[This was originally published on attrition.org]
Richard A. Clarke, Special Advisor to the President for Cyberspace Security (lovingly known as the Cyber Security Czar), recently announced plans to retire a little over a year after his appointment by George W. Bush.
Under President Bill Clinton, Clarke was appointed the first National Coordinator for Security, Infrastructure Protection, and Counter-terrorism in May 1998. Later, Clarke was appointed Special Advisor to the President for Cyberspace Security in October 2001 by President George Bush.
Having someone appointed to the position of Cyber Security Czar originally promised great advancement for the cause of internet security. Unlike most political appointees, Clarke appeared to have a genuine interest in learning more about security and its players, despite his lack of IT or security background. He made himself available and spoke at conventions such as Black Hat Briefings and Defcon 10. These acts were taken as a sign that he was willing to get his hands dirty, study all sides of the issue, and make informed decisions about the national security infrastructure. These hopes were quickly dashed, and Clarke reverted to typical czar behavior, leading the industry to ask, “Is Clarke the Right Man For the Job?”
“The software industry has an obligation to do a better job producing software that works,” he said. “It’s no longer acceptable that we can buy software and run software on sensitive systems that is filled with glitches.” – Richard Clarke
Unfortunately, this statement came paired with FUD in the form of the claim that the worm did 3 BILLION in damages. This claim should have set off warning bells for everyone in the security industry. I have long been a critic of computer crime damage figures, since they are rarely (if ever) founded on factual numbers. Drawing numbers out of thin air represents fear mongering at best, and a desire to sell some nice swamp land in Florida at worst. People designated to lead our nation in ‘cyber security’ have no right to lead through fear, uncertainty and doubt.
Clarke’s resignation is to come shortly after submitting his final draft of the National Strategy to Secure Cyberspace. Already described as controversial and lacking muscle, this plan is intended to guide the United States in securing a global network rife with insecurities. A strategy for taking millions of computers, run by millions of people with varying levels of technical proficiency, running diverse applications, with a twenty year history of security vulnerabilities, all running on protocols that are inherently insecure, and somehow making them all work together in a secure fashion. In short, a pipe dream.
Ariana Cha of the Washington Post calls Clarke’s plan his most ambitious endeavor. I disagree. Clarke prepares and submits this strategy, only to resign his position as the Cyber Security Czar, leaving his successor with an impossible task. When asked why he is resigning, he “simply wants to pursue new challenges outside government after 30 years of public service.” I say bullshit. Were he the ambitious sort that Cha praises, he would stick around to implement the plan.
Consider Clarke’s 30 year career, his last appointment and the task at hand. Where exactly can he go if he stays in this position? He is in a presidentially appointed advisory position and likely making the best salary with healthy benefits and perks. With no avenue to advance in the government sector, he is doomed to his current position, where he would have to ride out the remaining years implementing his new strategy. Imagine that! Having to live up to the task of securing ‘cyberspace’ for our nation, which is simply not possible. Instead of acting like a real Cyber Security Czar and simply informing the president that the Internet is not securable in its present form, he is bailing out before facing the failure when his strategy isn’t implemented or successful. His departure is the ultimate in undermining his own strategy.
With his resignation announcement, Clarke sent out a farewell letter of sorts to “all ISAC’s”, which was swiftly forwarded on to everyone else on the Internet. It was this letter that prompted my original response in the form of an ad hoc rant to the ISN Mail List.
Days after my ad hoc rant, Declan McCullagh posted the farewell letter to his Politech Mail List and received several excellent responses pointing out more flaws in Clarke’s comments.
At the same time, it seems that we should hold government officials to a high standard of accuracy, particularly when there’s always the danger of exaggeration and scaremongering to (a) make yourself seem more important and thereby fatten your paycheck at your next (probably private sector) job, (b) increase funding for your own .gov fiefdom and those run by your friends, and (c) argue for new, intrusive, and arguably unwarranted regulations imposed on technology firms. — Declan McCullagh
According to an article titled Internet Slammed Again by Steven Cherry, the worm did not disable “some root servers”. It turns out that only a single Unix-based root server in Vienna, Va., run by the U.S. Department of Defense, was off-line for any length of time, while the rest did not see any increased activity or experience any downtime. According to others on the Politech list, Clarke was way off base with his Canadian election comment. The “national election/referendum in Canada” that was “cancelled” was actually the NDP leadership election, and the voting tally was only delayed slightly due to the Internet slowdown. Is this a case of sheer ignorance, or a Cyber Security Czar peddling FUD to further his own agenda?
Farewell, Dick – We Hardly Knew Ye
The role of Cyber Security Czar is simple but important. Make informed decisions and recommendations so that the presidential administration can act responsibly in shaping legislation and standards that will affect the Internet. If such a czar is not making informed recommendations or finds himself using fear, uncertainty, and doubt as a tool to further his soon-to-be private sector life, then he isn’t fit to hold the position. Grossly misstating facts to undermine the security and confidence of the Internet you are tasked to protect before entering the private sector that profits heavily off those insecurities is tantamount to fraud.
When tasked with drafting a plan to secure the Internet, Richard Clarke had a chance to reply truthfully to President Bush: “Mr. President, without sanctions and fines for gross neglect of security responsibilities for all parties involved, our cause is hopeless.” Rather than face the President’s irrational request head on, Clarke opted to draft a weak-willed plan that will leave any successor floundering under the watchful eyes of an administration ill-prepared to tackle Internet security.