National cybersecurity chief Richard Clarke (S.M. 1979) made it clear at an MIT panel discussion on Oct. 16 that the federal government plans to rely primarily on market forces and the cooperation of citizens to secure the nation's cyberspace infrastructure.
The meeting in Tang Hall was one stop on Clarke's road tour of the Northeast to get feedback on the draft of the National Strategy to Secure Cyberspace document.
Clarke told the audience of mostly men from the software industry and the information technology and security sectors that this may be the first time any national strategy has been developed with so much input from citizens, nongovernmental organizations and corporations. Anticipating the difficulty of regulating a system not owned by the federal government, Clarke said the process of developing the strategy was "designed to create a consensus" so that when the national strategy is finalized, people will buy into it.
"This is not a paper exercise. We are seriously soliciting dialogue," he said.
"We are running a big risk if we assume that we have big vulnerabilities in our IT [information technology] networks and the only thing that's ever going to happen is the low-level attacks - denial-of-service attacks and worms - that we've seen to date. I think personally that is a stupid attitude. Somebody, some day is going to hurt us and hurt our economy if we don't start dealing with those vulnerabilities," said Clarke.
Several audience members questioned the advisability of relying on software vendors to make their products secure voluntarily, and of asking consumers who can't even program their VCRs to download patches to keep hackers out of their home computers.
"We don't see regulation as the main way of achieving IT security," said Clarke, who was appointed Special Advisor to the President for Cyberspace Security in October 2001. The role of government is to "provide information, to do research and development, to fund it, to raise awareness and to stimulate education, but not to get into everyone's network and tell them how to do it. Instead we think it's everybody's responsibility." He said the national strategy calls for everyone "to identify the vulnerabilities in their part of cyberspace and then develop a program to mitigate those vulnerabilities."
He plans to have the government work with software vendors to encourage them to "ship it secure with every box" and to empower organizations like the Internet Engineering Task Force (the standards body for the Internet) to work the problems of securing the mechanisms of the Internet, he said.
MIT's network manager Jeff Schiller, director of the security subgroup of the Internet Engineering Task Force, moderated the discussion, which was introduced by President Charles M. Vest. Panelists besides Clarke were Gary Beach, publisher of CIO and CSO magazines, and John Grossman, assistant attorney general and chief of the corruption, fraud and computer crime division for Massachusetts.
In opening remarks, Vest said that network security has been a priority at MIT since the first days of the Internet. He outlined some of MIT's most notable contributions to the field, including the development of the Kerberos cryptographic authentication system in 1986, which is today incorporated in both Microsoft and Apple operating systems. "We recognize an institutional responsibility to assist in combating terrorism at levels ranging from the study of its root causes through the development of technical countermeasures and strategies for protection," Vest said.
Schiller described "the great myth in people's heads."
"They believe when they design systems that no one's ever going to attack them," he said. The great lie, according to Schiller, is that people develop technology thinking it will never be used on the Internet.
Schiller said after the meeting that he generally agrees with Clarke's strategy.
"This is the first step. Let's see if [Clarke] can make progress in this way," said Schiller. "If it doesn't work, then we have to think about regulating the software industry in general. But one shouldn't do that without at least trying."
A version of this article appeared in MIT Tech Talk on October 23, 2002.