“Trust” isn’t the first word that most folks associate with “cyberspace.” More likely it’s “risk.” So when former national cybersecurity czar Richard A. Clarke came to Santa Clara this October to deliver the keynote for SCU’s Trust Online conference, he shared strategies for making the Internet a little less risky for business and leisure—and less hospitable to crime, espionage, and fraud.
Consider this, Clarke said: “Massive amounts of data on corporate networks, on government networks, and university networks have been exfiltrated out of the United States over the last several years.” Indeed, the Pentagon had recently revealed that a hacker had not only penetrated its security but made a cyberforay into the secretary of defense’s office itself. The origin of the attack? It was traced to China. And consider that a week before the conference, Clarke said, hackers got into the system running the power grid in Idaho and took down a generator.
The Trust Online conference was co-sponsored by the Center for Science, Technology, and Society; the Markkula Center for Applied Ethics; the High Tech Law Institute; and Microsoft. Clarke observed, “If we didn’t have this university and its centers, we would probably conclude at the end of today’s meeting that we needed it.”
Beyond needing a university “in the middle of Silicon Valley where we can discuss ideas”—especially one like Santa Clara that is “one of the gems of California”—what else do we need to reclaim e-space from the bad guys? Clarke offered a few solutions, some of which are shibboleths to the left or the right:
National ID cards containing biometric data
Authentication online—at least for sites managing commerce or infrastructure
Increased regulation from the FCC—which the courts have ruled has the authority to make Internet service providers toe the line but, so far, has failed to exercise that authority. (“You don’t want government regulation?” Clark quipped. “Then just keep on letting your kids lick the lead off the Chinese toys.”)
Expanded use of a closed Internet for certain functions—e.g., the part that connects to nuclear labs or power grids
Improved quality of secure computer code to reduce the number of required patches and to eliminate trap doors
Establishment of a government champion of privacy rights and civil liberties with the power to actively oversee government activity—an action that would help restore some trust in government itself.
During the Q&A following his speech, Clarke was asked if there are other countries the U.S. should look to when it comes to cybersecurity. For online banking, Clarke offered Hong Kong—which requires two-factor identification. As for international policy bodies, Clarke recalled the first time that he sent an assistant to a meeting of ICANN, the international Internet regulating body. When the assistant returned, Clarke asked him how things went. The assistant answered with a question: “Do you remember the bar scene in the first ‘Star Wars’ movie?”
The conference brought more disturbing news from the annals of fighting cybercrime: The crooks and would-be crooks are diversifying, getting more sophisticated and organized, and “malware” developers are being funded to develop new and more damaging attacks. That was the assessment of Dave Cullinane, eBay’s chief security and information officer, who, in a lunchtime keynote address, shared some findings of a recent analysis his company had conducted of threats online. One observation that many of his listeners could corroborate: Phishing scams are better than they used to be, increasingly slick in their look and feel, with the goal of hooking computer users into revealing their passwords.
Panel discussions that included security experts from TRUSTe, Microsoft, Cisco, and the Federal Trade Commission assessed that one of the major tasks in cybersecurity is to break the cycle of online attacks we now face. However, it will remain a parry-thrust game, where the advantage resides with the attacker, unless we can make changes in policy, technology, and how we as individuals interact online. —JC and SBS