Clarke presses industry on security

The White House is calling on the information technology industry to assist in government efforts to strengthen the state of cybersecurity and is also urging vendors to ensure that what they sell is secure.

The government has several programs under way to increase security within agencies, Richard Clarke, the Bush administration's cyberspace security adviser, said Dec. 4 at the Business Software Alliance's Global Tech Summit 2001 in Washington, D.C.

These programs include:

* Establishing a simulation center by January to build a model of the interdependent networks that support critical infrastructures, which include telecommunications and electric power.

* Analyzing comments from industry on the proposed GovNet intranet for critical federal systems.

But industry also must play a part to secure systems within government and within the private sector, Clarke told the audience of BSA members, which include Adobe Systems Inc., IBM Corp., Microsoft Corp. and Network Associates Inc.

To start, members of the IT industry must build information security into their products at the point of development and not treat it as an afterthought, Clarke said. In essence, manufacturers must say that "from now on, the default setting on all our products as they come to market will be for high security," he said.

Vendors must also work with government and other users to determine a better way to deploy patches to fix security vulnerabilities in software, he said. Right now when a vulnerability is discovered, vendors issue a patch and send out an alert to users, but Clarke said that industry must follow through, since most attacks happen because the patches are not used.

"It is also your responsibility to work with your customers to make sure those patches are applied," Clarke said.

Internet service providers also have a responsibility to their customers, including scanning for viruses and doing more to stop the spoofing of Internet Protocol (IP) addresses — a tactic used by many attackers to hide from investigators, Clarke said.

Beyond those steps, he said ISPs should insist that users install a personal firewall when they buy an always-on connection, such as Internet access via cable modem or Digital Subscriber Line. Many security incidents occur because home users — including federal and industry employees who work from home — have always-on connections without any security because ISPs do not necessarily provide a firewall as part of the connection service, Clarke said.

"People who sell cable modems and DSLs should sell them packaged with firewalls," he said.