'Dirty dozen' tips from former cybersecurity czar
Subscribe now for $100 (23 issues) and save more than 37% off the cover price!
Get the latest news from Computerworld delivered via email.
Sign up now
It's time to take back cyberspace from hackers, phishers and others who are preventing e-commerce and e-government from reaching their full potential.
That was the message Richard A Clarke, former special advisor to president George W Bush on cybersecurity, gave at a CIO breakfast meeting in Auckland recently.
Clarke, who was visiting New Zealand as a guest of Symantec, has previously also advised President Clinton on terrorism. Clarke has published a book, Against All Enemies: Inside America's War on Terror and is an outspoken critic of the decision to go to war with Iraq.
However, he stuck to cybersecurity during his presentation, turning to terrorism and politics only during the question and answer session.
Security fears are the main factor holding back the widespread take-up of online banking and other transactions that can be more cheaply and efficiently done over the net, he says.
"Most banks have about 30% of their customers doing online banking and when you consider that an over-the-desk transaction that costs $2 can be done for five cents online, if a bank can move from 30% online customers to 70%, it'll save a lot of money.
"The number one reason more people aren't banking online is the fear of chaos in cyberspace."
There are "all sorts of things" that are possible over the net, but aren't being done "because we haven't achieved security in cyberspace," he says.
The US government will spend 8% of its IT budget on security this year, double the percentage of five years ago, with the bill coming to $US5 billion. Banks and other businesses are increasingly using their commitment to security as a point of differentiation in advertising, he says.
Clarke went on to list 12 trends, a "dirty dozen" that will shape IT security in coming years and among them was encryption of archived,stored data and automated audits of IT assets, using asset management software, that certifies hardware and software as being secure.
Also on the list was greater use of intelligence and advisory services on security issues, increasing reliance on patch management systems instead of patches being applied ad-hoc and an ever-greater need to secure digitally controlled and Scada (supervisory control and data acquisition)-based systems that run utilities such as electricity, water and gas suppliers.
"We're seeing worms getting into those kinds of networks and in Ohio, a power plant was knocked out by one," Clarke told the audience.
The IT security dirty dozen future trends also included more rigorous testing of software code for flaws such as buffer overflows and having protection at the desktop at a level matching that at the back end.
One of the most important trends will be to "rein in the road warriors" — travellers and visitors who hook their laptops into company networks and introduce worms and viruses.
"Many companies have spent a lot of money on a VPN, only to have a road warrior shoot a virus over it from their laptop to the corporate network."
Products that scan and check laptops for security threats will increasingly come into use, Clarke said.
Another important trend is that more organisations will outsourcing basic security functions such as firewalls and intrusion detection and, if they can, will let ISPs do some of the work.
"Increasingly, we're seeing that ISPs are providing the first barrier — the personal firewall — and when you renegotiate a security service level agreement with an ISP, you can get them to do a lot regarding security."
Greater attention to security threat from inside, such as former employees who retain access to systems and data at their old workplace, will see company networks increasingly segmented so that employees can only access what they're meant to.
The final trend Clarke identified was that towards two factor authentication. "Don't bother with just a password, as it provides no security - there are utilities available for cracking passwords," he says.
George W Bush made one of his "occasional" good decisions as president, Clarke says, when he mandated that all federal US government employees sign on with a smartcard with dual PKI and biometric identification.
What all those trends are converging towards is an online world where there's far more confidence among users and in which the advances made in the 1990s that allowed the internet to become an everyday tool can truly be realised.
"People are trying to take back cyberspace from the phishers, identity thieves and hackers and we can all be part of the effort to take it back."
After serving three presidents, Clarke now works for private firm Good Harbour Consulting.