Ex-cybersecurity czar warns that complacency could lead to disaster

Summary:Richard Clarke has warned that the rate and severity of cyberattacks is continuing to increase - without adequate security, the future is 'not a pretty picture'

Richard Clarke has more bad news for IT execs.

During his tenure as White House cybersecurity czar, Clarke was frequently criticised for his "sky-is-falling" attitude. Indeed, Clarke claims that the Sobig attack brought down a chunk of sky and that his warnings should have been taken more seriously.

If current trends continue, Clarke told attendees at Gartner's Symposium/ITxpo 2003 in Florida this week, the cybersecurity situation isn't just going to get worse. It's going to get exponentially worse. 

Noting that the conference's location (Disney World) might be appropriate because "only in fantasy land can everything you have be secure," Clark identified five trends that don't bode well for those trying to deal with cyber attacks.

The first of these trends has to do with the number of software vulnerabilities. After assimilating data from sources such as Bugtraq, the SANS Institute, and the vendors themselves, Clarke said the number of announced vulnerabilities has doubled every year for the last three years. "At this point," said Clarke, "we're now seeing as many as 60 new vulnerabilities per week."

A second trend that closely tracks the first, according to Clarke, is the number of patches for those vulnerabilities, which also has doubled every year for the past three years. Patch management is a road full of potholes.

"No sooner do the patches get applied, then they have to apply another one," Clarke said. "CIOs want these patches applied but have no idea what the effect of the patch will be on their systems, so they're reluctant to put them on quickly. Also, they want to wait until they have a bunch of patches first, and then test them before deploying them. But, during the wait period, they're vulnerable and some have been successfully attacked in that window."

The third trend Clarke is watching is what he called the "time to exploit". This is a measurement of the elapsed time between the moment a vulnerability is announced and when the corresponding exploit makes its first appearance on IRC or some other chatroom. Said Clarke, "It's gone from months to weeks to days, and now it's about six hours. 

Topics: Security


David Berlind was fomerly the executive editor of ZDNet. David holds a BBA in Computer Information Systems. Prior to becoming a tech journalist in 1991, David was an IT manager.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.