One of the most interesting lectures at the Sixth National Colloquium on Information Systems Security Education last month in Seattle was given by Dick Clarke, special advisor to the president on cyberspace security.
He said cyberspace security will depend primarily on the private sector and that academia will play a vital role, through research and education, in raising the level of security in the U.S.
Clarke began his federal service in 1973 in the Office of the Secretary of Defense as an analyst on nuclear weapons and European security issues. Last October, he was appointed to his current post, where he coordinates interagency efforts to secure information systems, particularly in the event of a disruption. He strongly supports the private sector, which owns and operates the vast majority of America's critical infrastructure.
Clarke said this year has seen many changes in security thinking. After the events of last September, security rose to top priority in everyone's mind. However, he opposes the use of the word "cyberterrorism" because it suggests that known terrorist groups will use information warfare techniques against us.
This is a limitation in our thinking, according to Clarke. We have never seen terrorist groups apply information warfare against us. They use it for communications and recruitment, but never for direct attacks.
In any case, it doesn't matter who's causing damage to our information infrastructure. We're never going to be able to tell people in advance on a consistent basis who's going to attack what, when and how - so let's worry about the vulnerabilities, not the threats. Clarke asserted that private-sector organizations don't need to wait for the intelligence services to find attackers. Do your vulnerability analysis, rank the vulnerabilities, and start solving the problems step by step.
"The problem is yours, not ours. It's a problem where law enforcement, the military and the government cannot secure your systems. We're never going to allow the FBI or the U.S. Army to tell a bank how to configure their networks," Clarke said.
As for federal government efforts, after 9/11 agencies examined the vulnerability assessments for a number of agencies and discovered that many of them were _not_ planning for remediation. The requests were sent back to the agencies and the result is a 64% increase in IT security spending - a $4.5 billion increase in the budget. So, there's going to be a significant spike in security spending this fall as the budgets move through the process.
In the next article, I'll report on Clarke's comments about the role of higher education in national information assurance.
M. E. Kabay, Ph.D., CISSP, is Associate Professor in the Department of Computer Information Systems at Norwich University in Northfield, Vt. Mich can be reached by e-mail and his Web site.
