LAKE BUENA VISTA, FLORIDA (10/20/2003) - Former White House cybersecurity expert Richard Clarke on Sunday called for stronger standards for security audits of U.S. companies, saying congressional action is needed.
"The (U.S.) Securities and Exchange Commission (SEC) thinks it can [require audits] under its existing authority, but what I'm predicting is it will be a very vague statement and there will be no real auditing against that standard," Clarke told reporters at the opening of Gartner Symposium ITxpo 2003 in Lake Buena Vista, Florida. Clarke is now a private security consultant, serving as chairman of Good Harbor Consulting LLC in Arlington, Virginia. He joined Good Harbor in July.
"You've got to have a relatively specific standard ... with some real probability that someone will show up at the door to audit. That will take a congressional act," he said.
Clarke also said standards should encourage automatic audits, so network probes could quickly determine security levels, "instead of bringing in PriceWaterhouse for US$500,000," to do the audit.
Similar to banking audits, only 90 percent of what will be audited should be known, so companies won't prepare only for audits and nothing else, he said.
Clarke, who resigned from his U.S. government cybersecurity role in January after serving in three administrations, made his comments after being asked about the security requirements of the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act. Both federal mandates require companies to provide security certification. But "what do they certify, and who is going to say that they are wrong?" Clarke asked.
He also criticized U.S. Homeland Security Secretary Tom Ridge's recommendations for security certification as ineffective. "Frankly, it was Tom Ridge's idea that there be a Y2k-like statement [about security protection steps] to the SEC, but if that happens, it is going to be at such a high level of aggregation that you are never going to know what it means," Clarke said.
During year 2000 IT modifications, the SEC required Y2k certification by public companies. "We got away with that because it was a one-year trick, and you can trick people for one year," Clarke said. That Y2k certification was a "device" to get CIOs (chief information officers) in front of their boards of directors to provide funds for date change fixes, he said.
Asked if cybersecurity failures could have caused the power blackout in Canada and the Northeast in August, Clarke ticked off a string of power outages and attacks on energy systems globally in recent months, including the loss of power throughout Italy in September. "We don't know what caused any of these so far," he said. "We do know that Norway and Israel at least are saying there were cyber-hacking attempts to bring down the power grids in their countries.
"If the Aug. 14 outage was not caused by a hack attack, could it have been?" Clarke said. "Could you bring down the power grid with a hack attack? I fully believe the answer is yes."
Clarke also endorsed new technology from PGP Corp. in Palo Alto, California, and is expected to take part in a presentation on behalf of that company today at the symposium. PGP last month announced the first version of its Universal product, which is designed to automatically provide end-to-end e-mail security. The burden of protecting critical information resides on the network and not a user's desktop, reducing the security burden on end users, Clarke and company officials said.
Generally, IT managers need to make security encryption as automatic as possible, he said. "The key here is whoever makes the decision to use encryption in the organization [so] that after that, it becomes automatic," Clarke said. "Establishing elaborate systems [for security] is a pain in the ass, frankly, and they require lots of people to run them, and that's why they don't work and why people don't do them."
Clarke also noted a humorous personal problem with unsolicited commercial e-mail, saying that last week he got a spam from himself. He said it was obviously because somebody or some program had spoofed his e-mail address and then sent the spam with his address back to him.
Clarke said it would be "really easy" for e-mail users to start their personal "do not call" lists for e-mail by taking any of several programs now available to allow e-mail only from certain people, which could be combined with e-mail encryption to provide a private system.