Clarke: Outdated cyber defense leaves US open to attack

• By William Jackson
• Sep 19, 2011

The nation’s cyber defenses now lag the capabilities of those attacking our online assets, leaving critical infrastructure and data vulnerable to increasingly sophisticated attacks, said former presidential adviser Richard Clarke.

The recent string of high-profile breaches of government and corporate IT systems illustrates the evolving threat landscape in which the advantage has shifted to the offense, Clarke told Government Computer News. “I don’t think it’s a rosy picture, for the government or the private sector,”

Most enterprises still rely on static, first-generation IT security tools to secure an increasingly porous and ill-defined perimeter and do not protect against a new generation of advanced persistent threats, Clarke said.

Related stories:

Advanced threats: The enemy is already within

IT security: Too big for government

“What it means is that attacks have gotten qualitatively better,” he said. “If someone wants to get into your network, they can get in. All the money you spent on antivirus software and firewalls won’t stop it.”

Those who want to get into U.S. networks often are well-financed criminal organizations or nation-states, which have siphoned terabytes of data in the past several years. “A lot of it is junk,” Clarke said. But a lot of proprietary corporate or mission-critical government information also has been gathered, damaging the nation’s security and economic competitiveness.

Clarke served on the National Security Council under presidents George H.W. Bush and Bill Clinton, and was special adviser on cybersecurity to President George W. Bush before leaving government in 2003 to join Good Harbor Consulting. He is joining the board of directors of Bit9, an application whitelisting security company whose endpoint security he says is an approach needed in government.

Clarke is a longtime critic of U.S. security policy and in 2010 with Robert K. Knake wrote “Cyber War: The Next Threat to National Security and What to do About It,” in which he wrote that cyber war is real and already has begun, and that the nation is not yet prepared to wage it.

He wrote that the country’s reliance on a high-tech critical infrastructure puts it at risk in this asymmetrical type of attack. “While it may appear to give America some sort of advantage, in fact cyber war places this country at greater jeopardy than it does any other nation.”

The apparent success of the Stuxnet worm, a sophisticated software weapon that targeted and damaged Iranian uranium enrichment facilities, illustrates some of the challenges of waging cyber war. The source of Stuxnet is not known, although analysts said it is the work of a well-funded, long-term project. There is speculation that it was created by Israel and/or the United States. But although the worm appears to have succeeded in its mission, it also has spread around the world and is widely available for analysis.

“Whoever did Stuxnet should have learned a big lesson from it,” Clarke said. Unless developers want to give their secrets to everyone, they need to implement better time-to-live controls in cyber weapons.

Another challenge to waging cyber war is the ability to determine the source of attacks. Although there is growing evidence that other nations, most notably China, are involved in malicious cyber activities targeting U.S. resources, quickly and accurately attributing the source still is difficult, making responses tricky and putting a premium on defensive capability.

However, “we can have an offensive capability,” Clarke said. Attribution is “a significant but not insurmountable” problem.

On the defensive side, the need to continuously defend legacy systems has taken attention away from basic research into new, more secure infrastructure, Clarke said. “There are not a lot of people thinking about how to fundamentally change the systems.”

These new systems could take the form of separate networks for mission-critical activities, he said, either physically separated from existing infrastructure or using a different set of protocols from the TCP/IP now underlying the Internet and associated networks.

In the meantime, officials should look for and encourage new and innovative technologies being developed in entrepreneurial start-up companies and be careful about expanding the scope and functionality of existing networks too quickly.

“Don’t introduce new vulnerabilities,” into your network by welcoming technologies such as powerful but unmanaged mobile devices, Clarke said. “Decrease the vulnerable surface” rather than expand it.

Finally, he advised, “realize you can’t defend your whole network. Figure out what you’ve got that really counts and concentrate on defending that.”