LAS VEGAS—The government's top information security official sharply criticized the software industry, ISPs and the government itself for a lack of commitment to security. Saying that the current climate demands more and better security, Richard Clarke, chairman of the President's Critical Infrastructure Protection Board (PCIPB), said it was time for a change.

"The software industry has an obligation to do a better job producing software that works," Clarke said in his opening keynote speech at the Black Hat Briefings security conference here Wednesday. "It's no longer acceptable that the number of vulnerabilities identified goes up every year."

Clarke's comments drew cheers and applause from the audience, an eclectic mix of security professionals, hackers, federal officials and academics.

He cited Microsoft's Trustworthy Computing effort as a step in the right direction, but said that vendors as a rule need to write better-quality code.

"We also need an improvement in the quality of software engineering. It's clear that what we're doing now isn't working," Clarke said. "I welcome Bill Gates' pledge, and I will hold him to it. I think we should ask other vendors to do the same thing."

Clarke's comments were part of a preview of PCIPB's forthcoming national cybersecurity strategy, which it will unveil Sept. 18 in Silicon Valley. The document will address security problems in several key market segments, including banking and finance, chemical manufacturing, IT and education. Clarke singled out several industries as bearing the lion's share of responsibility for the current security problems facing the country.

He was particularly critical of vendors who sell wireless LAN gear and ISPs. Citing the Department of Defense's recent decision to turn off all WLANs in its facilities, Clarke said other organizations should do likewise until there are better methods for securing these networks.

Clarke lambasted ISPs for failing to alert consumers to the dangers inherent in having an always-on broadband connection.

"Every ISP that offers broadband ought to be offering a firewall," he said. "If you ask ISPs off the record why they don't, they'll tell you it's too expensive and they want broadband to be cheap. So they want to make it cheap for people to be hacked."

During his speech, Clarke also emphasized that he was not satisfied with the government's participation in the process of securing the Internet, but made clear that he had no intention of pushing for government regulation in this area.

"I don't want the government controlling regulating the Internet, but there has to be a middle ground where the government doesn't walk away," Clarke said. "Whose responsibility is it to think about the health of the Internet? It's all of us, but the government has a responsibility too."