
ICG Risk Blog - [ Clarke's vision of securing the net ]

Clarke's vision of securing the net


It appalls me that we have overlooked Richard Clarke's recommendations in cybersecurity as we have in other areas.  I would agree with all of Vamosi's comments in "Richard Clarke: He could have secured the Net," save for his disagreement over the potential for a digital Pearl Harbor.

I think that something with at least a small "p" is possible -- and that opinion rises if I consider a concentrated attack on one critical element, given that the 2003 Federal Computer Security Report Card (9 December, 2003) scored the critical 24 federal agencies into an overall D grade from an F -- after four years of scoring, and that those still getting an F are the departments of Homeland Security, Energy, State, Justice, Health and Human Services, Interior, Agriculture, and Housing and Urban Development.  (Defense got itself into the D category along with Transportation, GSA, Treasury, Office of Personnel Management, and NASA.)

"Had Clarke's proposals been taken seriously, all broadband users would have antivirus and firewall protection, and we might not have endured the MSBlast worm meltdown in August of 2003 nor be dealing with these pesky e-mail viruses right now. Microsoft might also be talking about releasing a version of Windows XP that had been independently proven to be secure (instead of us just taking the company's word that it's secure). In retrospect, we're no better off today, and perhaps we're actually worse off, than before the [National Strategy to Secure Cyberspace] existed."

Clarke further suggested that the government procure "only computer products certified by the National Intergovernmental Audit Forum (NIAF) testing program," but it was dropped as excessive regulatory intrusion.

With Clarke and his former reports departed, we now have no one with the breadth and vision needed to craft and lead a cybersecurity mandate.  DHS is in disarray.  As Peter G. Neumann observed:

"Technology alone does not solve management problems. Management alone does not solve technology issues. Reducing risks is a beginning-to-end, end-to-end system problem where the systems include all of the relevant technology, all of the relevant people, and all of the dependencies on and interactions with the operating environment, however flawed and complicated. But those flaws and complexities must be addressed systemically."

Not an easy thing to achieve on the best of days.

See 2003 Federal Computer Security Report Card

and IT Security Gets First Passing Grade — Barely
Published: December 15, 2003
By KAREN ROBB
Federal Times

Also these -- what might be called Clarke's legacy:

The National Strategy to Secure Cyberspace

National Strategy for Physical Protection of Critical Infrastructures and Key Assets

Richard Clarke: He could have secured the Net
By Robert Vamosi: Senior Associate Editor, Reviews
Friday, March 26, 2004

Gordon Housworth


