How Real Is the Threat?

"I don't think we're as vulnerable as [Clarke] says we are," said Scott Blake, vice president of information security at BindView Corp., in Houston. "If I'm a terrorist, I want pictures on TV. You don't get that if you knock out the stock market's computers. And, the time to recovery [with a computer attack] is vastly shorter than with a physical attack."

A case in point is the recent warning issued by the FBI's National Infrastructure Protection Center regarding the possibility of wide-scale attacks from Western Europe against ISPs and Web servers. A handful of ISPs reported traffic spikes consistent with DoS (denial-of-service) attacks, but there were no reported service outages, and the service providers handled the incidents without a problem.

However, even those who don't see much of a threat to computer networks from foreign terrorists said Clarke's warnings could do good in the long run.

"I think some of that [rhetoric] is for effect. But these systems, as they're deployed, are vulnerable," said Jack Reis, CEO of NFR Security Inc., a Rockville, Md., intrusion detection vendor that does a lot of work with the federal government. "Attacks are happening. You don't see a lot of press about it because people don't want it known. More sophisticated attacks are coming, and more sophisticated defenses need to be created. We have to continue to invest in security technology, to the point where it becomes an integral part of everything we do."

The one policy for which Clarke enjoys near-total support in the security community is his pledge to do everything he can to avoid government regulation and control of the Internet.

"The government, having helped facilitate the Internet, has kind of walked away from it," Clarke said, "and that's a good thing because if it was a government project, it would work worse than it does. I don't want the government controlling or regulating the Internet."
Clarke has said, however, that if software vendors don't improve the quality of their products, the government may have to step in to protect consumers and the country's networks. This idea has gotten less support.

"I'm not sure how you would regulate software safety, even if you wanted to. Metrics are difficult to come by, and there is no way to avoid bugs in software," said Avi Rubin, principal researcher at AT&T Labs-Research, in Florham Park, N.J., and an expert on network security. "The main reason is that there is no easy way to measure software security. How would you regulate this? You couldn't say, 'Software must be at least 57 [percent] secure.'"
Even the rash of distributed-DoS attacks in 2000 on sites such as Amazon, Yahoo and CNN was at worst an inconvenience for most Internet users. The attacks cost the sites involved money in terms of lost traffic, lost revenue and cleanup. But for the most part, service was restored within a day or so.