safety and local compatibility, Clarke said.
Wolf said NSA is working on a Trusted Microelectronics Capability to assure that state-of-the-art hardware will be available for critical national security systems.
He suggested that the increasing use of foreign-made microelectronics components jeopardizes that capability.
Wolf said the highest payoff for improving cybersecurity would be to adopt an interoperable authentication system across the government and extend it to first responders and groups that maintain the nation's critical infrastructures.
'A national public-key infrastructure system is required that allows for strong authentication in cyberspace for homeland security,' Wolf said. 'It is also important to note here that the most critical infrastructures, like a PKI, should be built using U.S. technology. I have concerns with foreign software of unknown trust and quality being integrated into U.S. systems.''Smash the widget paradigm'
Clarke urged user groups, large enterprises, universities and organizations such as SANS to band together to build a national patch test bed and set standards for software quality assurance. Outside auditors should verify that those standards are met in new software releases, he said.
Finally, Clarke said, users need to 'smash the widget paradigm' of buying dozens of disparate firewall, antivirus, intrusion detection and access control products from multiple vendors, and then trying to get them to work 'all kludged together. Users need to demand defense-in-depth integration from the gateway to the network to the PC.'