


DECEMBER 6, 2001

MOVERS & SHAKERS

The Race to Secure Cyberspace
Richard Clarke, Bush's new Net security chief, discusses efforts (not easy or cheap) to protect America from digital destroyers


On Oct. 10, President Bush named Richard A. Clarke, a veteran National Security Council staffer, to the new position of Special Advisor to the President for Cyberspace Security. The decision to create a U.S. chieftain for cybersecurity predated September 11, but the terrorist attacks made Clarke's mission all the more pressing.

Six days later, Bush issued an executive order creating a Critical Infrastructure Board headed by Clarke. Comprising 26 federal agencies, it was formed to protect the information infrastructure controlling everything from financial systems to the power grid to telephone and Internet communications. The board is working with industry representatives to draft a national strategy for cybersecurity. Clarke reports to Homeland Security Office Director Tom Ridge and National Security Advisor Condoleezza Rice.

Clarke already has made waves. On the day of his appointment, he put out for public comment a proposal to create GovNet, a secure federal network separate from the public Internet -- an idea that has already attracted criticism as an unnecessarily redundant network. In early November, he made a 10-day trip to Silicon Valley to solicit suggestions on cybersecurity from 18 top executives, including Cisco CEO John Chambers and Symantec CEO John Thompson.

In addition to building a secure network for the government, Clarke is urging cell-phone companies to make wireless frequencies available to government emergency personnel during crises. And he's set to hire Microsoft Chief Security Officer Howard A. Schmidt to beef up his organization. Clarke recently spoke with BusinessWeek Correspondent Catherine Yang about his challenges, agenda, and some fresh initiatives. Here are edited excerpts of their conversation:


National Security Council member Clarke is now Special Advisor to the President for Cyberspace Security
Q: How serious is the threat to cybersecurity?
A:
You shouldn't assume the future based on the past. Prior to September 11, a lot of people thought terrorism was a nuisance and a cost of doing business, because they looked only at what al Qaeda had done in the past. Al Qaeda had attacked two embassies and a destroyer. People assumed that's all that would ever happen.

What is a better tactic is to look at your vulnerabilities and ask what could people do with what level of difficulty. If most companies and government agencies do that today, they'll find out they have a lot of vulnerabilities. People could do very significant damage with a moderate degree of difficulty.

Q: Are we talking about al Qaeda and state-sponsored groups capable of cyberattacks -- or is this still in the realm of disgruntled teenagers, hackers, and criminals?
A:
Along one side of the spectrum are teenagers who typically deface Web pages, although we've had teenagers get into the controls of the dams in Arizona Central Project and then couldn't open the sluice gates. Higher up you've got professional hackers, who may do a bit of disruption. Then you have organized criminals who do fraud, extortion, and industrial espionage.

We have not seen terrorist groups -- with the exception of the Tamil Tigers [a group fighting for independence in Sri Lanka], who have been using information warfare techniques to be a pain and nuisance, but nothing significant. You've also got nation-states doing espionage. Nation-states can also do information war, which can take place in conjunction with conventional war or stand-alone to take down infrastructure. But we haven't seen nation-states do information warfare yet.

 


 

Q: Given the scope of the problem, what's your mandate?
A:
The Critical Infrastructure Protection Board is supposed to worry about the security of the federal government's own systems and networks but also, and most important, work with the private sector on the security of their systems and networks. The trick is to do that without new regulation. We think the federal government is incapable of writing effective regulations in the era of cybersecurity.

Q: Over the next several months, what specific steps will your office take to attack this problem?
A:
The President has asked us to draft a national strategy to defend America in cyberspace. He has asked us to do it in conjunction with the private sector, so that it is not merely a document written by bureaucrats for bureaucrats -- not a coffee-table book, but a strategy that lives in cyberspace. And the strategies change not on an annual or semiannual basis but when the threat changes or the technology changes or we discover a new way of doing things is better or that the way we are doing things is failing.

Q: When do you plan to have this strategy in place?
A:
I have not set, nor has the President set, a deadline for the strategy. I would rather not be up against a deadline, because we have never tried to do a national strategy. I don't know how long it will take.

Q: What else is your office undertaking?
A:
One of the things we'd like to do is to simulate attacks better. You can't do these attacks on real infrastructure. One of the things we're interested in is what are the interactions among infrastructures. We'd like to see what the interactions are between telephone and IT [information technology] network and the electric power and natural-gas systems.

Think of the national simulation center as an acupuncture map of the U.S. If you apply pressure on the elbow, what is the effect on the knee? You can't model that today. Last summer, we had a train derailment in the tunnel at Baltimore, and the Internet slowed to a creep in the central North Chicago area and Wisconsin because so much of the Internet backbone was in the tunnel. We don't know today where these acupuncture pressure points are, and therefore we can't protect them.

