Securing your share of cyberspace

BOSTON – The federal government needs to set an example for industry and flex its $52-billion a year IT spending muscle to raise standards, so vendors build security into technology rather than rushing products to market. A concerted effort is needed from everyone who depends on the Internet, to take ownership, to look for and fix the vulnerability on individual networks. Otherwise, industry won’t flourish and the economy and the nation will remain at risk.

That’s what Richard Clarke, special advisor to the President for Cyberspace Security told attendees at the recent Next Generation Networks conference. While Clarke reiterated some previous themes on the public-private partnership outlined in the Bush administration’s National Strategy for securing cyberspace, he pointed to our collective responsibility to put a light on vulnerabilities that are known, specifying nine areas that need to be addressed. 

“It’s like the emperor’s new clothes, we don’t talk about it. IT will never reach its full promise until we address security. We need to do it in our job everyday,” says Clarke. “Don’t assume the level of threats-worms…etc., will be the level of future threats. As long as we have vulnerabilities, enemies will use these. Because the U.S. stands for equality, unity and justice, people will attack.”

With the U.S. economy as the engine for the world’s economy, the Federal government also needs to raise awareness on a global level to establish international cooperation for setting a common standard of what is and is not legal so that violators can be prosecuted, he says.

But Clarke stresses that strong action needs to start on the home front. While the government will continue its role in funding IT security research, the Bush administration has made a strong commitment with the President asking for $4.5 Billion, a 64% increase in security funds this year for Federal IT security.

The government plans to set the pace by only buying hardware and software that is certified by the National Infrastructure Assurance Council standards for ensuring that security has been built in from the ground up.

But with the Internet being an interdependent network of government, finance, manufacturing, etc., information systems, every dependency is obligated to secure their own piece of cyberspace by addressing nine vulnerability areas: 

The first is that a vendor build-in and customers demand routers and switches that are designed with security in mind, such as routers with capability to authenticate. These devices are shipped with passwords that are widely known and most often never changed, shipped with vulnerabilities that get exploited, Clarke says.

The next three security areas that Clarke says need addressing are the DNS, IPv6 protocols and Border Gateway Protocol vulnerability in the address security space. “There are firewalls and Intrusion detection systems that are widely deployed and not working with IPv6.”

Fifth on Clarke’s focus list is to think about the physical security of networks where critical collocated resources are located, that we add diversity and redundancy to secure these resources.  

The next vulnerability issue is in the move to increase speed on the backbone, that ISPs need to not just pass on packets, but have a responsibility to know what’s in the packets. An ISP needs to take responsibility, instead of passing along denial-of-service packets, and charging us for them, says Clarke. “They are actually making money,” and the government will help by funding this effort though using through Homeland Security research and development monies.

The seventh issue is a need develop a method to look at the state of the network, to get a holistic look at all of cyberspace, a synoptic, holistic, real-time view of the health of cyberspace, he says.

The eighth stumbling block to get over the belief that segmenting networks is a violation of religion. “We need ‘airgap’ networks,” says Clarke, such as the city of Chicago that has its own fiber, the stock market that is installing its own fiber, the department of energy, some banks, and intelligence agencies that have done the same. “We need to think seriously about what needs to be connected to the ‘network of networks.”

The final vulnerability area address is for having network systems that can adapt to new technologies, such as wireless systems and voice-over-IP systems, and avoid deploying these systems, and later discovering the insecurities.  Securing convergence technologies, and particularly against denial-of-service attacks needs to be addressed. The hardware and software needs to be made secure against these attacks with security that’s built in from the beginning.

Securing the Internet is a mission held in common, a general accountability, and responsibility that needs to be taken. With that action, Clarke also urges everyone to go to securecyberspace.gov to review the proposed security plan and give input.