Richard Clarke is not an operational guy. He survived from Bush Sr., to Clinton, to Bush Jr. No one does that without being an experienced political bureaucrat. He was definitely good for raising visibility but, as the Department of Homeland Security moved to operational, he's not the guy.
Howard Schmidt, when he took the job, I wrote that this was a great thing. The most attacked domain name in the world is Microsoft.com [Schmidt was the former chief security officer at Microsoft Corp.], and he had experience defending that. The heavy lifting is going to be done by private industry. The government side will have two aspects. One is the moral suasion side: talking, keeping visibility up. The other is the bureaucratic in-fighting side of a brand new department trying to gain control. And Howard wasn't either of those guys. I think Richard Clarke could have stayed around to be the external face inside the government, but he's going to make a lot more from lucrative speaking fees.
Where a lot of the squawking has been is the talk about not burying it four layers down, that it needs to be at the president's level. I think that's totally wrong. You know what the most effective thing we have in critical infrastructure security is? It's been there for 15 years and it's called NSTAC [National Security Telecommunications Advisory Committee].
FEEDBACK: Is Gartner's John Pescatore on the mark about security spending, security hardware and cyberterrorism?
Pre dot-com crash, very different security questions. Since the bubble burst, how much has changed?
In that time, I think we've definitely seen disillusionment with intrusion detection. Two years ago, people were asking us, 'Which IDS is better? Cisco, ISS or Enterasys?' Now they are asking, 'Should I really do this?' That's changed.
We're seeing a lot more willingness to change user behavior. In the dot-com days, you couldn't hire people fast enough; we couldn't annoy users that much. If we put some onerous security in front of the user, the VP would complain, and the CIO would say 'What are you? Nuts?' Now that the economy is tougher and people can't change jobs as well, we're seeing enterprises be willing to block attachments, force users to go to Windows 2000, lock into their PCs.
The security group has a lot more power now and, because of that, we're seeing them trying to centralize security management more. The danger is that, when the economy comes back, if the security guys are not used to moving quickly, they'll be left behind again.
What has matured during that time frame?
We've definitely seen maturity in several spaces: firewall and antiviral, for example. But maturity doesn't mean commodity quite yet in those areas. There's still room for new guys to come along and blow the incumbents away.
Spending on security in the enterprise is either on the rise or flat, according to most accounts. What are companies spending money on?
If you look at the total spending on security, it's definitely going up strongly. We look at it as a percent of the IT budget. So, in 2001, the industry average was 3.3% of the IT budget toward security. In 2002, it went up to 4.3%. We're projecting for this year, 5.4%. Some segments, such as government, are going to grow faster. Government is going to grow faster than anybody because of the [Department of Homeland Security]. Places like universities are also bumping their budgets up because they're getting killed by places like the recording industry for piracy. The interesting thing for 2003, it's the first year ever that, when the CIO looks at the pie chart of where his money went, security will have its own label on the chart. It won't be lumped in with 'other.'
Now, what are they spending it on? In the IT security side, we're seeing a lot of firewall refresh. For example, in 1999 [and] 2000, with all the Y2K money, a lot of people upgraded Windows, NT, Solaris and got a new firewall. Now they're all replacing those and getting a firewall appliance. Because of Code Red, Nimda and Slammer, we see expenditures on antiviral going up. Spending on security audits and services like penetration testing [have] definitely gone up. So what we've seen with the economy, the growth in security spending has been on the keep-the-bad-guys-out side, traditional firewall, antivirus, vulnerability assessment tools and services. The good-guy-in side, like authentication, PKI, access control, that kind of spending has been flat to down, namely because companies aren't spending on new applications, because the whole IT world has been in a slump.
The third area of spending has been on the keep-the-wheels-on side, where you manage all your security stuff. There's been strong growth there this year. Tools that help enterprises manage firewalls, antivirus [and] intrusion detection, and help make sense of all the data, that's been a strong spend area.
In what areas has spending slowed down?
Intrusion detection. Most companies have said, 'This isn't helping me. It's just drowning me in false alarms.' PKI has experienced a slowdown, with many of those companies up for sale.
At the RSA Conference, you predicted this would be the decade of security hardware. Can you explain what you meant?
We see a lot of discrete security functions: firewalls, intrusion detection, gateway-side antivirus, vulnerability assessment, even URL blocking. These are functions that look at stuff on the network and make decisions on what to do. That might be five different boxes an enterprise would have to manage. We're seeing this move toward network security platforms, which is fewer boxes, and that reduces the cost of ownership.
