Czar of Cyber Security Defends Easing of Rules

TIMES STAFF WRITERS

Federal cyber security czar Richard Clarke fired back Tuesday at critics who have lambasted his national strategy for cyberspace security as weak and meaningless, saying that government regulation would only make the problem worse.

“Why are we requesting that industry help us, rather than demanding it?” Clarke asked. “Industry frequently knows better than government about the [information technology] infrastructure.”

Clarke argued that the problem of cyber security is so complex that it defies a centralized approach. Any regulatory process would be outdated before it took force in the fast-moving world of technology.

The National Strategy to Secure Cyberspace, set for release today, and previewed Tuesday to some experts and members of the media, emphasizes recommendations for better security practices and guidelines for detecting and repelling hackers. It contains no proposals for tax incentives, regulations or legislation to compel businesses or other organizations to safeguard their networks, and thereby increase the nation’s overall cyber security.

Experts say there has been a litany of similar reports in recent years, and Clarke’s 65-page document adds few new ideas or incentives for industry to patch its security holes.

The Bush administration backed away from several tougher steps, including requiring Earthlink, America Online and other Internet service providers to include security technology with their software, said Michael A. Aisenberg, a director of public policy for VeriSign Inc., a leading security software firm.

White House officials also dropped plans to restrict the use of wireless networks because of rampant security holes, according to industry sources.

Critics have charged that Clarke abandoned those initiatives because of intense lobbying from technology firms, which have wanted to remain free of potentially costly government restrictions.

Clarke denied allegations of undue pressure but would not comment further on earlier drafts of the report.

Some leading security experts rejected the entire report as irrelevant.

“It’s not a law. Who cares what it says?” said Bruce Schneier, chief technology officer for Counterpane Internet Security, based in San Jose. “A bunch of voluntary recommendations won’t work,” given financial pressures in a down economy.

The report, which will be sent to the president in about two months, urges increased public awareness and personal responsibility as a way to create market pressure for better security products and services.

The strategy repeatedly mentions the vulnerability of America’s computer networks to cyber attacks by terrorists; much of the urgency behind the report was generated by fears that terrorist organizations may use cyberspace to enhance their attacks in the physical world--a point some security experts say has been vastly exaggerated by government officials.

But Clarke downplayed the terrorist threat as one among many.

“Stop worrying about threats and start worrying about vulnerabilities,” he said, noting that the perpetrators of many of the most destructive computer viruses and worms--such as Nimda, which was unleashed one year ago and caused billions of dollars of damage--have never been discovered.

“It doesn’t really matter if the person who attacked your operation is Al Qaeda ... a criminal cartel or a nation state,” Clarke added.

Alan Paller, research director for the Sans Institute, a cooperative nonprofit security research organization that works with industry and government agencies, applauded the new emphasis on vulnerabilities and praised the report as a good first step.

But he remains skeptical that a purely voluntary approach will have enough impact in the long run.

Cyber attacks are increasing year by year, despite prior warnings, in part because “whenever there is a perceived conflict between self interest and the national interest, industry has acted in its self interest,” he said.

*

Piller reported from San Francisco, Shiver from Washington.
