15 February 2002
Source:
http://usinfo.state.gov/cgi-bin/washfile/display.pl?p=/products/washfile/latest&f=02021402.tlt&t=/products/washfile/newsitem.shtml
US Department of State
International Information Programs
Washington File
_________________________________
14 February 2002
(NSC staff aide shares his views with Senate Judiciary Committee) (990)

By Jeff Wynne
Washington File Staff Writer

Richard Clarke, White House special advisor for Cyberspace Security, met February 13 with the Senate Judiciary subcommittee on Administrative Oversight and the Courts to discuss the status of cyberspace security in the United States.

Senator Charles Schumer (Democrat-New York), chairman of the subcommittee, described the answers to the questions he has researched about cybersecurity as "very, very worrisome." Access to servers, networks, digital controls, air traffic control, and entire regional power grids is entirely too easy, he said.

Schumer said these problems must be fought on two fronts. First, the United States must protect against physical vulnerability, in other words, the fact that the hardware (servers, networks, cables) is amassed in very few places. The Senator used the example of last year's train accident in Baltimore that slowed considerably the Internet traffic in Chicago. Furthermore, all the fiber optic cables that traverse the Atlantic Ocean come together in only one or two places on Manhattan Island.

Secondly, the U.S. must protect against technological vulnerability. Both the public and private sector must safeguard themselves against viruses that affect or have the capability to shut down commerce. The last four viruses have caused over $12 billion worth of damage. One virus in particular took down over 350,000 servers.

In his briefing for the committee, White House advisor Clarke outlined what the Critical Infrastructure Board has done in the past 90 days to begin strengthening cybersecurity. The Critical Infrastructure Board is composed of 10 operating committees and 23 federal agencies. Like the Homeland Security Council, the Critical Infrastructure Board coordinates the cybersecurity activities of government agencies already underway.

Clarke outlined 10 programs that have been implemented or adjusted in the past 90 days:

-- A national strategy for cybersecurity in accordance with the private sector and the academic community. This strategy will be formulated through an open, transparent process. The result will be a living document that can change as rapidly as Internet technology.

-- The President's proposed FY-2003 budget includes a dramatic 64% increase for network security, now approaching about $4 billion.

-- A fundamental change of thinking has occurred within IT firms to alter products to give more attention to security.

-- Security of IT Internet Services has also improved.

-- Due to the Critical Infrastructure Board, bureaucracies are coordinated better and are working together more closely now.

-- Implementation of a "Cybercorps", or IT security scholarships, granted by the government. These scholarships work toward a bachelor's or master's degree in IT security. For every year of scholarship granted, one year of service in the federal government is required.

-- Implementation of a cyberintelligence warning network to bring to light extraordinary and specific vulnerabilities in the cyber system. This information is shared between the public and private sector.

-- Over 150 private IT companies are working together to further enhance cybersecurity.

-- Implementation of a modeling and simulation center to plan reactions to attacks on the cyber system and failure of cybersecurity.

-- Implementation of a cyberspace security public campaign, with help from such IT firms as AOL, Cisco, and Microsoft, to educate, warn, and prevent the public from cyberspace attacks.

Clarke said he prefers not to use the term "cyberterrorism", but instead favors use of the term "information security" or "cyberspace security". Most terrorist groups have not engaged in information warfare, Clarke said, except for some very minor infractions. Instead, terrorist groups have thus far only used the Internet for propaganda, communications, or fundraising.

Instead of concentrating on who may engage in information warfare, Clarke said, one must concentrate on the vulnerabilities of cyberspace security. The spectrum of who can hack into vital information systems is enormous. It can range from a 14-year-old boy to a nation-state. So worrying about who could do such a thing is much less efficient than taking care of cyberspace vulnerabilities.

Clarke also pointed out the extreme significance of the cyberspace infrastructure. In the past ten years, every sector of the U.S. economy and government has moved onto network systems. Everybody relies on networks, and nothing can operate unless the networks are functioning correctly. However, Clarke said, none of these things were designed "with security in mind."

In the private sector, the amount of money spent on IT security is roughly .0025% of total revenue, said Clarke. That is less than the amount of money spent on coffee in the same companies. There is "lots of low hanging fruit," said Clarke, meaning there are many very easy things that can be done to disrupt the cyber system.

Changes need to be made. One example is Microsoft. Bill Gates, head of Microsoft, ordered his company to stop writing and designing new products for 30 days, Clarke said. Instead, the company must retool their existing products to become more secure. Even if 30 days does not seem to be long enough to accomplish that task, it will make program designers concentrate more on security when writing future products.

To illustrate the possible effect of a cyber attack, Clarke pointed to his discussion with the CEO of a major railroad company. Even an enterprise as old as railroads is based on electronic controls. The company's network lets them know the necessary information of where every train and boxcar is at every minute. If this network were attacked and the relaying of information stopped, the CEO said that he would be forced to order every train to stop, completely devastating the railroad system.

Senator Schumer noted that if this were the expected effect for a railroad company, the effects of a network shutdown of a regional power grid or an air traffic control grid would be staggering.

(The Washington File is a product of the Office of International Information Programs, U.S. Department of State. Web site: http://usinfo.state.gov)