Cybersecurity expert warns of post-9/11 vulnerability
Pittsburgh Post-Gazette
September 9, 2003
By Dan Fitzpatrick,
Post-Gazette Staff Writer

Almost two years after the devastating attacks of 9/11, former Bush White House adviser Richard Clarke sounded the alarm in Pittsburgh about a cyberattack that could be just as damaging to the national psyche, arguing that the federal government remains slow and very 20th century in its preparation for computer-based terrorist threats.

Clarke, in an interview yesterday on Carnegie Mellon University's campus, singled out the U.S. Department of Homeland Security, led by former Pennsylvania Gov. Tom Ridge, for being sluggish in making cyberspace a true national security priority. The department, Clarke noted, has yet to appoint a director and several key managers to its National Cyber Security Division -- a group asked to implement a protection plan Clarke developed before leaving the Bush administration in February.

The problem, Clarke said, is that Homeland Security leaders still think of risks to our society in terms of things that explode and incidents that have body bags. In the 21st century, as the power blackout of Aug. 14th proved, a great deal of damage to our economy and disruption to our way of life can be done without anything exploding or anybody being killed.

Clarke's insistence that the country pay attention to cybersecurity has made him a polarizing figure in the computer industry and Washington D.C., where he has worked for the last four presidents and advised three of them on intelligence and national security matters.

He left the White House as Bush's cybersecurity czar in February, to become a consultant. Known for his contempt of bureaucracy and his critique of pre-Sept. 11 intelligence failures, Clarke emerged after 9/11 as the digital Paul Revere, warning that the country's electrical power, finance, telecommunications, transportation, water and especially the Internet are all vulnerable to cyberattack.

In making his case for shoring up the nation's electronic infrastructure, Clarke is getting support from Pittsburgh and specifically, CMU. With Clarke's assistance, CMU computer scientist Roy Maxion sent a letter last year to President Bush warning that our nation is at grave risk of a cyberattack that could devastate the national psyche and economy more broadly than did the 9/11 attacks.

The letter, cosigned by Maxion's CMU colleague John McHugh and more than 50 of the country's top computer scientists, laid out a nightmarish scenario involving the sudden shutdown of electric power grids, telecommunications trunks, air traffic control systems and the crippling of e-commerce and credit card systems with the use of several hundred thousand stolen identifies. We would wonder how, as nation, we could have let this happen, the letter said.

Maxion and his co-signers proposed a five-year cyberwarfare effort modeled on the World War II Manhattan Project, requiring an investment ranging from $500 million to $1 billion per year. The clock is ticking, the letter said.

Some critics maintain that Clarke and institutions such as CMU, which was awarded $35 million in federal funds last year to fight cyberterrorism, are hyping a threat that does not really exist -- especially in the case of al-Qaida, the organization that carried out the attacks of 9/11.

Dorothy Denning, one of the country's top cybersecurity experts and a professor at the U.S. Naval Post Graduate School in Monterey, Calif., said she did not sign her name to Maxion's White House letter because I had a certain amount of reservation about whether or not it needed to be bought to that level of attention.

Denning has not seen the kind of devastating attacks people are worried about, and she hasn't seen terrorists actively pursing the Internet as a weapon. Clarke, Denning added, is right to point out the vulnerabilities in our infrastructure that could be exploited by everyday hackers and admitted that bad things could happen. But until those things do happen, no one knows what the cascading effect might be.

Another skeptic, George Smith, is more harsh in his appraisal of Clarke's admonitions.

I can't think of a single Clarke prediction or warning that was right or of any lasting value, said Smith, senior fellow with Alexandria, Va.-based defense think tank GlobalSecurity.Org.

He added: In 2003, it takes no great intellect to say the nation is in great danger from the electronic frontier. The fantastic claim always gets attention, diverts the mind from thornier but mundane problems ... Far easier to say al-Qaida is looking to turn off the power. You don't ever have to prove if there is even a small nugget of truth to it.

Terrorists, Smith said, are interested in creating bloodshed and terror. The Internet doesn't rise to this level of impact in a way that a truck bomb does.

Referring to the e-mail virus that has been plaguing computer systems of late, Smith argued that you can get three or four hundred copies of SoBig in your e-mail box a day -- a thousand, two thousand -- and it just has no physical impact no terror juice to it.

But Clarke, who was in Pittsburgh yesterday to speak at a computer intrusion detection conference, said he has been in this position before, warning of national security threats that some would not take seriously. Clarke, a counterterrorism coordinator under President Clinton, was among those who worried about Osama Bin Laden's capabilities before the events of 9/11.

An awful lot of people, unfortunately, don't believe (a cyberattack) will happen, he said. And as with terrorism itself, we learned from 9/11 that you can yell and yell and yell and imagine something happening and say it is going to happen, as I did with regard to al-Qaida, and no one believes you enough to act until it happens.

As for al-Qaida, Clarke claims that some of its followers have master's degrees in computer science, and that there is lots of evidence that al-Qaida has downloaded sophisticated hacking tools because we have seized their computers and know what's on them. So, I do think there is grounds for concern.

But focusing on al-Qaida is missing the point, he said. I don't think it is terribly important who the enemy is. It doesn't matter. What you need to worry about is the vulnerabilities.

There are some encouraging signs that the country may be safer from cyberattacks than it was before 9/11, according to Clarke.

There is anecdotal evidence, he said, that the companies that control much of the country's electric power generators, telecommunications lines, rail terminals and shipping containers are taking the voluntary security steps asked of them in Bush's National Plan for Protecting Cyberspace, developed by Clarke and released earlier this year.

Bush's plan relies on U.S. business, rather than the federal government, to shore up the nation's computer security infrastructure. Clarke, in fact, came to Pittsburgh twice last October to drum up support for the plan, making the point that for U.S. businesses the increased costs of preparing for an attack do not have to drain a company's productivity.

Some critics, responding to requests from the Bush administration that U.S. firms make themselves more secure, argued that companies have little incentive to pay for such measures in a slow economy.

Others said the plan itself lacked federal firepower.

If (Clarke) had made it to correspond with the urgency of his warnings, it would have been a strong strategy with teeth in it, capable of compelling the private sector to improve security practices in many different ways, said Smith, the senior fellow with think tank GlobalSecurity.Org. However, when unfurled, it had no power. It might as well have not been written.

But Clarke maintained yesterday, in an interview, that U.S. companies and the federal government are spending more money on cybersecurity and that the viruses that plagued computers this summer are forcing CEOs to pay more attention to the problem. Clarke, during his speech yesterday at CMU, even expressed confidence that this issue is making its way into pop culture, citing the recent movies Terminator 3 and Matrix Reloaded.

In the latter, Keanu Reeves' character Neo takes a tour of Zion, the last human city to survive outside the computer-generated Matrix, and is told that Zion's citizens do not think about the machines that power the city until the machines stop working.

Paraphrasing Neo, Clarke said, People need machines. But, machines need people, too.



GlobalSecurity
© Copyright 2003 PG Publishing Co., Inc.