Former cybersecurity czar Clarke says smartphones, digital certificates create huge security problems

Clarke shares his thoughts on the hacktivist group Anonymous, why we shouldn't trust SSL certificates, and more.

Former White House cybersecurity adviser Richard Clarke, author of the book "Cyber War," served 19 years in the Pentagon, intelligence community and State Department. At the firm he founded, Good Harbor Consulting, he advises clients on security risk management; is an on-air consultant for ABC News; and also teaches at Harvard's Kennedy School of Government.

Speaking with Network World Senior Editor Ellen Messmer, Clarke shares his thoughts on the hacktivist group Anonymous, why we shouldn't trust SSL certificates, and more.

Do you find the hacktivist group Anonymous to be threatening?

I think of them more positively than most people, though I can't endorse their breaking the law. They're not trying to steal intellectual property to give it to the competition -- a lot of what is going on in the world is about that. But a lot of what [Anonymous is] doing is highlighting vulnerabilities we see in the enterprise. I'd just like to see this done legally. I'm not condoning law-breaking.

Who do you think was behind Stuxnet (the malware worm aimed at industrial control systems that hit the Iranian nuclear reactor last year)?

I don't know for sure, but many think it was the U.S. or Israel. I'd say the U.S.

Is it just dumb luck that the power grids here haven't been hit with a cyberattack like that?

We are having attacks here that go so far into penetrating the networks, but no attacks yet to take down the power systems. The only reason to get into the grid is for war. They're getting set up so if they were called on to attack the power grid, they can. Today, no one has the motivation. I don't know if I'd call an attack to disrupt and damage the power grid inevitable. We haven't yet seen non-state actors, like terrorists, try.

Does the U.S. have good cyber intelligence?

I think we have very good cyber intelligence with one exception: The U.S. government is not well-informed on attacks done on U.S. companies.

If you had the influence, what would you change to improve U.S. cybersecurity?

I would require the major Internet providers as a matter of regulation to filter the packets to look for signatures of attacks and blackhole them. I'd give the signatures to them. In a regulated industry -- finance, power and telecommunications -- I'd require all the software be vetted for all kinds of mistakes.

Over the years, you've been candid in your criticism of Microsoft and the endless cycles of patching month after month. These days, businesses are using virtualization software, primarily from VMware along with others such as Citrix. Do you think that brings any new security concerns?

I think virtualization and the cloud can be more secure or less secure, depending on how you configure. But there's a dialogue of the deaf going on between the user and the [cloud] provider. The user is saying, "It's up to you to provide security," and the provider says the same to the user.

In the past few weeks, the compromise of SSL server certificate providers such as Comodo, DigiNotar and GlobalSign have raised questions about certificates as a source of trust. Do you have any view on this?

My takeaway is you can't trust digital certificates. It's a turning point not just for digital certificates. In the attack on RSA, hackers are now going after two-factor authentication. Then they went after the defense companies, after having broken into a security company. That's a game-changer. I'm not just going to bust into RSA, I'm going to bust into Lockheed. RSA says you can continue to have confidence in two-factor authentication. But how much confidence? Are you really going to rely on them? I wouldn't be happy relying on RSA two-factor authentication or on an SSL certificate solution.

There are security regimens, such as PCI for payment cards. Would it be possible to come up with a security regimen for SSL certificates?

We've been willing to allow the marketplace to regulate them in effect. I'm not sure I could devise anything for this.

The trend we see in business today is that employees are insisting on using their own mobile devices, such as smartphones, for use at work. Sometimes, the corporation agrees to manage the device, sometimes they don't. Do you have any particular viewpoint on that in terms of security?

This is the newest and largest vulnerability in corporate America now. Employees say they must have these devices and the corporations have given in under pressure. That's the same corporation that put millions of dollars into firewalls and intrusion-prevention systems. But the CIOs are knowingly authorizing another way into the network. Maybe they've been told it's not secure, and done it anyway. There are thousands of apps for these mobile devices. Are they secure? What's in the Apple store or Droid store or elsewhere? No one has looked. If there is a corporate device, the corporation has a responsibility to its shareholders to ensure that everything that is allowed there is secured. They should insist they must vet the application, or have the provider vet the application. There should be a "secure app store" checked for security.

The Defense Department is also looking at using smartphones by giving them to soldiers. Is that a good idea?

It's a good idea if they're secure. Whether it's the Defense Department or a private company, they have every right to restrict use and every obligation to make sure they're secure.

When the question of supply-chain security comes up, and with so much manufacturing coming from China, do you think there's reason to be concerned about security of products made in foreign countries where sometimes there are political tensions?

My attitude is whether it comes from New York state or Shanghai, it probably has the same risk in software. There are people in the U.S. who can be bribed, too.

You recently joined the board of Bit9. Are you on the board of other companies as well?

I'm on the board of a few nonprofits, as well as Veracode. I joined Bit9 because I think their software can be used to help prevent advanced persistent threats [APTs].

APTs [stealth attacks to steal sensitive information such as intellectual property and proprietary information to advantage industry competitors or foreign governments] are now a huge concern. As in the RSA case, we hear about them more regularly. But when are we going to see justice? Why is it so hard to bring criminals to justice in APT cases?

If the attacker is a government or a cyber-sanctuary, you don't get justice. As long as there are cyber-sanctuary countries -- or a country that's a scofflaw.

What countries would those be?

Eastern Europe, Russia, Belarus, Ukraine, China. It's sometimes unclear whether attacks are coming from China or authorized by the Chinese government. There are two types of non-government attacks, the attack the Chinese government is letting happen and the attacks they ask to happen. It's against organizations with political involvement, such as Tibetans or other groups to which China is opposed, or economic competitors. The Chinese government is engaged in espionage against the Defense Department.

Is the U.S. also engaged in this type of espionage?

Yes, the U.S. is also engaged.