Q: Explain your plans for a Cyber Warning & Information Network?
A:
The best way to describe that is by analogy. Today, when anyone in the command centers at the White House, Pentagon, State Dept., and Justice Dept. becomes aware of breaking news, they have a particular phone they pick up that is a private line and it rings on the desk of the senior duty officer of each of the command centers. Usually, within 30 seconds you have a conference call of the five or six senior duty officers at the major command centers.

We'd like to build a system that does that at a different set of command centers -- the network command centers of the government. And we'd like to build it out to private industry. We have these things called Information Sharing & Analysis Centers (ISAC). There's an ISAC for electric power, for banking/finance, there's one about to happen for railroads, there's one for IT.

We'd like to extend this system out to the ISACs and then perhaps to some key private companies. You can imagine the antivirus companies wanting that kind of connection, maybe the router manufacturers, and maybe the major software vendors, such as Microsoft, Sun, and Oracle.

Q: Doesn't this process already take place?
A:
In the case of Code Red and Nimda this summer, we were doing this ad hoc. We had Cisco, Microsoft, and WorldCom all on conference calls, when we finally figured out this thing had infected thousands of servers. We were able to take apart the code and learn what it would have the servers do and when it would have the servers do it. At 4 p.m., we discovered that at 8 p.m. that night it would have all the servers attack one site -- us, www.whitehouse.gov.

 


 

The point was, having the tsunami-distributed denial-of-service attack come down the Internet would have destroyed -- at least temporarily -- some servers and some routers and slowed traffic. What we were able to do between 4 p.m. and 8 p.m. was to get to the major ISPs [Internet service providers] -- AOL, Earthlink, MSN, UUNET, Genuity -- and ask them to block the White House IP address on their edge servers. When you dial up on your AOL modem, the first place it hits on AOL is the local, or edge, server. Because we were able to act quickly, the tsunami just fizzled. That's a classic example of how government and industry work together.

Q: When do you want the cyberwarning system up, and how much would it cost?
A:
I would like to have it by summer. We may have enough money to start it without appropriations. I don't know how much it would cost to reach out to the private sector.

Q: You have talked about creating a separate, secure network called GovNet. What's the rationale?
A:
In the existing system, I send an e-mail from my PC to somebody in Silicon Valley. It leaves my PC, goes through a server and a router, and it bounces around from [ISPs] Genuity to Qwest to AT&T. Typically, transcontinental messages go through 12 to 17 routers. As I go across the country, I run the risk of my message being stopped by a denial-of-service attack or by a virus.

Instead of using that PC, I use a different PC. I go through a different server and routers. And the routers aren't connected to the [public Internet]. What if I leased fiber [optic lines] all the way across and never shared it with anyone else? Then they wouldn't be subject to denial-of-service attacks, and there would probably be 95% fewer viruses. The viruses will be easily detected. To access this network, we could require a biometric smart card to make sure no one could just walk into your office and play with your computer.

Q: But separate networks exist at many government agencies already. Why do they need a new one?
A:
Some corporations in banking/finance and IT are already doing this. Some federal agencies are doing it to a limited extent -- parts of the Defense and Energy Dept. to connect the national labs. We could offer this to other agencies who couldn't afford to do it otherwise. This gives them something more reliable. The network would be used for critical communications.

Q: Won't you still run the risk of wayward insiders who could introduce viruses into the system?
A:
Absolutely. But you would be in a better position to deal with them.

 


 

Q: What is the state of cybersecurity in Corporate America?
A:
It ranges from fair to good in some sectors such as banking/finance to abysmal in others. The bottom line is: It's not going to be cheap. People think IT is a way of reducing costs and increasing productivity. But IT security is not cheap. Most companies are not paying enough for it. They buy firewalls and an intrusion-detection system and think they're done. But that's just the beginning.

Q: How can government give corporations incentives to invest more in IT security?
A:
I'm not attracted to the idea of giving tax incentives. It's a misuse of the federal budget. Insurance incentives work better. The insurance industry ought to realize, both in directors and officers insurance and business-continuity insurance, they need to have standards and best practices that take into account IT security. We're working with the insurance industry and the internal auditors' association on that.

Q: You're known as a passionate advocate of cybersecurity. When and how did you get bitten by the bug?
A:
The February, 2000, denial-of-service attacks against eBay, Yahoo!, CNN, and others began to demonstrate not just something directed against individual companies but the national infrastructure itself. I also read intelligence reports every week about foreign countries creating information warfare units and doing surveillance on our networks. I have to assume they have the capability that could do a lot of harm. One day that knowledge can be used by foreign countries or companies or nonstate actors.




McGraw-Hill Cos.