Clarke advocates grass-roots action to protect critical IT

Calling the Homeland Security Department 'incapable of doing anything to save the civilian IT infrastructure,' former White House cybersecurity czar Richard Clarke today called on software users and buyers to set security standards themselves.

'You can't count on the government to defend critical networks,' Clarke said at the National Information Assurance Leadership Conference in Washington sponsored by the SANS Institute of Bethesda, Md.

'I thought it was impossible to put together five cybersecurity organizations [in DHS] and get less than the sum of their parts, but the agencies have played games,' Clarke said in a keynote speech. 'The Defense Department and FBI have held back billets or have nobody in them. The National Infrastructure Protection Center and National Communications System are less today than they were a year ago. DHS can't find anyone to fill the only full-time job in IT security.'

So far, vendors have done no better, he said. 'They won't stop thinking about their selfish interests and form a joint test bed for patches for all their applications,' which means network administrators must duplicate each other's efforts to test patches for safety and local compatibility.

He urged user groups, large enterprises, universities and organizations such as SANS to band together to build a national patch test bed and forge standards for software quality assurance. Outside auditors should verify that new software releases meet these standards, he said.

Finally, Clarke said, users need to 'smash the widget paradigm' of buying dozens of disparate firewall, antivirus, intrusion detection and access control products from multiple vendors, and then trying to get them to work 'all kludged together. Users need to demand defense-in-depth integration from the gateway to the network to the PC. Users need to start smashing pumpkins.'

At the conference, SANS presented leadership awards for operating system and network security to:

  • Dell Inc., for the 'baked-in security' of its Microsoft Windows 2000 Professional systems, which arrive with vulnerable features turned off

  • OpenBSD, for effective OS security testing

  • Microsoft Corp., for automating security patching of Windows XP

  • MCI, for effective defense against distributed denial-of-service attacks and rapid action to stop Internet worm damage.