SAN JOSE — Much like the airline industry before Sept. 11, high-tech companies, customers and government agencies are well aware of security vulnerabilities but are reluctant to pay to fix them, President Bush’s top computer security adviser said Tuesday.
It’s just a matter of time before terrorists use those flaws to launch a cyberspace equivalent of the Sept. 11 attacks on critical national infrastructure such as the electricity grid, said Richard Clarke, the Bush administration’s cyber security czar.
“They will look for the seams. They will look to where our infrastructure is fragile,” he said during the RSA Conference, the world’s largest gathering of computer security experts. “Our infrastructure is fragile.”
Clarke said the airlines had known for years about weaknesses in the industry’s security mechanisms but chose not to address them. There was no intelligence suggesting an attack might occur, and nobody wanted to shoulder the cost or risk inconveniencing passengers.
“This industry runs the same risks as the aviation industry,” he said. “For years, people in the aviation industry knew there were security vulnerabilities — big ones. They convinced each other and themselves that those vulnerabilities would never be used against the industry or against the country.”
After all, no hijackings had occurred for decades in the United States before Sept. 11. As a result, no one wanted to pay to explore how vulnerabilities might be exploited, he said.
But the information technology industry must work quickly and not dwell on the past. Scenarios must be modeled and everyone — including government, businesses and other customers — must work together and share the costs.
President Bush is proposing a large spending increase for computer and network security, from $2.7 billion in fiscal year 2002 to $4.2 billion in fiscal year 2003.
RSA Conference organizers, who have been quick to criticize government security initiatives in previous years, agreed with Clarke’s comments and many of the new post-Sept. 11 measures.
“Today, the threats to the critical infrastructure are no longer theoretical,” said Jim Bidzos, chairman of the one-week conference.
Bruce Heiman, an attorney and executive director of Americans for Computer Privacy, also said he could not disagree with much of Clarke’s speech, but emphasized a balance must be struck between security and privacy.
Clarke’s proposal for government-industry cooperation, for instance, could work well as long as it remains voluntary. Still, Heiman asked, what would happen in the aftermath of a real cyber attack?
“If exhortation fails, regulation can’t be far behind,” he said.
Despite the government’s voluntary approach so far, Heiman fears it could indirectly force technology standards on the industry if businesses cannot agree on their own.
Heiman also questioned Clarke’s suggestion that the government form its own private network called GOVNET, allowing it to escape Internet problems.
“Is that approach just throwing up your hands?” Heiman asked. “GOVNET says we can’t make it secure — we will just have our own system.”
Clarke, who has served under every president since Ronald Reagan, was picked in October to advise the government and private businesses on cyber security issues. In his talk Tuesday, he said the government is a model of how not to address cyber security.
Clarke also suggested moving away from connecting everything to the Internet. He said details of the nation’s air traffic control system could be made available to Web surfers in the Middle East.
Unless action is taken soon, the information technology industry will suffer the same fate as the aviation industry, he said.
“The vulnerabilities are too well known for someone not use them in a big way that make Nimda and Code Red look like small fries,” Clarke said of two worms, which last year tied up Internet traffic worldwide by exploiting well-known software vulnerabilities.
On the Net:
RSA Conference: http://www.rsaconference.net