>>White House cybersecurity czar Richard Clarke to retire . . . . JANUARY 27, 2003 (COMPUTERWORLD) - Richard Clarke, the nation’s first counterterrorism coordinator and de facto cybersecurity czar, plans to retire next month when the final version of the Bush administration’s national plan for defending cyberspace is released, Computerworld has confirmed.
Unconfirmed reports about Clarke’s departure from his current post as chairman of the President’s Critical Infrastructure Protection (CIP) Board surfaced late last week and over the weekend. However, White House sources close to Clarke confirmed today that next month he will end a career at the National Security Council spanning three administrations. His career was also characterized by a concerted effort to enhance the government’s relationship with the private-sector operators of the critical infrastructures. . . . . Vince Cannistraro, former chief of operations at the CIA's Counterterrorism Center, said people at the agency "resented" Clarke "because he was a hands-on bureaucratic guerrilla who rode roughshod over the bureaucracies." Cannistraro acknowledged, however, that such an approach is sometimes useful.
Cannistraro knew Clarke during his tenure as deputy chief of intelligence and research at the National Security Council, where Clarke "often came up with questionable proposals for covert action," Cannistraro said. "He was contemptuous of the bureaucracy, and this attitude earned him few friends."
Prior to taking his post as cybersecurity adviser (see story), Clarke was responsible for recommending and planning the bombing of the Al Shifa plant in Sudan, which Cannistraro said was probably conducted on the basis of faulty intelligence.
The CIA also resented Clarke for airing his views to the press about the intelligence failures that contributed to the Sept. 11, 2001, terrorist attacks, said Cannistraro. "Of course the intelligence community screwed up. But Clarke also screwed up. He was, after [all], the counterterrorism czar when 9/11 took place," he said. <<
computerworld.com
>>White House Cybersecurity Chief Defines the Threat . . . . The second problem facing companies is determining what is a good product, who's a good service provider and what they should be asking for. Most people think the first thing to do is to run out and buy a firewall or an intrusion-detection system. But that doesn't even begin to solve your problems. You need to have a continuous process of looking for vulnerabilities, and you need to have a layered defense. We passed the 2,000 mark a few months ago in terms of known vulnerabilities that we have to deal with. . . . . We also are looking for input from small and medium-size IT companies. A lot of good ideas are found in the garage, as HP discovered. We've proactively sought them out and met with them one on one.
(said Clark) [Sounds like a heavy duty National Security post he had. Firewalls. Wow.]
computerworld.com
Meanwhile, in the real world:..Cyberterror threat overblown, say experts
News Story by Joris Evers, IDG News Service
MARCH 14, 2003 (IDG NEWS SERVICE) - The cyberterrorism threat is overstated, an expert panel agreed today, because bombs are more effective at instilling fear than strikes against the Internet.
"Cyberterrorism is largely overblown," said Bruce Schneier, founder and chief technical officer of Counterpane Internet Security Inc. in Cupertino, Calif. Schneier spoke as part of a panel on cyberterrorism at the CeBIT technology trade show.
"I don't see a cyberattack as a terror attack of choice," Schneier said. "Dropping ATM networks and shutting down e-mail is not terrorism. If I can't get to my e-mail for a day, I am not terrorized. We are many years away from somebody being able to launch large-scale electronic attacks that have the effects of a bomb."
Other panelists, including executives from security software vendors RSA Security Inc. and Trend Micro Inc. and representatives from the European Union and the North Atlantic Treaty Organization, agreed. They blame the U.S. government, certain IT vendors and the media for creating cyberterrorism anxiety.
"Terrorists will use the Internet to communicate, which is different from an attack. We do not see a terrorist attack on the Internet happening," said Rainer Fahs, senior information security engineer of NATO's Air Command & Control Systems Management Agency.
Fueled by post-Sept. 11 fears, the U.S. government and its agencies warned of potential terrorist attempts to bring down the Internet or to use the network to topple critical infrastructure such as telecommunications and electric power grids; oil, gas and water systems; and transportation and emergency services.
Panelists had this to say about those warnings:
"Critical systems don't run on the Internet; they are based on secure networks. We have protected our systems and do not rely on the Internet," Fahs said.
"I don't want to belittle the threats [to the Internet], but they are not coming from terrorists. The threat from common criminals is understated," Schneier said.
I think the threat of cyberterrorism is overstated," although general threats to IT systems are in some cases underestimated, said Arthur Coviello, president and CEO of RSA. He advised companies to assess risks and then apply security measures.
"The U.S. government after Sept. 11 wanted a broader front to attack terrorism, and cyberterrorism is part of that. Some in the industry got headlines by calling a lot of attention to this," Coviello said.
Fahs said he understands the U.S. government's reasoning, but he warned that civil liberties may be at stake because of a push to fight a threat that isn't real. "This is something that was created, and I think there is a big risk that the liberty of people will be sacrificed for the sake of security," he said.
The panelists' opinions match a Symantec Corp. survey released last month that found that cyberterrorism is more fear than reality. None of the severe events detected by Symantec were traced to countries linked with terrorism, and less than 1% of all attack traffic came from such countries. <<
computerworld.com |
