Mr. Clarke has been floating several trial balloons this week.
"Software makers and Internet service providers must share the blame for
the nation's vulnerable networks, President Bush's special adviser on
cyberspace security said Wednesday."
"Why is it that companies have sold products that they know are
insecure?" asked Richard Clarke, President Bush's chief cybersecurity
adviser. "And why is it that people have bought them? We should all
shut [wireless LANs] off until the technology gets better."
While Mr. Clarke was identifying groups to blame for the current state
of affairs, he seems to have left out the group which has historically
blocked many security improvements.
Gee, it seems like just last year the US Government had a policy of
futzing with international standards development to block strong
security (GSM), engaging in expensive legal investigations of people who
wrote things like Pretty Good Privacy, prohibiting companies from
exporting products with strong encryption, and generally making it a PITA
for companies who wanted to make products which were more secure (forcing
security research offshore or to Canada). Even attempts to include
default encryption in IPv6 hit government policy roadblocks. Anyone who
tried to make it more difficult to intercept communications was accused of
helping child pornographers, criminals, terrorists and hackers. The
refrain was if you have nothing to hide, ...
It took decades of government policy to reach this point. Does Mr.
Clarke's statement signal the end of the government's policy of
maintaining the status quo? If we secure wireless communications, that
means it will be possible for people to communicate without worrying
(excessively) about eavesdroppers. But that security improvement also
means the government may not be able to listen in on those communications
either. Have the FBI and NSA signed off on this apparent new policy of
securing our networks?
Finally, what role should network operators play in determining what
content subscribers can have access to, including "unsafe" content?
"ISPs to step up
Internet service providers also have to be more security conscious,
Clarke said. By selling broadband connectivity to home users without
making security a priority, telecommunications companies, cable
providers and ISPs have not only opened the nation's homes to attack,
but also created a host of computers with fast connections that have
hardly any security."
Public network operators are very security conscious, about the
public network operators' network. Should public network operators do
things, common in private corporate networks, such as block access to
Hotmail, Instant Messenger, Peer-to-peer file sharing, and other
potentially risky activities? Should it be official government policy
for public network operators to prohibit customers from running their own
servers by blocking access with firewalls?