15 February 2002
Source: http://usinfo.state.gov/cgi-bin/washfile/display.pl?p=/products/washfile/latest&f=02021402.tlt&t=/products/washfile/newsitem.shtml


US Department of State
International Information Programs

Washington File
_________________________________

14 February 2002

White House Advisor Richard Clarke Briefs Senate Panel on Cybersecurity

(NSC staff aide shares his views with Senate Judiciary Committee)
(990)
By Jeff Wynne
Washington File Staff Writer

Richard Clarke, White House special advisor for Cyberspace Security,
met February 13 with the Senate Judiciary subcommittee on
Administrative Oversight and the Courts to discuss the status of
cyberspace security in the United States.

Senator Charles Schumer (Democrat-New York), chairman of the
subcommittee, described the answers to the questions he has researched
about cybersecurity as "very, very worrisome." Access to servers,
networks, digital controls, air traffic control, and entire regional
power grids is entirely too easy, he said.

Schumer said these problems must be fought on two fronts. First, the
United States must protect against physical vulnerability, in other
words, the fact that the hardware (servers, networks, cables) is
amassed in very few places. The Senator used the example of last
year's train accident in Baltimore that slowed considerably the
Internet traffic in Chicago. Furthermore, all the fiber optic cables
that traverse the Atlantic Ocean come together in only one or two
places on Manhattan Island.

Secondly, the U.S. must protect against technological vulnerability.
Both the public and private sector must safeguard themselves against
viruses that affect or have the capability to shut down commerce. The
last four viruses have caused over $12 billion worth of damage. One
virus in particular took down over 350,000 servers.

In his briefing for the committee, White House advisor Clarke outlined
what the Critical Infrastructure Board has done in the past 90 days to
begin strengthening cybersecurity. The Critical Infrastructure Board
is composed of 10 operating committees and 23 federal agencies. Like
the Homeland Security Council, the Critical Infrastructure Board
coordinates the cybersecurity activities of government agencies
already underway.

Clarke outlined 10 programs that have been implemented or adjusted in
the past 90 days:

-- A national strategy for cybersecurity in accordance with the
private sector and the academic community. This strategy will be
formulated through an open, transparent process. The result will be a
living document that can change as rapidly as Internet technology.

-- The President's proposed FY-2003 budget includes a dramatic 64%
increase for network security, now approaching about $4 billion.

-- A fundamental change of thinking has occurred within IT firms to
alter products to give more attention to security.

-- Security of IT Internet Services has also improved.

-- Due to the Critical Infrastructure Board, bureaucracies are
coordinated better and are working together more closely now.

-- Implementation of a "Cybercorps", or IT security scholarships,
granted by the government. These scholarships work toward a bachelor
or master's degree in IT security. For every year of scholarship
granted, one year of service in the federal government is required.

-- Implementation of a cyberintelligence warning network to bring to
light extraordinary and specific vulnerabilities in the cyber system.
This information is shared between the public and private sector.

-- Over 150 private IT companies are working together to further
enhance cybersecurity.

-- Implementation of a modeling and simulation center to plan
reactions to attacks on the cyber system and failure of cybersecurity.

-- Implementation of a cyberspace security public campaign, with help
from such IT firms as AOL, Cisco, and Microsoft, to educate, warn, and
prevent the public from cyberspace attacks.

Clarke said he prefers not to use the term "cyberterrorism", but
instead favors use of the term "information security" or "cyberspace
security". Most terrorist groups have not engaged in information
warfare, Clarke said, except for some very minor infractions. Instead,
terrorist groups have thus far only used the Internet for propaganda,
communications, or fundraising.

Instead of concentrating on who may engage in information warfare,
Clarke said, one must concentrate on the vulnerabilities of cyberspace
security. The spectrum of who can hack into vital information systems
is enormous. It can range from a 14-year-old boy to a nation-state. So
worrying about who could do such a thing is much less efficient than
taking care of cyberspace vulnerabilities.

Clarke also pointed out the extreme significance of the cyberspace
infrastructure. In the past ten years, every sector of the U.S.
economy and government has moved onto network systems. Everybody
relies on networks, and nothing can operate unless the networks are
functioning correctly. However, Clarke said, none of these things were
designed "with security in mind."

In the private sector, the amount of money spent on IT security is
roughly .0025% of total revenue, said Clarke. That is less than the
amount of money spent on coffee in the same companies.

There is "lots of low hanging fruit," said Clarke, meaning there are
many very easy things that can be done to disrupt the cyber system.
Changes need to be made.

One example is Microsoft. Bill Gates, head of Microsoft, ordered his
company to stop writing and designing new products for 30 days, Clarke
said. Instead, the company must retool their existing products to
become more secure. Even if 30 days does not seem to be long enough to
accomplish that task, it will make program designers concentrate more
on security when writing future products.

To illustrate the possible effect of a cyber attack, Clarke pointed to
his discussion with the CEO of a major railroad company. Even an
enterprise as old as railroads is based on electronic controls. The
company's network lets them know the necessary information of where
every train and boxcar is at every minute. If this network were
attacked and the relaying of information stopped, the CEO said that he
would be forced to order every train to stop, completely devastating
the railroad system.

Senator Schumer noted that if this were the expected effect for a
railroad company, the effects of a network shutdown of a regional
power grid or an air traffic control grid would be staggering.

(The Washington File is a product of the Office of International
Information Programs, U.S. Department of State. Web site:
http://usinfo.state.gov)