Does the President's Special Advisor on security really understand the issues security professionals are dealing with?
Clarke's use of the term "Digital Pearl Harbor" is purely sensationalist rhetoric.
Unfortunately, when watching these presentations and testimonies, one starts to wonder how well Clarke truly understands the reality of the world's cyber-security situation - which is a frightening prospect given that he's the top cyber-cop in the nation and has President Bush's ear on the subject.
For example, last month, in a speech at George Mason University, Clarke declared that: "Digital Pearl Harbors are happening every day, and are happening to companies all across the country." He then noted that IT security events cost the national economy upwards of $15 billion in 2001.
A "Digital Pearl Harbor" Happens Every Day?
This claim is problematic in so many ways, it's hard to know where to start. But I'll try. First of all, how does one define such an event? We all know that networks get probed and scanned, and servers get pinged and defaced on a daily basis, but does that constitute a "Digital Pearl Harbor"? Whenever I hear that term used - particularly by government representatives - it automatically leads me to believe that the person speaking doesn't know what they are talking about.
Pearl Harbor is used as a touchstone of cataclysmic events for a reason. Not only did it have entail enormous loss, damages and casualties, it also serves as a crucial moment in history. If one looks at December 7, 1941 or September 11, 2001, it is clear that a digital event of the same magnitude would be major socio-political event. If such an event occurred, we wouldn't need a government mouthpiece to tell us about it. Even with the seemingly endless litany of Windows-based worms and viruses plaguing the Internet, nothing has come close to that level of electronic decimation, although Clarke claims is happening on a daily basis. Clarke's use of the term "Digital Pearl Harbor" is purely sensationalist rhetoric. Using it as flippantly and regularly as he does is not only inaccurate, it is also irresponsible and negligent.
Does his use of the term mean Clarke views such worms, viruses, and defacements as major security events? If so, we've got the wrong man for the job of developing national cyber-security strategies. The only thing he's doing is fear-mongering and, by doing so, obscuring the true issues we need to focus on.
A Brief Performance Review
Looking at Clarke's performance so far supports the position that he might not be the right man for the job. As readers will note, some of his major proposals to date show they're based on anything but reality.
In June 2001, Clarke suggested to industry leaders that in the interest of ensuring higher software security, products should automatically update themselves as necessary, regardless if whether the user - a corporation or consumer - wants the update. The goal of this idea is to reduce the number of viruses and worms circulating around the net.
While this sounds good on paper, what about those IT environments with existing security measures and strict change-control procedures? Will they have to redesign their corporate policies to comply with such call-home product features? More importantly, or perhaps more worrisome, what about the fact that such functionality would violate a cardinal rule of security: namely letting a remote party take automatic, arbitrary, and trusted control of a system. Aside from the fact that Clarke is essentially asking conscientious security professionals to accept something completely contrary to best security practices, having software constantly "calling home" to a "trusted root server" and updating itself within an organization is akin to the government mandating a single point of failure.
You Will be Hacked...and What's More, You'll Deserve It
More recently, at a San Jose conference on February 19, he accused industry leaders of spending more on coffee than on security. He then went on to famously say "You will be hacked...and what's more, you'll deserve it."
He's right, of course. Yet, rather than working to encourage corporate information security to prevent potentially catastrophic incidents, Clarke is working with insurance companies to develop "Cyber-security coverage" for companies that fall victim to cyber-attack.
This indicates a certain helpless fatalism. It is as though the top cop in the land, faced with increasing security threats, has thrown up his hands in surrender. The real issue, which Clarke does not seem to grasp, is that by the time the insurance company has been called in, the damage has been done. Besides, the loss of certain things simply cannot be insured against: proprietary information, corporate reputation, and customer trust being just a few (let alone civil unrest, economic loss, or mass casualties resulting from such potential incidents).
And these are the concerns of corporations alone. What if, as Clarke and his Homeland Security cronies are fond of telling the media, cyber-terrorists are able to successfully launch a fatal attack against a critical infrastructure? Does Mr. Clarke think that insurance benefits have eased the suffering or the trauma of anybody involved with the attacks on September 11. Surely not!
According to a June 27 Washington Post article entitled White House Advises "Cybersecurity" Insurance the market for such insurance would reach $2.5 billion in premiums annually. Thus, rather than holding vendors or security-lax corporations responsible - both criminally and civilly - when a significant problem arises, or implementing measures that would enhance security, Clarke is endorsing a purely reactive course of action that appears to many as a political ploy to curry favor with the insurance industry.
Is the Candidate Qualified for the Job?
At the heart of the issue is whether Richard Clarke has a real understanding of the critical issues that underlie information security, and, by extension, whether he is qualified to be the top cyber-cop. It should be noted that neither Clarke nor many on his staff in the Cyber-Security Office are technologists with real-world, operational experience. So it's not surprising that we see goofy proposals being floated around the country. They just don't know any better.
Career politicians, desk-bound analysts, and people lacking real-world operational IT experience are the wrong ones to be advising the President and working with industry leaders to develop stronger security programs.
A quote from the classic movie Doctor Strangelove appropriately - and unfortunately - describes this situation in plain, brutal truth: "War is too important to be left to politicians. They have neither the time, the training, nor the inclination for strategic thought."
Until those responsible for national cyber-security are fully qualified, willing, and able to begin examining and remedying security at a fundamental level, we will never see effective improvements of our national information security posture.