Ex-cybersecurity czar warns that complacency could lead to disaster
Richard Clarke has more bad news for IT execs.
During his tenure as White House cybersecurity czar, Clarke was frequently criticised for his "sky-is-falling" attitude. Indeed, Clarke claims that the Sobig attack brought down a chunk of sky and that his warnings should have been taken more seriously.
If current trends continue, Clarke told attendees at Gartner's Symposium/ITxpo 2003 in Florida this week, the cybersecurity situation isn't just going to get worse. It's going to get exponentially worse.
Noting that the conference's location (Disney World) might be appropriate because "only in fantasy land can everything you have be secure," Clark identified five trends that don't bode well for those trying to deal with cyber attacks.
The first of these trends has to do with the number of software vulnerabilities. After assimilating data from sources such as Bugtraq, the SANS Institute, and the vendors themselves, Clarke said the number of announced vulnerabilities has doubled every year for the last three years. "At this point," said Clarke, "we're now seeing as many as 60 new vulnerabilities per week."
A second trend that closely tracks the first, according to Clarke, is the number of patches for those vulnerabilities, which also has doubled every year for the past three years. Patch management is a road full of potholes.
"No sooner do the patches get applied, then they have to apply another one," Clarke said. "CIOs want these patches applied but have no idea what the effect of the patch will be on their systems, so they're reluctant to put them on quickly. Also, they want to wait until they have a bunch of patches first, and then test them before deploying them. But, during the wait period, they're vulnerable and some have been successfully attacked in that window."
The third trend Clarke is watching is what he called the "time to exploit". This is a measurement of the elapsed time between the moment a vulnerability is announced and when the corresponding exploit makes its first appearance on IRC or some other chatroom. Said Clarke, "It's gone from months to weeks to days, and now it's about six hours.
Clarke's fourth trend is the rate of propagation of the attacks. "In July 2001, Code Red was a big deal," said Clarke. "I was the White House cybersecurity guy at that time and we knew something was going on, but we didn't know what. We knew it was a big threat, though. So, we reached out to all the security-related agencies -- the NSA, CIA, FBI, even the private sector -- and by 4pm on that day, we had broken the code and knew what was going to happen: At 8pm Eastern Time, 300,000 machines were going to launch a distributed denial of service attack (DDoS) on the White House's domain."
To mitigate the attack's impact, he asked the major Internet backbone providers to black-hole all traffic destined for whitehouse.gov. "So, when the tsunami hit the edge routers, it just died," said Clark.
Comparing Code Red to the Slammer worm, which originated from South Korea, Clarke said: "We saw the same phenomenon earlier this year. It involved 300,000 computers from five continents, but instead of taking a day, it all happened in 14 minutes. So, when you combine the six hours of vulnerability-to-exploit with the 14 minutes it takes to complete an attack, not only are "they" evolving, but reaction time is shrinking. Bottom line: if you don't have defences already set up to deal with problem, you will be a victim."
The fifth trend to watch is the rising cost of cleanup. Precise cost estimates are difficult to come by, said Clarke, because too little is known about the reporting methodologies used to collect the data. Still, Clarke said, "The numbers may not be accurate, but the trend lines are. According to the data we have, the worldwide cost in 2002 was $48bn. This past August [when Sobig.f struck], the cost for one month alone was $35bn. Depending on whom you talk to, the total projected worldwide cost for 2003 is $119bn to $145bn. Compared to the $35bn from the year before, that's a huge upward curve."
Another trend that Clarke discussed had to do with identity theft. According to Clarke, recent data suggests that approximately 27 million Americans were victimised by some form of identity theft in the past five years. "Of those 27 million, 9.9 million of them -- more than a third -- came in the last year," said Clarke. "The FTC estimates that each incidence of an identity theft costs the company involved an average of $10,000. With almost 10 million happening in one year, you do the math."
Clarke used specific events to demonstrate what he called a "sea-state change" in the cybersecurity situation.
"For the last three years, I've been saying that there will be attacks on critical infrastructure such as transportation, banking, and power," Clarke said. "Let's look at what happened this year."
Clarke recounted how cyberattacks knocked out The Bank of America's ATM network, stopped or slowed CSX Railroad's trains, cancelled some of Continental Airline's flights, and forced offline a nuclear power plant in Ohio.
Regarding the Ohio blackout, Clarke noted the irony in a White House report refuting his assertion on ABC News that it could have been the result of a cyberattack. "I had no idea what it was," said Clarke, "But it might have been a cyberattack. The White House was saying it wasn't a cyberattack but, then again, couldn't say what it was. Then, the White House went on to ask former FBI National Infrastructure Protection Center director Ron Dick to investigate the cyberattack angle." The NIPC, which is now a part of the US Department of Homeland Security, focuses almost exclusively on cybersecurity issues. "Make of that what you want," said Clarke.
According to Clarke, the US power grid hasn't been the only grid to experience trouble recently. "The recent collapse of the Italian and British power grids has so far gone unexplained," said Clarke. "Oslo recently reported that cyberattackers attempted to bring down Norway's power grid, and Israel's intelligence agency Shin Bet recently reported that Israel's power grid has been the target of several cyberattacks. All of our infrastructure, including power and the Internet, are vulnerable."
Perhaps the worst news contained in Clarke's presentation is that nobody has been caught. "Look at all of the cyberattacks," said Clarke, "The FBI only has one high school kid who had neon signs in his windows saying 'I did it' and all he did was capture an existing virus (MSBlast) and modify it. The originator was never caught."
Clarke cautioned Gartner Symposium/ITxpo attendees against complacency. "When you hear everyone talking about IT security and you see it in the publications and from vendors, it becomes noise and you tend to turn it off. This is a mistake. What does this say about the future? It's not a pretty picture."