RE: [iwar] [fc:Cybersecurity.A.Top.Priority:.White.House.Adviser. Presses.Computer.Industry.to.Do.More]

From: Leo, Ross (Ross.Leo@csoconline.com)
Date: 2002-02-15 07:18:47



All I can say is:

1.  Hooray Bill!  At least you are being realistic by saying "less
vulnerable...".  We won't hold our breath, but we will wait and see.

2.  Once again Larry Ellison grandiloquently pledges the impossible, and
once again won't deliver.  His attention-getting remarks are worse than
boring.  As Anthony Hopkins' character from "The Edge" said "What one man
can do, another can do." With apologies, "What one man can build, another
can break".  At best Oracle will only be improved (which is fine) - but
unbreakable?  Not very realistic.

3.  Hooray John!  The light comes on.  Funny how the leader of the
networking behemoth has only now figured out how fully and completely
network security and networking configuration/performance are fundamentally
a part of each other such that he is now calling security enhancements
"necessities"!

This is good news, at least 2 out of 3 anyway.  However, talk is cheap.

Ross




-----Original Message-----
From: Fred Cohen [mailto:fc@all.net]
Sent: Thursday, February 14, 2002 23:48
To: iwar@onelist.com
Subject: [iwar] [fc:Cybersecurity.A.Top.Priority:.White.House.Adviser.Presses.Computer.Industry.to.Do.More]


Cybersecurity A Top Priority: White House Adviser Presses Computer Industry
to Do More

By Ariana Eunjung Cha, Washington Post, 2/10/02
www.washingtonpost.com

The unusual announcements from three of the technology industry's most
powerful men came just weeks apart.

Microsoft Corp. Chairman Bill Gates declared that making his company's
software less vulnerable to security breaches would take precedence over
adding new features. Oracle Corp.'s Larry Ellison pledged to make his
company's database programs "unbreakable." Cisco Systems Inc.'s John
Chambers told clients at a private conference that he no longer regarded
security enhancements on equipment that directs traffic across the
Internet as extras but as necessities.

The timing of the announcements was no coincidence.

Directly or indirectly, the statements were influenced by an aggressive
public awareness campaign orchestrated by Richard A. Clarke, who in
October took on the new job of White House cyberspace security adviser.
In private meetings with chief executives and in speeches at
conferences, Clarke has pushed companies to commit themselves to
protecting the online world from attacks by terrorists and other
nefarious parties.

"There is . . . a growing consensus in government and industry that we
can no longer continue praising the emperor's new clothes," Clarke said
in an interview this week. "There is a willingness to admit that there
are vulnerabilities and it is not inconceivable that they will be used
against us in a way that could be very damaging to the economy."

Clarke's push is part of a government-wide effort to improve
cybersecurity and to better coordinate the efforts of bureaucracies and
corporations.

Just yesterday, the House passed a bill that would allocate $880 million
over five years to computer-security research. And a coalition of
companies in partnership with the federal government announced a
National Cybersecurity Campaign to teach home and small-business
computer users how to safeguard their machines.

Over the past few months Clarke has drawn up his own ambitious agenda,
which includes:

* Creating an Underwriters Laboratory-type place to test software
security.

* Establishing a priority cell-phone system for law enforcement and
medical personnel.

* Creating a "reverse 911," or multimedia emergency broadcasting
service, to send alerts to people in specific areas on land lines, cell
phones or computers.

* Establishing ties with cybersecurity experts in other countries to
coordinate investigations.

* Setting up a government-run Internet called GovNet.

Clarke successfully lobbied for an increase from $2.7 billion in fiscal
year 2002 to $4 billion in 2003 for government-computer security.

His office has created task forces of major Internet service providers,
router manufacturers and security experts in and out of government to
develop a plan to protect the basic infrastructure of the Internet.
Their proposals are due in April.

Clarke is still assembling a staff. He has filled only half of the 16
jobs.

The staff so far is a mix of national security officials, businessmen
and technical geeks. Howard Schmidt, the former head of computer
security for Microsoft, started in late January as Clarke's deputy.
Roger Cressey, a career public servant who has worked on anti-terrorism
efforts in Israel, Somalia and the Balkans, is the chief of staff.

Also in the office are Paul Kurtz, a longtime National Security Council
staffer specializing in international relations; Steve Poizner, a former
Silicon Valley entrepreneur; and Marcus Sachs, a retired army officer
who is better known for being part of an elite group of hackers that helped
the government neutralize the "Code Red" and "Nimda" worms.

Clarke is emphasizing that government agencies and other interests talk
and share information.

"I see that office as having its greatest effect by bringing together
resources that already exist and making them go in the same direction,"
said Allen Paller, director of research for the SANS Institute, a
computer-security think tank in Bethesda.

The various government agencies in charge of cybersecurity will come
together under one roof this month at the old Y2K initiative
headquarters at 18th and G Street. The Commerce Department's Critical
Infrastructure Assurance Office and the FBI's National Infrastructure
Protection Center outreach operations -- two groups known for past turf
battles -- will join Clarke's staff.

There has already been some awkwardness. While Tom Ridge's Office of
Homeland Security has taken the lead in issuing alerts about physical
threats, it has always been the FBI's job to let the public know about
viruses, worms, hacks and other things that threaten the online world.
And the mission of Clarke's office overlaps greatly with the Commerce
Department's critical infrastructure unit.

The groups have temporarily resolved the issues by making sure that
Clarke's office is informed when the FBI issues alerts and by appointing
John Tritak, director of the Commerce Department unit, as a high-ranking
member of the critical infrastructure protection board that Clarke
oversees.

Clarke spent much of his first 100 days in office making the rounds of
technology companies. Many corporate executives expected feel-good pep
talks about how government and industry could work hand-in-hand to
prevent cyber attacks.

Instead, Clarke and his staff brought binders full of research papers
raising questions about security vulnerabilities. They were not above
coaxing or bullying the business officials with threats of regulation
and appeals to patriotism.

"No vendor wants to appear like they are not being patriotic or
responsive to real concerns about security breaches or flaws now and I
think Mr. Clarke is very effective at using that to push them to make
changes," said Catherine A. Allen, the chief executive of the technology
group for the Financial Services Roundtable, which represents the chief
executives of some of the nation's largest companies.

Microsoft spokesman Jim Dessler said while the company chose on its own
to redirect its software development efforts, "it came in the backdrop
of an increased emphasis in security that has been put forward by those
in government such as Clarke."

Mary Ann Davidson, chief security officer at Oracle, said that since
Sept. 11 federal officials have made many people realize that perhaps
"the most frightening type of attack is one that's launched in
cyberspace to bring down our critical infrastructures."

"To get these companies to put their money where their mouths have been
for years, that is a major victory for his office," said Gilman Louie,
who heads In-Q-Tel, the high-tech venture fund financed by the Central
Intelligence Agency.

But even as they praise his aggressiveness, some question Clarke's
priorities.

His proposal to create GovNet has been criticized by many experts as
impractical and costly. His partnership approach to get industry to do
things voluntarily has clashed with the opinions of groups such as the
National Academy of Sciences, which recently put out a report that said
new liability laws are the answer.

Eugene Spafford, director of Purdue University's Center for Education
and Research in Information Assurance and Security, said Clarke should
spend more of his energy on getting federal computer systems up to par.

"They are starting in the wrong place," Spafford said. "If I were out in
industry I would find it unpersuasive to be told that I have to spend a
lot of money on new security without some indication that government has
done it first."


------------------
http://all.net/ 




This archive was generated by hypermail 2.1.2 : 2002-12-31 02:15:03 PST