White House flunks back
Kevin Poulsen, SecurityFocus 2000-09-13

The President's cyber-security czar gives Congress an 'F', for Failing to Fund.

The wrong solution will fix nothing. 2000-09-13
(1 replies)
Do you really know what his solution was? 2000-09-14
gwenwyn <gwenwyn (at) geeklife (dot) com> (1 replies)
You make some interesting points... I completely agree with your point about adding a security expert to development teams. As anyone in the computer industry knows, it is much easier (and cheaper) to resolve issues (be they bugs, flaws, or security problems) in the R&D stage than after the product is on the shelf.

I would like to add one thing. You can't solve the computer security problem by hiring more computer security investigators (etc.), as the current government is suggesting. That isn't how it works. As a matter of fact, Kevin Poulsen neglected to mention one statement Mr. Clarke made on the topic during his InfoWarCon speech (paraphrased): If the nation lacked front door locks, the solution is not to hire more police officers. Current initiatives in Congress to fund more DoJ/FBI tech crime training would be just that sort of solution.

I do want to counter one statement that you made about Mr. Clarke's speech being an attempt to increase the Clinton Administration's power. I felt such impression in his message. His suggestion for the government was not to increase its power with a massive new centralized agency, as you seem to imply. He suggested the creation of new ISACS (information sharing centers), already used in the Banking and Finance industry, where businesses could report intrusions and attacks and allow the vulnerabilities to be passed on (without the name of the company).

Another major point he made: Congress needs to fund higher education and training via "scholarship for service" programs to prevent the massive (though unsurprising) brain drain of IT specialists from lesser-paying government jobs to big $$ private sector positions.

In short, the speech was excellent. He laid out a clear list of actionable items for government and private industry. If you do actually want to know what Mr. Clarke said, so you won't make such rash judgements based on one short article*, please e-mail me at gwenwyn (at) geeklife (dot) com and I can provide as many additional details as you see fit.

* I don't mean to put down the quality of the article, which is a perfectly fine news brief-summary of the speech... though I must say that Richard Clarke's proper title is "National Coordinator for Security, Infrastructure Protection, and Counter-terrorism" - see biography at http://www.info-sec.com/ciao/bioclarke.html for more details - not just a "top aid (sic)."


Link to this comment: http://www.securityfocus.com/comments/articles/85/3367#3367







 

Copyright 2009, SecurityFocus