Then we saw some innovative companies start to build these ASICs [application-specific integrated circuits] and network-security processors that said 'There's some common processing going on in these boxes. Let's put it in hardware.' Put all the repetitive, heavy-lifting stuff in hardware so that I go much faster. We've seen three different architectures come out for small, medium enterprises (100 MB and less), large enterprises (100 MB to a gigabyte per second) and carrier-class (1 gigabyte per second and above).
In the large enterprise space, you'll have a blade approach where, instead of throwing a box at a problem, plug in a new appliance in a blade so that I can scale on one box, as opposed to multiple boxes. Above that, this is where the ASIC-based approach is for the top, large enterprises and carrier class. What we mean by hardware is the ability to do repetitive, network-stack processing, parsing of XML and decrypting Secure Sockets Layer (SSL). That's gotta be done in hardware to get to the speeds needed by the large enterprise and carrier classes. That's where the innovation is. With software, we'll see some innovation with algorithms for doing behavior-based or anomaly-based attack detection, but most of the innovation is at wire speeds.
When the National Strategy to Secure Cyberspace was released, it was criticized for its lack of mandates, or 'teeth.' Do you agree? Should it have had more 'teeth'?
No. Gartner came out with the first take, saying it did exactly what it should have done. Private industry will make the Internet more secure. Regulations, at best, will not hurt and, at worst, cause tremendous problems.
An example I always use: Back in 1995, Sen. Sam Nunn formed a committee to investigate the possibility of a digital Pearl Harbor. He used that term in 1995. If the government had dictated things back then, it would have said things like 'You better not let strong crypto get out because the bad guys are going to have it.' We would have been mandated 40-bit crypto be built in everywhere. If the government had passed regulations, Amazon.com would be taking orders by fax. It would never have taken off.
The government cannot legislate security in. You can't put a hierarchical solution on a distributed problem. The major people complaining are the security vendors. It was going to be like Christmas if the government mandated everybody needs a personal firewall.
What should government do then?
What [Richard] Clarke and [Howard] Schmidt came up with did a pretty good job of doing what we said, which is that government should use its market power. You want to make the Internet more secure? Every government agency should be buying denial-of-service protection with their Internet connectivity. Every government agency should make sure that every employee and every vendor who works for the government has a personal firewall installed on their PC. That drives the market more so than some government regulation. The government should be a model citizen on this. It should be the most secure industry segment, the most secure piece of critical infrastructure. And it's not today. It's not!
We need to see the government's strategy for securing the government's sector of cyberspace. Putting more pressure on the other critical segments, like telecoms, power and energy, and transportation to improve cybersecurity, is a good thing. But those critical infrastructures first better worry about physical security, because that's what terrorists do. They blow things up. They attack physically to cause terror. Blue screens of death don't cause terror.
So we don't need a recognizable name to lead the way?
No, I don't think so. We tend to mistake light for heat, if you know what I mean. If we hear the noise, and Richard Clarke is out squawking every week, you think something is getting done -- whereas it's time for heavy lifting. There's enough press coverage of every security incident. It's not like people don't hear about security incidents. Know what a good indicator is? Look at Symantec's stock price. It's going up and up. Know why? Consumer antiviral purchases are going up and up. There's awareness. Now the issue is: How do we make it easier for businesses to reach the next level of security? Evangelism can never hurt, but if I had to pick evangelism or implementation right now, I'd pick implementation.
What should the enterprise take away from the talk about cyberterrorism?
Terrorism is a real threat. We're going to get hit again. I worked for the Secret Service years ago, and the biggest thing we used to worry about was the Radio Shack criminal, the one who gets his technology at Radio Shack. You cannot plan for al Qaeda-type events. You have to protect against the most likely type of threat and hope they go bother somebody else.
As far as what the typical enterprise should do, there's a lot of simple things you need to make sure you're doing right.
Everyone has antiviral and firewalls, but how often do you update antivirus signatures? How often do you test if your firewall policy is what it should be? The No. 1 thing: the way any cyberattack works, the bad guys check for vulnerabilities and then they attack. You need to check for vulnerabilities before the bad guys do. If hackers are rattling your doorknobs and they're open, the hacker is going to come in. You should rattle your doorknobs first, [do] more frequent vulnerability assessments to block those attacks. Doesn't matter if it's a terrorist, a pimply faced 14-year-old or a cybercriminal trying to steal credit card numbers or medical records, they're all going to come in the same way.
Sixty-five percent of attacks exploit misconfigured systems, and only 30% exploit known vulnerabilities where there's a patch out. Only 5% exploit things we didn't know where there was a problem. Address the 65% and check that things are configured right and you've just eliminated two-thirds of your problem. Focus on patch management and forcing software vendors to write better software and you've got the other 30% taken care of. Then, later on, worry about the 5% of evil geniuses who are attacking us with zero-day attacks.