Former National Security Boss: Bush Admin Leaves Holes in Cyberspace

Former Terrorism Czar Richard Clarke: Instead of debating stem cell research or whether to teach evolution in schools, we should be having the debate about how to secure cyberspace.

LAS VEGAS—Richard Clarke remembers standing in the Oval Office and handing President George W. Bush a letter regarding what the nation should do to secure cyberspace.

"I think he signed it. I dont think he read it. I dont think he knows what it was," Clarke said during his keynote here at the Black Hat security conference on Aug. 1.

Clarke is somebody whose advice Bush should have heeded.

Until his retirement in 2003, Clarke was a member of the Senior Executive Service, having served as an advisor to four presidents between 1973 and 2003. He was the chief counter-terrorism advisor on the U.S. National Security Council for both the latter part of the Clinton administration through the early part of Bushs administration and the 9/11 attacks.

Serving with the Clinton administration, he toured the country for two years, collecting industry and academic intelligence on one crushingly important question: How do we secure cyberspace?

This is important. Within the coming 20 years, Clarke said, our soldiers will enter the battlefield with multiple IP addresses. The Pentagon is already working toward what Clarke called net-centric warfare, part of which will be exoskeleton armor covered with interior and exterior sensors. These exoskeletons will allow soldiers to literally have eyes in the back of their heads, to see around corners as robots fly ahead and beam back images to their visors, to lift weights at 5 to 10 times their normal capability due to exoskeletal servo-motors, and have their health monitored and their illness or fatigue medicated—again, automatically through the exoskeltal suit.

The Pentagons vision of net-centric warfare relies on IP addresses, lots of them. Its why the Pentagon is the only part of government now pushing for the next-generation Internet, IPv6, with its vast capacity for IP addresses, Clarke said.

But this all assumes that cyberspace is secure. "Its not," Clarke said. "The chaos that goes on in cyberspace very day, I dont have to tell you about," he said to the audience of black, white and gray hackers.

"We are building more and more of our economy, our global economy, on the foundation of cyberspace 1.0," Clarke said. "The fundamental architecture hasnt changed since creation. And we still have secured very little" of that architecture, he said, including the very foundations of todays Internets, DNS and PHP—themselves still not very secure.

Were also still running code from major vendors across the world thats "replete with errors, replete with errors people can use to hack into systems," Clarke said. We still have no industry or academically generated standards to secure code.

We still dont write secure code, either, he said, with high rates of errors commonplace.

We still dont authenticate much of cyberspace, either, he said. Users could choose to be authenticated, but beyond that, businesses could be authenticated, and easily so, but its not common.

We could also be using encryption far more than we do today, Clarke said—an omission evidenced by the loss of a laptop bearing the Social Security numbers of U.S. veterans. "When some government laptop with the Social Security numbers of every veteran in the United States is stolen in Washington, we shouldnt have to worry about it; it should be encrypted. Databases should be encrypted," he said.

And, yet, theyre not.

VOIP (Voice over IP) can be encrypted. With headlines about national security letters being abused by the FBI and other uses of surveillance, perhaps we should encrypt phone calls, Clarke suggested.

The United States also needs to adopt IPv6 "much more rapidly," Clarke said. Not just because the Defense Departments plans rest on having IP address-loaded soldiers but "because it also offers opportunity for security and for prioritization, which we dont have today. Think of how prioritization could improve disaster response in situations like 9/11 or Katrina, where communications channels get swamped immediately, barring emergency first responders from the prioritization they should have.

"And yet were now planning disaster relief and other response based on cyberspace. On the Internet," Clarke said. "Theres no way today to differentiate e-mail from someone to their grandmother or a packet with their vacation photos with that of [communications from a first responder in a disaster situation]."

The work needed to create an Internet infrastructure that could support a more secure, more rationalized cyberspace has unfortunately been starved of funding by a Congress, an administration and a society that just "doesnt get it," Clarke said.

"The Bush administration has systematically reduced the work necessary to secure cyberspace," he said. The administration has reduced funding for research and development, at DARPA and elsewhere, for example, he said.

"Bushs own advisory committee said we were dangerously reducing funding" on securing cyberspace, he said. "Still, he went ahead, and it was reduced."

Not that government is the solution, Clarke said—but its part of the solution. The government can be funding R&D and setting a good example for cybersecurity, instead of providing an example of how not to do cybersecurity a la the department of Veteran Affairs bungling of veterans personal data.

"Its not because the answers arent there," he said. "Or because its a really hard problem. Sure its a hard problem, but a lot can be done quickly. Two years we went around holding meetings, asking experts, asking industry, What should we do to secure cyberspace?"

Perhaps, instead of debating stem cell research, instead of debating whether evolution should be taught in schools, instead of surveilling citizens rather than terrorists, we should be having this crucial debate, Clarke said.

"The enemy is terrorists. The enemy is not citizens," he said.

The takeway from his talk: The enemy is an insecure cyberspace.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.