The very week that companies were dealing with Slammer, the most damaging worm since Nimda, Richard Clarke sent an unlikely memo to members of the industry security groups known as Information Sharing and Analysis Centers (ISACs). In the memo Clarke said that he had submitted his resignation to President Bush. Indeed, last Friday, according to the New York Times, he quit.
Clarke, the president’s top cybersecurity adviser and chair of the Critical Infrastructure Protection Board, wasn't calling it quits because of the worm, precisely. But the connection wasn't lost on him either. In his memo to the ISACs, Clarke wrote:
The events of the last weekend demonstrate yet again how vulnerable our society is to cyberspace attacks. The Sapphire Worm was essentially a dumb worm that was easily and cheaply made. It attacked only one vulnerability on one piece of software from one vendor for one type of machine. ... It spread to hundreds of thousands of machines in less than 15 minutes. It disabled some root servers, the heart of Internet traffic. Although it was aimed at servers, it caused routers to flop and cease to function. Some airline flights were delayed or cancelled. Some banking functions ceased. A national election/referendum in Canada was cancelled. Workers were sent home at some major US companies. ... With slight modifications, the results of the worm would have been more significant.
Clarke, who was in San Diego most of the week, did not respond to repeated phone calls and e-mails from the writers of "Alarmed." His right-hand man and likely successor, Howard Schmidt, proved steadfast in his refusal to comment on the matter. But Schmidt, the former Microsoft CSO, did say, “Every time something like this happens, we collectively get better at being able to respond.” The ever-optimistic Schmidt (whose former employer, incidentally, fell victim to the Slammer vulnerability in its own software), said that Slammer proved what he and Clarke had been preaching for the last year and a half about interdependencies and unintended consequences — and that he thought they had made progress.
But that seems specious. Car crashes prove (over and over again) that car crashes kill people, but this hardly counts as progress. If anything, Slammer — and the destruction it caused that Clarke so eloquently summarised in his resignation letter — illustrated how painfully little progress has been made.
One could argue things are getting worse.
Noted security researchers Mark and David Litchfield picked the precise moment of Clarke’s news and Slammer to criticise the vulnerability information sharing process, as handled by CERT, the nonprofit research clearinghouse that both the government and private industry rely on heavily to coordinate critical infrastructure protection. When their company, NGS Software, discovers vulnerabilities (and they were the ones who discovered the SQL flaw that ultimately led to Slammer), they will no longer submit that information to CERT early on. Instead, NGS will only notify CERT 24 hours before it distributes a patch to its customers. The Litchfields cited concerns over CERT’s paid subscription service getting data before everyone else.
The move is likely to lead fewer and fewer companies to share vulnerability information with CERT. It also closes the door on some of the information sharing and public/private cooperation that Clarke has made his rallying cry.
"About half my job is marketing," Clarke told CSO magazine late last year in an interview. But many factors largely out of his control conspired to make that marketing fail. Those factors include the emasculation of the National Strategy to Secure Cyberspace; an administration that wouldn't consider the most cogent ideas to secure cyberspace (including regulation); a constituency of technology vendors that has never been serious about the task and had a part in emasculating the National Strategy; and, most recently, the Litchfields' move.
It starts to become clear why Clarke is resigning. Why push a rock uphill if everyone above you is pushing back down on it?
In his memo to the ISACs, Clarke cited two specific — and far less controversial — reasons for leaving his post: the completion of the National Strategy and the formation of the Department of Homeland Security, whose Secretary, Tom Ridge, was sworn in right when news of Clarke’s departure first leaked. This provides "a good juncture ... to end my 11 years in the White House," Clarke wrote. He also mentions briefly his desire to "contribute to these issues as a private citizen."
Think of all the money he'll make as a private consultant when Slammer2 hits. And Slammer3. And 4....
(Scott Berinato contributed to this article.)
"Alarmed" is a biweekly column about security and privacy. Look for a new version every other Thursday.