As likely expected, Richard Clarke’s kickoff keynote at today’s SOURCE Boston created a lot of post-talk rumblings from the attendees. The former White House senior advisor, clearly still disenchanted with the Bush administration, talked once again about his belief of imminent net-centric warfare, the President’s new non-public cyber security directive, and why the word “regulation” is an expletive in Washington D.C.
Clarke cited the well-known DDoS attacks on Estonia and the reported Chinese government hacks of other governments as examples of how what used to be called paranoia has become, in reality, state-sponsored cyber war. And while there is truth to this, it’s certainly not news (if not a perceived catalyst for the U.S. government’s re-awakened interest in cyber security). Still, Clarke’s main beef appeared to be with President Bush’s recent signing of a directive that puts billions of dollars into several cyber security initiatives. Problem is, he says, that no one knows what those initiatives are.
Ah, but speculation makes for interesting discussion, even if it is only speculation. Clarke says that the Washington rumor mill is putting emphasis on securing the government’s own computer networks, going on the offense in cyber warfare, and perhaps a little investment in R&D.
He implied that once again that the current administration is missing the main problem by focusing Web traffic in such a way, arguing that there is no way to police and protect this data without potentially violating the privacy and civil rights of all Internet users – and ISPs for that matter. “We can no longer assume that our government is not violating the law or our privacy rights,” he said. He also talked again about the ethical impurities in potentially offensively hacking other countries, just because they may be hacking our sensitive networks.
He went on to say that government regulations be put in place to require ISPs to clean all of their data to solve at least 80 percent of cyber threat issues; and that also require the government itself to report vulnerabilities discovered to hospitals, corporations, universities and financial markets. But quite frankly, this seems like a moot effort. Considering the molasses rate at which the U.S. government moves, what are the chances that even if it is first to discover a vulnerability, that it could get it patched and communicated quickly enough to really protect high profile data? I’m no expert, but my guess is low.
Most of this isn’t new to folks who have seen Clarke speak before. And truthfully, while I agree with some of Clarke’s points, there seems to be a little bit of conflict. Pushing government regulations that would monitor all network traffic and put ISPs on the line to block applications and content while also arguing for civil rights and privacy, and even net neutrality, doesn’t mix in my mind. Then again, I’m certainly not going to pretend to be the right person to propose another alternative, either.
So, I ask – what do you think the government should or shouldn’t do? Should it take an offensive approach and is the “they are doing it, so should we” Cold War era approach to battle apply in cyber warfare as well?
– Jennifer Leggio
