Clarke: Outdated cyber defense leaves US open to attack

Featured eBooks
The State of Trust in Government
Cybersecurity in State and Local Government
Building Data Literacy in the State and Local Workforce
By William Jackson
 

Connecting state and local government leaders

By William Jackson

|

Former presidential adviser Richard Clarke says cybersecurity has been static in both the public and private sectors and that "if someone wants to get into your network, they can get in."

The nation’s cyber defenses now lag the capabilities of those attacking our online assets, leaving critical infrastructure and data vulnerable to increasingly sophisticated attacks, said former presidential adviser Richard Clarke.

The recent string of high-profile breaches of government and corporate IT systems illustrates the evolving threat landscape in which the advantage has shifted to the offense, Clarke told Government Computer News. “I don’t think it’s a rosy picture, for the government or the private sector,”

Most enterprises still rely on static, first-generation IT security tools to secure an increasingly porous and ill-defined perimeter and do not protect against a new generation of advanced persistent threats, Clarke said.

Related stories:

Advanced threats: The enemy is already within

IT security: Too big for government

“What it means is that attacks have gotten qualitatively better,” he said. “If someone wants to get into your network, they can get in. All the money you spent on antivirus software and firewalls won’t stop it.”

Those who want to get into U.S. networks often are well-financed criminal organizations or nation-states, which have siphoned terabytes of data in the past several years. “A lot of it is junk,” Clarke said. But a lot of proprietary corporate or mission-critical government information also has been gathered, damaging the nation’s security and economic competitiveness.

Clarke served on the National Security Council under presidents George H.W. Bush and Bill Clinton, and was special adviser on cybersecurity to President George W. Bush before leaving government in 2003 to join Good Harbor Consulting. He is joining the board of directors of Bit9, an application whitelisting security company whose endpoint security he says is an approach needed in government.

Clarke is a longtime critic of U.S. security policy and in 2010 with Robert K. Knake wrote “Cyber War: The Next Threat to National Security and What to do About It,” in which he wrote that cyber war is real and already has begun, and that the nation is not yet prepared to wage it.

He wrote that the country’s reliance on a high-tech critical infrastructure puts it at risk in this asymmetrical type of attack. “While it may appear to give America some sort of advantage, in fact cyber war places this country at greater jeopardy than it does any other nation.”

The apparent success of the Stuxnet worm, a sophisticated software weapon that targeted and damaged Iranian uranium enrichment facilities, illustrates some of the challenges of waging cyber war. The source of Stuxnet is not known, although analysts said it is the work of a well-funded, long-term project. There is speculation that it was created by Israel and/or the United States. But although the worm appears to have succeeded in its mission, it also has spread around the world and is widely available for analysis.

“Whoever did Stuxnet should have learned a big lesson from it,” Clarke said. Unless developers want to give their secrets to everyone, they need to implement better time-to-live controls in cyber weapons.

Another challenge to waging cyber war is the ability to determine the source of attacks. Although there is growing evidence that other nations, most notably China, are involved in malicious cyber activities targeting U.S. resources, quickly and accurately attributing the source still is difficult, making responses tricky and putting a premium on defensive capability.

However, “we can have an offensive capability,” Clarke said. Attribution is “a significant but not insurmountable” problem.

On the defensive side, the need to continuously defend legacy systems has taken attention away from basic research into new, more secure infrastructure, Clarke said. “There are not a lot of people thinking about how to fundamentally change the systems.”

These new systems could take the form of separate networks for mission-critical activities, he said, either physically separated from existing infrastructure or using a different set of protocols from the TCP/IP now underlying the Internet and associated networks.

In the meantime, officials should look for and encourage new and innovative technologies being developed in entrepreneurial start-up companies and be careful about expanding the scope and functionality of existing networks too quickly.

“Don’t introduce new vulnerabilities,” into your network by welcoming technologies such as powerful but unmanaged mobile devices, Clarke said. “Decrease the vulnerable surface” rather than expand it.

Finally, he advised, “realize you can’t defend your whole network. Figure out what you’ve got that really counts and concentrate on defending that.”

 

NEXT STORY: Does keeping cyberattacks secret endanger US?

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.