[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[infowar.de] nochmal Clarke auf RSA, mehr zu GovNet, Krypto
Terror talk stalks RSA Conference
By Kevin Poulsen
Posted: 21/02/2002 at 21:02 GMT
The official theme of the eleventh annual RSA Conference evokes the
Elizabethan Era -- complete with costumed minstrels and acrobats
wandering the San Jose, Calf. convention center.
Unofficially, the security event opened Tuesday with a more serious
theme, with U.S. cyber security czar Richard Clarke warning about the
potential for terrorist hack attacks, and a panel of noted
cryptographers fretting over lost liberties in the wake of the real
terrorist attacks of September 11.
In a keynote address kicking off the conference, Clarke repeated the
message that he's delivered around the country since his appointment as
the White House's Special Advisor for Cyber Security last fall, evoking
patriotic duty and September 11 to urge companies to make computer
security a top priority, and arguing that future terrorists may exploit
glaring weaknesses in U.S. computer systems.
"This industry runs the same risk that the aviation industry ran,"
Clarke said. "For years, people in the aviation industry knew that there
were security vulnerabilities. They convinced each other and convinced
themselves that these vulnerabilities would never be used."
Citing a Forrester Research report that found companies spend on average
.0025 percent of their revenue on information security, Clarke chided,
"If you spend more money on coffee than IT security, you will be hacked.
And moreover, you deserve to be hacked."
In contrast, Clarke said, the Bush administration has proposed
increasing federal cyber security funding by sixty-four percent to $4
billion -- eight percent of the government's $50 billion IT budget.
Clarke also defended his proposal for the creation of a private network
exclusively for sensitive government computers. The administration
received 167 comments on the proposal to create a "Govnet" that would be
isolated from the public Internet, Clarke said. Those proposals are
being reviewed by sixteen federal agencies.
The cyber security czar professed surprise at learning from the comments
that other segregated wide area networks already exist, within federal
agencies and private companies. "What we discovered is that the idea of
having a separate air-gapped network... is in fact an old idea," said
Clarke. "There are already such networks out there."
Some security experts had criticized the Govnet proposal, arguing that
such a network would itself be vulnerable to attack, and would represent
a government abandonment of the Internet. Clarke countered Tuesday that
he didn't expect Govnet to provide perfect security, but that it makes
sense to remove critical government functions from the public network.
"I don't know where it was ever written that everything has to be
connected to everything else," said Clarke.
Clarke's talk -- a mix of fiery rhetoric and pragmatic analysis -- was
generally well received, though observers disagreed with Clarke on some
"He seems to say that out of the goodness of our hearts we should spend
more and more and do the right thing, and I don't think that's going to
happen," said Bruce Schneier, CTO of Counterpane Internet Security. "If
you want to make them do the right thing, make it illegal to do the
"I really believe terrorists are more interested in physical mayhem,"
said former hacker Kevin Mitnick, also attending the conference. "A lot
of people don't take notice if the phone system goes down in Miami."
The terrorism theme carried over into the Cryptographer's Panel -- an
annual tradition at the conference that brings together the world's most
well known cryptography experts. But the panel was less concerned with
the purported threat of cyber terrorism, than with the corporate and
governmental responses to physical attacks.
Adi Shamir, professor at the Weizmann Institute of Science, criticized
the hodgepodge of security measures that went into effect following
September 11, including airport screeners that sometimes prohibited
innocuous items like fingernail clippers, while allowing materials that
could be converted into weapons. "I think that in computer security we
know the importance of multiple lines of defense," said Shamir. "They
should use ethical computer hackers in order to think of ways that
airline security could be breached."
Privacy was an issue for MIT professor Ronald Rivest, who was
particularly concerned about plans to make widespread use of small,
inexpensive radio-frequency tags as security tools. "Everything you own
might have one of these tags on them," said Rivest. "I might be able to
tell how much money you're carrying just by putting out a radio probe."
The technology could backfire, said Rivest, with terrorists using the
tags as a proximity fuse for an explosive, so that a bomb would go off
when a particular person came within range. The cryptographer suggested
that laws may be needed to prevent companies or the government from
tying such tags to personally identifiable information.
Whitfield Diffie, another cryptography legend, worried about growing
restrictions on the free flow of information. "The more we impose
controls on ourselves, the more they can be taken over to support some
else's information control policies," said Diffie.
The cryptographer drew applause for condemning intrusive new
surveillance practices. "This kind of very un-American watching of
people is something we should watch very carefully."
Mail an infowar -
- infopeace -
de mit "unsubscribe" im Text.