Clarke: Outdated cyber defense leaves US open to attack
- By William Jackson
- Sep 19, 2011
The nation’s cyber defenses now lag the capabilities of those
attacking our online assets, leaving critical infrastructure and data
vulnerable to increasingly sophisticated attacks, said former
presidential adviser Richard Clarke.
The recent string of high-profile breaches of government and
corporate IT systems illustrates the evolving threat landscape in which
the advantage has shifted to the offense, Clarke told Government
Computer News. “I don’t think it’s a rosy picture, for the government or
the private sector.”
Most enterprises still rely on static, first-generation IT security
tools to secure an increasingly porous and ill-defined perimeter and do
not protect against a new generation of advanced persistent threats,
Clarke said.
“What it means is that attacks have gotten qualitatively better,” he
said. “If someone wants to get into your network, they can get in. All
the money you spent on antivirus software and firewalls won’t stop it.”
Those who want to get into U.S. networks often are well-financed
criminal organizations or nation-states, which have siphoned terabytes
of data in the past several years. “A lot of it is junk,” Clarke said.
But a lot of proprietary corporate or mission-critical government
information also has been gathered, damaging the nation’s security and
economic competitiveness.
Clarke served on the National Security Council under presidents
George H.W. Bush and Bill Clinton, and was special adviser on
cybersecurity to President George W. Bush before leaving government in
2003 to join Good Harbor Consulting. He is joining the board of
directors of Bit9, an application whitelisting security company, whose
endpoint security approach he says is one the government needs.
Clarke is a longtime critic of U.S. security policy and in 2010 with
Robert K. Knake wrote “Cyber War: The Next Threat to National Security
and What to Do About It,” in which he wrote that cyber war is real and
already has begun, and that the nation is not yet prepared to wage it.
He wrote that the country’s reliance on a high-tech critical
infrastructure puts it at risk in this asymmetrical type of attack.
“While it may appear to give America some sort of advantage, in fact
cyber war places this country at greater jeopardy than it does any other
nation.”
The apparent success of the Stuxnet worm,
a sophisticated software weapon that targeted and damaged Iranian
uranium enrichment facilities, illustrates some of the challenges of
waging cyber war. The source of Stuxnet is not known, although analysts
said it is the work of a well-funded, long-term project. There is
speculation that it was created by Israel and/or the United States. But
although the worm appears to have succeeded in its mission, it also has
spread around the world and is widely available for analysis.
“Whoever did Stuxnet should have learned a big lesson from it,”
Clarke said. Unless developers want to give their secrets to everyone,
they need to implement better time-to-live controls in cyber weapons.
Another challenge to waging cyber war is the ability to determine the
source of attacks. Although there is growing evidence that other
nations, most notably China, are involved in malicious cyber activities
targeting U.S. resources, quickly and accurately attributing the source
still is difficult, making responses tricky and putting a premium on
defensive capability.
However, “we can have an offensive capability,” Clarke said. Attribution is “a significant but not insurmountable” problem.
On the defensive side, the need to continuously defend legacy systems
has taken attention away from basic research into new, more secure
infrastructure, Clarke said. “There are not a lot of people thinking
about how to fundamentally change the systems.”
These new systems could take the form of separate networks for
mission-critical activities, he said, either physically separated from
existing infrastructure or using a different set of protocols from the
TCP/IP now underlying the Internet and associated networks.
In the meantime, officials should look for and encourage new and
innovative technologies being developed in entrepreneurial start-up
companies and be careful about expanding the scope and functionality of
existing networks too quickly.
“Don’t introduce new vulnerabilities” into your network by welcoming
technologies such as powerful but unmanaged mobile devices, Clarke
said. “Decrease the vulnerable surface” rather than expand it.
Finally, he advised, “realize you can’t defend your whole network.
Figure out what you’ve got that really counts and concentrate on
defending that.”
About the Author
William Jackson is a Maryland-based freelance writer.