Speech by Richard Clarke, Special Advisor to the President for Cyberspace Security.
Date: February 14, 2002.
Event: Forum on Technology and Innovation luncheon sponsored by Sen. Bill Frist (R-TN), Sen. Jay Rockefeller (D-WV), and the Council on Competitiveness.
Source: TLJ transcribed the following from its audio recording of the event.

Thank you Senator. And thank you all for coming, and for your interest in this topic. The President signed an Executive Order in October creating a new government wide board to worry about cyber space security. I have the privilege of chairing that board. We have also heard a lot in the months since September about cyber terrorism. So, at the risk of painting a very big picture with broad strokes, I would like to step back from the details, and ask, What is all this cyber terrorism stuff? And, why do we care? Why is it important? Because sometimes we can get down into the nitty gritty very quickly, and miss the big picture. So, excuse me for doing this, but I want to step back and look at the big picture.

What is cyber terrorism? I don't like the phrase. And, I would urge us not to use it. Terrorist organizations that we know, Al Queda, Hamas, Hezbolla, have not engaged in information warfare. They have not used the computer networks to attack us or others, with very minor exceptions. The Sri Lankan group LTTE engaged in a minor bit of information warfare against the Sri Lankan government. We are seeing an increasing interest on the part of Al Queda in computer technology. But, it is still fairly minor.

I prefer to think about information security, rather than cyber terrorism, or cyber space security. Because, it is not important who the threat is. It is not important whether it is a terrorist group or not. What is important is that there is a vulnerability out there -- serious vulnerability -- that anyone could use. And, a wide range of people are using all the time. There is a threat spectrum that ranges from the 14 year old hacker joy riding on the Internet, through the criminal engaged in fraud and extortion, through organized groups hacking for profit, through companies engaged in corporate espionage, to nation states engaged in espionage, and potentially, one day, in warfare supported by attacks on the Internet. Large spectrum.

But even the 14 year old at the end of the spectrum, the low end of the spectrum, can do damage, and has done damage. We had a 14 year old hack his way into the control system for dam in Arizona, to the point where he could have opened the flood gates. We had a 14 year old hack his way into the control tower of a airport in Massachusetts. So, let's not worry about who the threat is. The threat is there. Let's worry rather about vulnerabilities.

One of the lessons of September 11 ought to be that we minimized vulnerabilities that we knew were there. We all knew there were vulnerabilities in the aviation industry, from the security perspective. But, we didn't do anything about them. Why? Because there industry and the government couldn't agree on who would pay for it, because it was expensive. And so, we all persuaded ourselves that the possibility of the vulnerabilities being used against us was remote. Well, it obviously wasn't. I think that the lesson we have to learn here is, look at the vulnerabilities. Don't look at who is going to do it. And don't try necessarily to pretend that you have the wisdom of figuring out the probability of that someone will use the vulnerabilities.

When we look at the vulnerabilities of our networked systems, what do we see? We see that something remarkable happened in the course of the 1990s. Something akin to the industrial revolution occurred. But, it didn't have all of the noise associated with the industrial revolution. We didn't see mass migrations of people from the country side into the cities. Our skies didn't get clouded with smoke. What did happen is that every sector of our economy and government moved the operation of critical functionality onto network systems. You can call it the Internet if you like. You can call it the network of networks. The point is, that the electric power industry, the railroad industry, the banking industry, the stock market, the Defense Department, I could keep going, everybody moved all of their operations on to these network systems, and are now dependent upon them. None of our sectors of the economy, or our government, can operate unless their networks operate. They will sit there unable to do anything, unless they have networks operating. That is true across the board.

And in doing this migration of functionality into these network systems, we did not, as a nation pay enough attention to designing security in. In effect, we took systems that were designed to do something very different, and we made them do a great deal. We made them run our country. That was great for us in terms of productivity increases. It was great for us in terms of lowering the cost of doing business. But it was bad for us in the opening up of vulnerability, because the software, the hardware, the overall architecture was never designed with the thought that somebody maliciously would attack it. And so, we have legacy systems proliferated throughout our economy that are very vulnerable to attack.

What do we do about it? We have to think of it primarily first as a software and hardware architecture problem, not as a criminal problem, not as an intelligence problem, not even as a national security problem, primarily. We have, first, get the government to serve as an example. Right now it is an example of how not to do things. We have to get the government to have network security, and computer operations that are secure. The President took a big step in that direction. His budget, which has just come up here, has a 64% increase in the amount of money that the federal government will spend to protect its own computer networks, up to, the figure in the budget, 4.0 Billion dollars. That is 8.1% of the overall federal IT spending. We are beginning to put our money where our mouth is.

Now we have to get the private sector to do the same thing. The Forrester Group has an estimate that of the Fortune 500 companies, the average amount of money, as a percent of revenue, that they spend on IT security, is .0025 percent, or, slightly less than they spend on coffee. So, we need to tell companies that they need to spend more money on IT security, or they are going to continue to be raked as they were by Nimda, and the Code Red, last year.

But it is more than just spending money. They need to know how to spend that money. And, we need a partnership between the private sector and the government to share information, to get over the roadblocks of secret and top secret, to share information, to share the burden for research and development, and to cooperate in an effort to secure our infrastructures. And to do all of this, without heinous regulation. Because, if the government tried to regulate IT security, it would never achieve it. So, we are going to try to do this in partnership, and using market forces.

The President has asked us to develop a national strategy to secure cyberspace, and to have that strategy ready in the early summer. He has asked us to develop that strategy in partnership with the concerned industries. So, already we have groups banking and finance, transportation, oil and gas, IT, telecoms, out there developing their part of the national strategy. And in the Spring, we will be putting out drafts, and having open meetings, and asking for the entire country that cares about this issue, to participate in the development of that national strategy. It will be an open transparent process. And when it is done, we will have a national strategy. It will probably be last a day before it is out of date. So the national strategy will not be a coffee table book that you will see on Senators' desks. They won't be an annual report to Congress required by some Congressional bill. It will be a living document, living in Internet time, living in cyber space, changed, modules of it changed, as the threat changes, or when we learn that parts of it aren't workable.

So, this is an exciting process for us to create a living strategy that the government, industry, academia, are all involved in writing, and implementing. We have to do this, because we are now living on borrowed time. We have infrastructures that are vulnerable. And some day, somebody is going to use them against us in big way.