Former Presidential Security Advisor On Playing It Safe

In his first public speech since leaving his advisory, Clarke told attendees at InformationWeek's Spring Conference that now is the time to work hard to get the government to fund anti-terrorism research, pay for awareness training, and provide information--even classified data--to the private sector about threats in an effort to secure cyberspace.

Terrorism, the potential war in Iraq, and the country's cyber-vulnerability all came under Clarke's scrutiny. Referring to the arrest this weekend of al-Qaida's Khalid Shaikh Mohammed, said to be the mastermind of the Sept. 11, 2001, attacks, he said that the terrorist group might use cyberspace to attack the country's infrastructure. He notes that it was clear from confiscated computers that the group was using the Internet to do "virtual reconnaissance" on our infrastructure--not only on companies but also on dams and power plants and the software that runs them--and downloading hacker tools from Web sites

According to Clarke, some of the recent attacks, such as the DNS (denial-of-service) attacks of a few months ago and the recent Slammer worm, seem to be evidence of "some funny things happening in cyberspace" that stopped short of being seriously destructive. "It looked to me like people were seeing what you could do to be really destructive but not being really destructive--yet."

Even companies that have managed to avoid cyberinjury so far need to care about vulnerabilities in the DNS as well as in the border gateway portals because "the chances of being hit in the next 24 months are high" no matter how good a job a company is doing with security. More importantly, he says, such attacks hurt the economy. The $17 billion lost in 2001 as a result of cyberattacks may be a drop in the bucket in a $17 trillion economy, but Clarke says that's just the tip of the iceberg: "We'll see more destructive attacks."

Clarke offers suggestions including:

• Ask software companies to come up with best practices for code drafting so things such as buffer overflows can be avoided;
• Have the federal government offer tax credits to get companies to get rid of old edge routers that aren't equipped to secure border gateway portals;
• Have broadband providers make sure to include firewalls as part of the broadband-access packages they sell to consumers so their PCs can't be overtaken for use in denial-of-service attacks;
• Have Internet service providers follow FCC voluntary rules, posted a few months ago, to ensure security and interoperability;
• Improve wireless phone security.

To keep on top of what's happening in the government sector, sign up for our weekly newsletter VARBusiness Government Insider