Clarke: Outdated cyber defense leaves US open to attack

The nation’s cyber defenses now lag the capabilities of those attacking our online assets, leaving critical infrastructure and data vulnerable to increasingly sophisticated attacks, said former presidential adviser Richard Clarke.

The recent string of high-profile breaches of government and corporate IT systems illustrates the evolving threat landscape in which the advantage has shifted to the offense, Clarke told Government Computer News. “I don’t think it’s a rosy picture, for the government or the private sector.”

Most enterprises still rely on static, first-generation IT security tools to secure an increasingly porous and ill-defined perimeter and do not protect against a new generation of advanced persistent threats, Clarke said.

“What it means is that attacks have gotten qualitatively better,” he said. “If someone wants to get into your network, they can get in. All the money you spent on antivirus software and firewalls won’t stop it.”

Those who want to get into U.S. networks often are well-financed criminal organizations or nation-states, which have siphoned terabytes of data in the past several years. “A lot of it is junk,” Clarke said. But a lot of proprietary corporate or mission-critical government information also has been gathered, damaging the nation’s security and economic competitiveness.

Clarke served on the National Security Council under presidents George H.W. Bush and Bill Clinton, and was special adviser on cybersecurity to President George W. Bush before leaving government in 2003 to join Good Harbor Consulting. He is joining the board of directors of Bit9, an application whitelisting security company whose endpoint security approach he says is needed in government.

Clarke is a longtime critic of U.S. security policy and in 2010, with Robert K. Knake, wrote “Cyber War: The Next Threat to National Security and What to Do About It,” in which he argued that cyber war is real and already has begun, and that the nation is not yet prepared to wage it.

He wrote that the country’s reliance on a high-tech critical infrastructure puts it at risk in this asymmetrical type of attack. “While it may appear to give America some sort of advantage, in fact cyber war places this country at greater jeopardy than it does any other nation.”

The apparent success of the Stuxnet worm, a sophisticated software weapon that targeted and damaged Iranian uranium enrichment facilities, illustrates some of the challenges of waging cyber war. The source of Stuxnet is not known, although analysts said it is the work of a well-funded, long-term project. There is speculation that it was created by Israel and/or the United States. But although the worm appears to have succeeded in its mission, it also has spread around the world and is widely available for analysis.

“Whoever did Stuxnet should have learned a big lesson from it,” Clarke said. Unless developers want to give their secrets to everyone, they need to implement better time-to-live controls in cyber weapons.

Another challenge to waging cyber war is the ability to determine the source of attacks. Although there is growing evidence that other nations, most notably China, are involved in malicious cyber activities targeting U.S. resources, quickly and accurately attributing the source still is difficult, making responses tricky and putting a premium on defensive capability.

However, “we can have an offensive capability,” Clarke said. Attribution is “a significant but not insurmountable” problem.

On the defensive side, the need to continuously defend legacy systems has taken attention away from basic research into new, more secure infrastructure, Clarke said. “There are not a lot of people thinking about how to fundamentally change the systems.”

These new systems could take the form of separate networks for mission-critical activities, he said, either physically separated from existing infrastructure or using a different set of protocols from the TCP/IP now underlying the Internet and associated networks.

In the meantime, officials should look for and encourage new and innovative technologies being developed in entrepreneurial start-up companies and be careful about expanding the scope and functionality of existing networks too quickly.

“Don’t introduce new vulnerabilities” into your network by welcoming technologies such as powerful but unmanaged mobile devices, Clarke said. “Decrease the vulnerable surface” rather than expand it.

Finally, he advised, “realize you can’t defend your whole network. Figure out what you’ve got that really counts and concentrate on defending that.”

About the Author

William Jackson is a Maryland-based freelance writer.

Reader Comments

Wed, Sep 28, 2011

First of all, the advantage has always been with the offense in the cyber threat environment. Protecting against emerging threats and technology will always be a game of catch-up. The fact that effective defense is most often put in place "after the fact" should indicate a focus on detection, rapid response and, more importantly, trying to make any accessible data unusable through things like creative storage techniques and encryption. Also, let's not forget the internal threat. That has the potential for the most damage. There are solutions to be sure, but they might require a more hard-line approach to authorizations and access. Difficult problems, no quick fixes.

Tue, Sep 20, 2011

The attack surface is being increased exponentially as mobile hardware is now being used in tactical environments, classified facilities, etc. This equipment is manufactured by our primary nation-state adversary and has built-in GPS and (potentially) built-in phone-home capability. We aren't being remotely serious about security. We are inviting risk, not defending against it.

Mon, Sep 19, 2011 gatomalo Rhode Island

Stuxnet changed the face of warfare. Cyber warfare is very different from conventional warfare. A missile or aircraft takes time to respond; cyber warfare happens in seconds. We live with the UN charter that regulates the actions between states. So if someone launches a distributed denial of service attack, you are not supposed to retaliate with a nuclear missile into an industrial complex. The issue is one of proportionality. My 2 cents – gatoMalo_at_uscyberlabs_dot_com
