Patching Holes in the Net

TIMES STAFF WRITER

Cyberspace security often seems reminiscent of the movie “Groundhog Day,” in which a TV weatherman played by Bill Murray wakes up and relives the same day over and over.

After each massively disruptive software infection or hacking episode, users and computer administrators briefly get security religion, swearing that this time they really will take precautions and get things fixed. But such vigilance soon returns to sleepy complacency, only to be followed by a rude awakening with the next big breach.

Richard A. Clarke, appointed in October as a special advisor to President Bush on cyberspace security and chairman of the newly established Critical Infrastructure Protection Board, is at the heart of the government’s efforts to interrupt that cycle and guard against online crime and mischief. He reports to both National Security Advisor Condoleezza Rice and Thomas J. Ridge, head of the new Office of Homeland Security.

The need for Internet security is huge. Analysts estimate that attacks by hackers cost American businesses billions of dollars annually in lost revenue and productivity. And since Sept. 11, security experts have warned that terrorist hackers may be targeting U.S. commerce, telecommunications and utility grids.

Officials hope America’s new security consciousness will lead to real improvements in online security.

Clarke--a veteran national security and counter-terrorism expert who has served four presidential administrations--has a strong background to lead that charge. But with no authority to enforce new security practices or policies, he must rely on moral suasion and the power of the White House. Clarke talked with The Times about key priorities for Internet security.

*

Question: Government and private industry networks seem wide open to cyber attacks from hackers. What are the keys to improving the situation?

Answer: The first step is to admit we have problems. A lot of people in the private sector and the government haven’t been willing to admit that until recently. Part of the reason is that they assumed that a certain amount of disruption in their information technology--IT--systems was a cost of doing business, and a cost that they could afford.

In the last six to nine months, the costs have gotten much higher. The sophistication and frequency of viruses, worms and denial-of-service attacks, as well as hacks, has gotten to the point where everyone realizes that we can’t afford the level of damage that is being done. And in the wake of Sept. 11, it’s not just a matter of damage that has been done in the past but the possibility of much greater damage in the future.

The second step is to develop a partnership between the private sector and the government.

*

Q: You recently said that on average, corporations spend only about .0025% of revenue on IT security--less than they spend on coffee for employees. How much should industry be spending on improvements?

A: There’s not a direct, one-to-one correlation between how much money you spend and what you get for it. But every manager, every CEO, every member of a board of corporate directors ought to ask themselves, “How much importance are we giving to IT security?”

*

Q: Given your small staff and lack of direct control over federal agencies’ policies, how will you push the agenda?

A: The president created the Critical Infrastructure Protection Board in October. That board is made up of senior people from various federal departments.... [On the advice of that board], this year, for the first time, departments had their budgets returned to them by the White House and were instructed to increase the amount of funding for IT security. As a result, the overall federal budget for 2003 has a 64% increase for IT security [to $4 billion].

*

Q: Will that be sufficient to make major improvements in the government’s cyber security?

A: It will take that level of investment for several years before we are feeling more comfortable.

*

Q: Would it be fair to say that the hundreds of security holes in Microsoft’s nearly ubiquitous software products pose the biggest computer security threat today?

A: Microsoft [recently] made a decision to change the way they do business, to make IT security the No. 1 design criterion and subordinate other functionality to security in future products.

A lot of people greet that announcement with cynicism and doubt because of the problems that Microsoft has had in the past with security. It would be more constructive if we all said that we welcome the new policy and will work with them to make sure it happens. Because you’re right--given the ubiquity of Microsoft software, if there are problems in Microsoft, there are problems throughout our infrastructure.

*

Q: What should Microsoft do differently?

A: All software manufacturers need to design security into their products rather than [putting] it on as an afterthought. Default settings should have unnecessary programs and functions turned off. Things should come out of the box with high security settings--the customer would have to make an intentional decision to lower the security.... Any software company now that brings products to market riddled with security vulnerabilities risks losing market share.

*

Q: Yet given Microsoft’s monopolies, competitive pressures haven’t done much to improve its security record. Should the government require security reviews or product certification?

A: When the federal government gets into regulation, it frequently gets ham-handed, and out of a wealth of good intentions becomes clumsy and counterproductive.

*

Q: You’ve been a big backer of GovNet--the plan to create a super-secure, government-only network. What are its advantages?

A: Think of GovNet as a question rather than as a program. Are there functions so critical that you don’t want them connected to a worldwide network that anyone can get into?... Where has it been written that the control of the electric power grid should be dependent on the Internet?

*

Q: Much of the power grid management system is already separate from the Internet, so why is this a problem?

A: Electric power generation, distribution and transmission systems, because of deregulation, are increasingly using Internet connectivity. Even when they think they have networks that are not connected to the Internet, when we do security audits we find out that they are connected--for diagnostic purposes, repair purposes.... In general, there are some functions that are so critical that [they should be on a separate] system. That’s what we’re exploring.
