RE: Richard Clarke’s Source Boston Talk
I wasn’t able to attend Source Boston this year so I have been following the blog for the event as well as some random Twitter traffic on it. I wanted to comment on this blog post but for some reason the blog requires me to register/login to comment but that feature seems to be broken.
At least this gives me an excuse to add to my blog. 🙂
The first thing that struck me was this comment:
“Clarke cited the well-known DDoS attacks on Estoniaand the reported Chinese government hacks of other governments as examples of how what used to be called paranoia has become, in reality, state-sponsored cyber war. “
While I have the utmost respect for Mr. Clarke and I do agree with a lot of what he has to say. This is pure FUD on his part. The DDoS attacks on Estonia were not state sponsored and while you can loosely apply the term “cyberwar” to these attacks I wouldn’t say that this is the best example. You can read a bit more on the Estonia thing over at Wired Threat Level.
The Chinese Government comment is very interesting to me. This has been something that has been rumored and invoked by security salesmen for quite some time but with no actual proof attached to it.
While I totally understand that any proof of this would be considered sensitive in nature if Mr. Clarke expects those outside of various .gov circles to believe these claims evidence must be produced. This reminds me of one of my favorite Boondocks Episode.
Gin Rummy: I always say the absence of evidence is not the evidence of absence.
Gin Rummy: Simply because you don’t have evidence that something does exist does not mean you have evidence of something that doesn’t exist.
Anyways, I am getting side tracked.
The other comment I wanted to make on this topic is in regards to this:
“He went on to say that government regulations be put in place to require ISPs to clean all of their data to solve at least 80 percent of cyber threat issues; and that also require the government itself to report vulnerabilities discovered to hospitals, corporations, universities and financial markets. But quite frankly, this seems like a moot effort. Considering the molasses rate at which the U.S. government moves, what are the chances that even if it is first to discover a vulnerability, that it could get it patched and communicated quickly enough to really protect high profile data? I’m no expert, but my guess is low.”
Looking at the recent Comcast vs. BitTorrentexample consumers will not accept any ISP monitoring / cleaning or otherwise altering content. Government regulation or not, users do not want their traffic monitored — it really is that simple.
The second part of this is U.S. Government reporting discovered vulnerabilities. Is this not what CERT is for? Has CERT not proved to all of us that this is actually a bad idea for various reasons. I do think that we need a reliable, trusted, and secure third party to help researchers report vulnerabilities (I would love to do this with VulnWatch) but I do not think it needs to or should be a government entity.
Many have the opinion that vendors are still moving too slow to fix security vulnerabilities (average of 120-150 days in my experience) adding government bureaucracy to the process will only make it worse.
Finally, after all the above complaining and tangents I do want to say that I agree with Mr. Clarke that one day we will see some sort of full scale state sponsored cyber-attack on critical infrastructure. Sadly, nothing will be done to prevent this until it actually happens and even then there is a good chance that the wrong things will be done in response. Take a look at the world since 2001 to see some very good real life examples of this.