LAS VEGAS—The governments top information security official sharply criticized the software industry, ISPs and the government itself for a lack of commitment to security. Saying that the current climate demands more and better security, Richard Clarke, chairman of the Presidents Critical Infrastructure Protection Board (PCIPB), said it was time for a change.
"The software industry has an obligation to do a better job producing software that works," Clarke said in his opening keynote speech at the Blackhat Briefings security conference here Wednesday. "Its no longer acceptable that the number of vulnerabilities identified goes up every year."
Clarkes comments drew cheers and applause from the audience, an eclectic mix of security professionals, hackers, federal officials and academics.
He cited Microsofts Trustworthy Computing effort as a step in the right direction, but said that vendors as a rule need to write better quality code.
"We also need an improvement in the quality of software engineering. Its clear that what were doing now isnt working," Clarke said. "I welcome Bill Gates pledge, and I will hold him to it. I think we should ask other vendors to do the same thing."
Clarkes comments were part of a preview of PCIPBs forthcoming national cybersecurity strategy, which it will unveil Sept. 18 in Silicon Valley. The document will address security problems in several key market segments, including banking and finance, chemical manufacturing, IT and education. Clarke singled out several industries as bearing the lions share of responsibility for the current security problems facing the country.
He was particularly critical of vendors who sell wireless LAN gear and ISPs. Citing the Department of Defenses recent decision to turn off all WLANs in its facilities, Clarke said other organizations should do likewise until there are better methods for securing these networks.
Clarke lambasted ISPs for failing to alert consumers to the dangers inherent in having an always-on broadband connection.
"Every ISP that offers broadband ought to be offering a firewall," he said. "If you ask ISPs off-the-record why they dont, theyll tell you its too expensive and they want broadband to be cheap. So they want to make it cheap for people to be hacked."
During his speech, Clarke also emphasized that he was not satisfied with the governments participation in the process of securing the Internet, but made clear that he had no intention of pushing for government regulation in this area.
"I dont want the government controlling regulating the Internet, but there has to be a middle ground where the government doesnt walk away," Clarke said. "Whose responsibility is it to think about the health of the Internet? Its all of us, but the government has a responsibility too."
- U.S. Consensus Standards Likely Enforced
- Homeland Security Plan Draws Criticism
- More Security Coverage