SAN JOSE, Calif. -- White House cybersecurity czar, Richard Clarke, put forth a challenge to big business, IT security vendors and critical infrastructure owners and operators -- join forces to secure American critical infrastructure, despite the cost and the bottom line.
Clarke delivered that message during his keynote Tuesday morning at the RSA Conference 2002, an annual gathering of 10,000 IT managers and security professionals. His comments were met with cynicism by IT pros.
"Government has great ideas, but who's going to pay for it," said one government employee who asked to not be identified. "Theoretically, it's a good idea, but I don't see it happening. Companies won't put up the money."
"Government alone cannot defend us. The private sector alone cannot defend us," Clarke said. "A public-private partnership is the only way to defend us."
Clarke drew an analogy between the aviation industry and IT. Prior to September 11, aviation knew its industry was vulnerable but convinced itself that those vulnerabilities would never be exploited, Clarke said. Why? Fixing the problem requires spending money. "And who was going to pay for it?" Clarke asked.
"If IT collectively continues to say, 'Yeah, there are vulnerabilities. Yeah, the Internet was not designed with security in mind' and not do anything about it because it's going to cost money and inconvenience them," Clarke said, "then IT is going to suffer the same fate as aviation in ways that will make Code Red and Nimda seem like small fries."
Clarke urged those in charge of critical infrastructures -- like energy, water, financials and government -- to look beyond their enterprise. "You have to say, 'It's not my company's problem, it's my industry's problem.' Don't wait for government to identify vulnerabilities. Organize in information sharing and participate in developing a national strategy for dealing with cybersecurity."
Plea to vendors
Clarke also asked the industry to pressure vendors to make security the No. 1 design criteria for vendors. Vendors, Clarke said, say they can do this, but costs will skyrocket and the industry is too cost-conscious to support that kind of security out-of-the-box. Infrastructure operators, meanwhile, are telling Clarke that vendors won't sell secure software.
"Someone isn't telling the truth," Clarke deadpanned. "We have to end this dialog of the deaf. Security has to be the No. 1 design criteria, not an add-on. And industry has to spend the money to deploy security."
Clarke spelled out the threat in vivid detail, starting with September 11, a date that proved the United States still has formidable enemies, enemies IT cannot underestimate just because they may originate in a third-world country, Clarke said.
"Our enemies will use our technology against us to attack our people," he said. "Our technology is open to the world and that means anyone can come to the U.S. and learn about it. Our enemies will look for seams where our infrastructure is fragile."
Compounding the problem is that interdependence of American infrastructure, Clarke said. An attack on 16 acres of land in Manhattan, the Pentagon and Pennsylvania took 3,000 lives and rippled down to industry after industry causing unemployment spikes, halting any economic recovery in the U.S. and worldwide.
What D.C.'s doing
Clarke said that Washington is already taking steps with President Bush's call to develop a national strategy for cybersecurity, calling on each sector to author its own chapters of that draft. "The modules of this draft will change in real time because it will be in cyberspace," Clarke said.
He also pointed out that government must be a model for cybersecurity and right now it's failing miserably. To that end, Clarke said that $4 billion, or 8.1%, of the 2003 budget, if approved, will be devoted to IT security.
"I hope that happens. It's time for our leaders to lead," said attendee Eric Wong, a Unix, Linux and NT security manager with Amerada Hess of Houston.
Also part of the White House plan: a set of best practices for Tier 1 Internet service providers; fewer bureaucratic walls in D.C.; federally funded scholarship money to entice college students to study IT security; an early warning for cybersecurity vulnerabilities and attacks; GovNet, a secure network for government agency use; understanding the interdependence of infrastructure and educating home users who frequently become pawns in distributed denial-of-service attacks (DDoS).
FOR MORE INFORMATION: