Bush's Cybersecurity Czar Speaks Out


Richard Clarke, chairman of President Bush's critical infrastructure protection board, said Friday that wireless LANs are not properly secured from hacker threats.

In an interview with CRN, Clarke reiterated comments he made at the Black Hat briefings in Las Vegas in July, where he railed against wireless vendors and users for failing to make the technology more impervious to intruders.

"I stand by my statements," Clarke said Friday. "The vast majority of wireless LANs in this country are wide open. It's very irresponsible of people to put up wireless LANs and not make them secure because it throws open the entire company behind the firewall and makes them vulnerable.

"CIOs often don't even know that there is a wireless LAN" in use at their company, Clarke said.

Unlike Congress' debate over allowing the president to use force against Iraq, which many observers say has fallen prey to partisan politics and elected officials' concern about how their vote on the matter would affect their re-election campaigns, concerns about cybersecurity transcends party loyalty, Clarke said.

"Both President Clinton and President Bush have given a very big priority to cybersecurity, and if you look at leadership on the Hill, it's both parties," Clarke said. "In the Senate, you have people like Senator [Robert Bennett (R-Utah) and Senator [Jon Kyl (R-Ariz.) very concerned on the Republican side, but you also have Senator [Joseph Lieberman (D-Conn.) and Senator [Charles Schumer (D-N.Y.) on the Democratic side who are also very concerned," Clarke said. "It's really a bipartisan issue."

Clarke said that town hall meetings he has led in Philadelphia, Atlanta, Chicago and other cities in recent months to talk about the proposed National Strategy to Secure Cyberspace he is charged with developing have been productive.

"They are very receptive audiences," he said, though he admitted with a touch of disappointment that few "average citizens" are attending the events. "It's in some ways unfortunate because we want to be reaching out to the general population."

Attendees at the events are mostly IT managers from companies, universities and government agencies, Clarke said.

The draft version of the plan is available at www.securecyberspace.gov until Nov. 18; anyone may comment on the specifics of the draft. Clarke said a lot of responses have been coming in, some from individuals and some from companies and other organizations.

But it will never be known for sure whether the plan has succeeded, Clarke said.

"We'll never know whether or not we are entirely successful because we are not measuring success by whether there are cyberattacks. We are measuring it by whether we have identified and mitigated vulnerabilities," he said.

"It takes so long to repair some vulnerabilities that if you wait until you get the threat warning, you don't have time," Clarke said. "Frankly, it doesn't matter whether it's al Qaeda or Iraq or some hacker in Brazil coming after you; they can do the same amount of damage to your company. Start immediately looking into your own organization and find the vulnerabilities. That has to be an ongoing, constant process because the vulnerabilities change all the time."