Cyber Security Chief Says Software Needs Improvement


"The software industry has an obligation to do a better job in producing software that works," said Richard Clarke, President Bush's special advisor on cyberspace security, in the opening keynote Wednesday at the Black Hat Briefings.

"It is no longer acceptable that we can buy software ... that is filled with glitches," he said. "It is no longer acceptable that the number of vulnerabilities is going up."

Clarke's remarks were greeted with applause by the crowd of about 1,500 security professionals gathered for the conference, but his reference to Microsoft's security initiative drew ripples of laughter. Microsoft Chairman and Chief Software Architect Bill Gates earlier this year directed employees to make security a priority in product development.

"Rather than rejecting Gates' statement that he's making security job one, I welcome it and will hold him to it," he said.

Clarke added that the software industry could also help by testing security patches in more applications and systems than the ones for which they're designed. Systems administrators need to know how a patch will work in their environment, so they may delay applying patches until they have tested them, he said.

But software developers aren't the only ones who need to step up to the plate to secure cyberspace, he said.

"Each of us has an obligation to help secure the part of cyberspace we depend on," he said, warning that the country needs to take action before an attack.

"Although it may not look like it, this is still a nation at war," he said.

Clarke chastised the wireless LAN industry and those that deploy wireless LANs to communicate sensitive data, in light of the security issues surrounding the technology.

"Until we have a better, proven track record with wireless LANs, we better all shut them off," he said.

And broadband providers need to ensure security with their service, considering the risks posed by always-on connections, he said.

ISPs and others "should offer firewalls and a system that regularly updates that firewall," he said, adding that it's too much to expect a home user to keep track of security patches and antivirus updates.

While he doesn't want the government "involved in controlling or regulating the Internet," Clarke said there has to be some way that the government can help academics and others in maintaining the health of the Web.

"There's got to be a middle ground where government doesn't walk away," he said.

He noted that President Bush has proposed a center of excellence for cyberspace security as a key component in the new Department of Homeland Security.

Clarke also said that a national strategy for cyber security is scheduled to be released in mid-September. The plan includes separate strategies to protect individual industries, written by experts in private sectors such as finance, oil and gas, and telecommunications, he said.