My post from March 5 about cybersecurity experts anticipating a "Pearl Harbor"-level attack on computer networks sparked considerable discussion from readers.
The post concerned a cybersecurity panel discussion at the RSA Conference 2010 featuring some heavy-hitters in the field: Michael Chertoff, former secretary of the Department of Homeland Security; Richard Clarke, a partner in Good Harbor Consulting and former presidential security adviser; and, representing privacy concerns in the security debate, Marc Rotenberg, executive director of the Electronic Privacy Information Center.
Microsoft also came up in the discussion.
The gist of my report was that the panel, primarily Clarke and Chertoff, felt not enough is being done to protect cyberspace from hackers or the threat of cyberwar.
"We have no public strategy about how to fight a cyberwar. In fact I don't think we have a private strategy either," said Clarke. "We've got to start talking about this," added Chertoff, who warned that it may take the cyber equivalent of the Pearl Harbor attack on the U.S. of 1941 to wake us up.
This prompted one reader to write a comment titled "red herrings": "A cyber 'Pearl Harbor?' sounds like the security industry is using hyperbole to try to get some government 'attention' (read: public funds)."
To be sure, the panel was addressing a convention of network security vendors, so you might expect they'd try to inspire the troops. You would expect a cybersecurity vendor to hype the need for security at a security convention the same way a car alarm salesman would inspire the audience at a car alarm makers convention. Fair enough, anonymous poster, alarms about cybersecurity risks from those who might benefit from increased cybersecurity spending should be taken with a grain of salt.
But a look back at a scene on President George W. Bush's ranch in August 2001 shows the danger of not taking threats seriously. When presented with a classified report titled "Bin Laden determined to strike inside the U.S.," Bush told the aides, "Okay, you've covered your ass now."
Another commentor pointed out a conflict of interest involving Chertoff that wasn't brought up in the panel discussion. After the thwarted terrorism bombing of an airliner headed for Detroit on Christmas Day, 2009, Chertoff made the rounds of several media outlets arguing for adoption of the full-body scanner at airports as an added security measure to catch the next underwear bomber. Only when he got to CNN was he forced to admit that one of the clients of his new Chertoff Group security consulting firm was a California company called Rapidscan. Wanna guess what they make? Full-body scanners.
Although the RSA discussion was about cybersecurity, not airport security, I noticed that panel moderator, Forbes magazine National Editor Quentin Handy, didn't introduce the panelists to the audience. True, they were all pretty well known and their names and titles were in the conference program, but that might have been an opportunity for fuller disclosure of the panelists ties to the cybersecurity industry. Clarke's consulting firm has aviation and cybersecurity clients among others. Disclosure is always good.
Lastly, commenter "Mach C" wrote that I overlooked the best part of the presentation, a proposal by Clarke for collaboration among nations to secure cyberspace.
"You could have an international treaty that puts an obligation on every country to police its own cyberspace," a move that he said would deal with the thorny issue of "attribution," the difficulty of identifying exactly who orchestrated a cyberattack. It wouldn't matter if a foreign government launched an attack or whether individual criminals did, he said; if it was traced to their country, they'd have to do something about it
"We talk to Russia and China about lots of things," Clarke said, referring to two countries he says either conduct or condone cyberattacks launched from within their borders. "But we don't ever make this a big issue and we've never tried to structure an international solution getting any other countries involved."
There were a lot of good points made in that presentation including that one. It's the writer's lament: "Too much information, too little space."
One other clarification: In my earlier post I mentioned that Clarke was an advisor to Presidents Clinton and Bush 43, but not that he also served as a counter-terrorism adviser to Bush 41, George H.W. Bush.