But Richard Clarke, the newly appointed special adviser to the president for cybersecurity, is one of those few.
Leading the government's charge to secure critical components of the Internet, Clarke doesn't think the past is any indication of what might happen in the future. As more companies put increasingly important data on the Internet, Clarke thinks it's only a matter of time before an individual or group takes advantage of the United States' poor security.
That's why the secretary of homeland security, Thomas Ridge, appointed Clarke as the cyberterrorism czar, making him responsible for finding weaknesses in the Internet and ensuring they aren't exploited.
The role is a familiar one for Clarke, who served under President Clinton as the national coordinator for security, infrastructure protection and counterterrorism. On the National Security Council staff since 1992, he has handled the reform and reduction in the cost of U.N. peacekeeping, the restoration of democracy in Haiti, Persian Gulf security, and international crime control in his role as special assistant to the president for global affairs.
CNET News.com tracked down Clarke just before his speech at Microsoft's Trusted Computing Conference to talk to the presidential adviser about the proposal for a separate "Govnet," cyberterrorism, and how to protect the Internet in a newly uncertain world.
Q: When you announced Govnet, it was a project that you had been talking about for a while. Are you essentially saying that you can't secure the Internet?
A. No. What I am saying is that for some federal agencies, they may want to put some of their mission-critical, private communications--their intranet--onto a system that is not going to be as subjected to viruses and worms, and not be subjected at all to denial-of-service attacks.
Several government agencies have it already to a limited degree. The Department of Energy has three national laboratories on a private line. It is something that the government has in the past gone away from because it was too expensive. I think we may be at a time when we can return to that and not have it be too expensive. But it is only for internal communications...and each agency that chooses to participate would have its own LAN (local area network) and its own fiber. So it's not for multiple-agency communications.
So it wouldn't be connecting two agencies together or various government agencies?
No. It's not meant to replace the Internet. The kind of system we have in mind is akin to what I have on my desk now. I've got three PCs on my desk right now and one monitor. By using Shift-F1, -F2, -F3, I switch between networks; two of those networks are closed and the other is the Internet.
The key is to make sure that your own network doesn't touch somebody else's routers or a public switch. You can do a better job monitoring the activity on the network because you can tell all your employees, "We will be monitoring your activity on this net," and you have a higher standard of security access.
A virus is unlikely to get onto a closed-loop network like that as rapidly as it goes around the Internet. It's still possible to get a virus on the (intranet), but it will be hours, if not days, after it was loosed in the wild. During that time, you are going to be able to filter the viruses out, develop an antivirus program, change your antivirus files--and you will catch it. So there are certain protections in terms of reliability and security that you get that you wouldn't get on a public system.
After Sept. 11 there has been a lot of focus on cybersecurity, even though to my knowledge there has been no connection between what happened and the Internet. So as we are talking about terrorists and people who might want to attack the critical infrastructure, what does the United States have to do to protect its information-technology infrastructure?
A number of things. And it's not the kind of thing that you solve, and you've solved it. So we have to make some long-term investments because this is a problem that is going to be with us for a long time. Some investments won't bear fruit for a while. Then there are some short-term investments.
I think the most critical thing we need to do is increase our investments in training, education and awareness programs. That does two things: One, it gives us more trained IT and security personnel. All of our studies in the government and the private sectors say there is a relative dearth compared to the real need. Where the awareness part gets us is, the manager, system administrators and individuals who use systems (should be)...conscious of the risks of not using good security practices, (such as) not changing passwords, not updating their antivirus software, not updating operating-system patches or application patches. Ninety percent of the hacks on government systems occur because people haven't updated the patches on their operating systems or applications. So we can buy a lot in terms of the number of attacks by doing things like that. The No. 1 priority is training, education and awareness.
After that, we need to start thinking about what the network is today and where the network will be in three to five years. It's hard to affect security on systems that are already deployed and don't have security built in. What we'd like to be able to do is work with the industry and see where networks, hardware and software are going over the next three to five years, and to begin to identify the potential security vulnerabilities in these new systems and the evolving systems--start working now to identify those vulnerabilities and fix them before they go to market.
Page 1 | 2