Analysis Don't look now, but the cyber 'missile gap' might be turning into an issue. Speaking at Microsoft's Safenet 2000 conference on Friday, top White House security official Richard Clarke painted a grim picture of foreign powers setting up cyber warfare squads intent on unleashing an electronic Pearl Harbor on the USA.
And they're at it already - Clarke, who is National Coordinator for Security, Infrastructure Protection and Counter-terrorism for the White House National Security Council, told the select invited audience that these "information warfare squadrons" are now mapping US networks, looking for vulnerabilities. They could even be doing more than that, he hinted darkly.
Here come the Zeroes...
Shortly, the US really will have a new President, and people like Clarke are going to have to bring him up to speed: "The new President," he says, "will get an intelligence briefing that will tell him that crackers, criminals, and foreign powers are building sophisticated cyber attack capability and doing reconnaissance on our networks today. So whatever he does about cyber security, the new President better move fast."
Yes, that's right folks, Clarke has an expensive plan and wants a budget for it. Back in the 60s large quantities of dollars were secured on the basis of a missile gap that didn't exist, and now whoever turns out to be Prez is going to have the willies scared out of him about communist terrorist SMERSH spook squads led by Blofeld the instant he turns up for the intelligence briefing. We wouldn't be in the slightest bit surprised if another 30 years down the line these turn out to be largely imaginary too.
Clarke's pitch is slightly impaired by how difficult it is today to grasp who the states with the crack cyber squads could be, and we suspect this may be why he doesn't seem to have made it in his actual speech.
The Evil Empire is no more, and if you're trying to define things that could conceivably fall into the category of enemies, you're struggling to get much beyond Cuba and North Korea, neither of which is entirely credible as a state-of-the-art tooled-up cyber-warrior.
But who knows, maybe their lack of IT equipment is in itself a threat to the Free World, given that it confers a certain immunity to Echelon; carbon paper could be the V-weapon de nos jours.
Uninvent the Internet
Colourful, budget-getting presentation aside, the underlying axes Clarke has to grind are fairly clear. As far as the Internet is concerned: "Security was not a design criterion. Those who wish to do us ill in cyberspace can do so easily. They can steal information, invade our privacy, rob our money, extort concessions, and may even be able to disrupt and shut down major infrastructure such as electric power grids, telecommunications networks, and Defense command control systems."
To some extent, this is true, but as The Reg's saintly cyberspace guru Thomas C Greene repeatedly points out, it's generally people leaving doors open that makes hacking so damnably easy.
Clarke however sees security vulnerabilities that need an expensive Big Fix, and his proposed one seems strangely familiar. "We have a chance now to make security features inherent rather than appendages... our focus must be the new network." He proposes more secure switches, operating systems (a tip of the hat to the host here), and traffic management protocols. This should be done "as part of a private-public partnership."
It's legacy stuff anyway
Significantly he differentiates between the "legacy" network and the "new" network before getting on to his proposal - for an ever-expanding new network where security is inherent and absolute. Perforce, the current Internet must be what he terms the "legacy" one.
He splits them on the basis of "the current area of anonymity on one side and a secure zone for critical infrastructure on the other." In the latter privacy and security can be achieved, "but only if we end anonymity" (and can't you just hear those axes grinding away?).
The axes get louder. "What I envision is a secure critical infrastructure zone within cyberspace where messages could travel on fiber and switches exclusively serving authenticated messages. To secure that zone from attacking Trojan horses, there may have to be portals and customs inspectors. Participants may have to mutually design a form of scanning for known viruses, just as we consent to have our carry-on scanned before we are allowed to enter airspace. Such scanning can, I believe, be designed consistent with the highest standards of protection of privacy rights."
Remember this guy will have the President's ear, and - particularly if it's the one with the short attention span - will have terrorised him with visions of global secret conspiracies led by sinister men stroking fluffy white cats.
"I propose that Government and Industry in partnership, and with privacy rights advocates fully involved, examine whether such a secure area can be built in cyberspace." Industry will no doubt confirm that it can be, before you can say "lucrative defense contract."
The Brainiac Darpanet
He sees the network as first covering the US Department of Defense, which by a miraculous coincidence appears to have been falling seriously in love with his Redmond hosts over the past couple of years. And of course there's an exquisite irony to it all, because this will be what you might call the Brainiac Darpanet. From that humble (but lucrative for the IT industry) beginning, "the walls might be moved out to include banking and finance or electric power generation and distribution. Our goal would be to make this critical infrastructure zone of cyberspace immune to disruption from outside."
Entry to the secure zone would be voluntary for businesses, but presumably outfits wanting to engage in electronic commerce with other outfits (like the DoD) inside it would have to join them on the other side of the wire and the watch towers. Whatever, this "voluntary" zone "should be designed, built, and operated largely by the private sector."
Those of you with memories stretching back a tad over five years may remember quite a few outfits first rejecting the Internet in favour of something more secure they'd run up themselves, and then falling back on 'build a better Internet' plans which didn't work. Microsoft and AT&T were in this camp (AT&T for a lot longer than Microsoft), it didn't work, but here we go again, if we get Clarke's meaning properly.
But here, as Clarke signs off, comes what sounds like another axe. "The Federal Government, in my personal opinion, needs someone truly in charge of cyber security and with some power and budgetary clout, a Chief Information Infrastructure Officer. Such an official should be confirmed by the Congress and have authority to create and enforce standards of computer security for essential government systems. This official should also play an important role in the private-public partnership."
Now, who on earth might be able to do that job? Hasn't this guy got a long enough job title already? ®