Richard Clarke remembers standing in the Oval Office and handing President George W. Bush a letter regarding what the nation should do to secure cyberspace.
"I think he signed it. I don't think he read it. I don't think he knows what it was," Clarke said during his keynote here in Las Vegas at the Black Hat security conference on Aug. 1.
Clarke is somebody whose advice Bush should have heeded.
Until his retirement in 2003, Clarke was a member of the Senior Executive Service, having served as an advisor to four presidents between 1973 and 2003.
He was the chief counter-terrorism advisor on the U.S. National Security Council for both the latter part of the Clinton administration through the early part of Bush's administration and the 9/11 attacks.
Serving with the Clinton administration, he toured the country for two years, collecting industry and academic intelligence on one crushingly important question: How do we secure cyberspace?
This is important. Within the coming 20 years, Clarke said, our soldiers will enter the battlefield with multiple IP addresses.
The Pentagon is already working toward what Clarke called net-centric warfare, part of which will be exoskeleton armor covered with interior and exterior sensors.
These exoskeletons will allow soldiers to literally have eyes in the back of their heads, to see around corners as robots fly ahead and beam back images to their visors, to lift weights at 5 to 10 times their normal capability due to exoskeletal servo-motors, and have their health monitored and their illness or fatigue medicated — again, automatically through the exoskeletal suit.
The Pentagon's vision of net-centric warfare relies on IP addresses, lots of them.
It's why the Pentagon is the only part of government now pushing for the next-generation Internet, IPv6, with its vast capacity for IP addresses, Clarke said.
But this all assumes that cyberspace is secure.
"It's not," Clarke said. "The chaos that goes on in cyberspace very day, I don't have to tell you about," he said to the audience of black, white and gray hackers.
"We are building more and more of our economy, our global economy, on the foundation of cyberspace 1.0," Clarke said. "The fundamental architecture hasn't changed since creation. And we still have secured very little" of that architecture, he said, including the very foundations of today's Internet's, DNS and PHP — themselves still not very secure.
We're also still running code from major vendors across the world that's "replete with errors, replete with errors people can use to hack into systems," Clarke said.
We still have no industry or academically generated standards to secure code, he added.
We still don't write secure code, either, he said, with high rates of errors commonplace.
We still don't authenticate much of cyberspace, either, he said.
We could also be using encryption far more than we do today, Clarke said — an omission evidenced by the loss of a laptop bearing the Social Security numbers of U.S. veterans.
"When some government laptop with the Social Security numbers of every veteran in the United States is stolen in Washington, we shouldn't have to worry about it; it should be encrypted. Databases should be encrypted," he said.
And, yet, they're not.
VoIP (Voice over IP) can be encrypted. With headlines about national security letters being abused by the FBI and other uses of surveillance, perhaps we should encrypt phone calls, Clarke suggested.
The United States also needs to adopt IPv6 "much more rapidly," Clarke said — not only because the Defense Department's plans rest on having IP address-loaded soldiers, but "because it also offers opportunity for security and for prioritization, which we don't have today. Think of how prioritization could improve disaster response in situations like 9/11 or Katrina, where communications channels get swamped immediately, barring emergency first responders from the prioritization they should have.
"And yet we're now planning disaster relief and other response based on cyberspace. On the Internet," Clarke said. "There's no way today to differentiate e-mail from someone to their grandmother or a packet with their vacation photos with that of [communications from a first responder in a disaster situation]."
The work needed to create an Internet infrastructure that could support a more secure, more rationalized cyberspace has unfortunately been starved of funding by a Congress, an administration and a society that just "doesn't get it," Clarke said.
"The Bush administration has systematically reduced the work necessary to secure cyberspace," he said.
"It's not because the answers aren't there," he said. "Or because it's a really hard problem. Sure it's a hard problem, but a lot can be done quickly. Two years we went around holding meetings, asking experts, asking industry, What should we do to secure cyberspace?"
Perhaps, instead of debating stem cell research, instead of debating whether evolution should be taught in schools, instead of surveilling citizens rather than terrorists, we should be having this crucial debate, Clarke said.
"The enemy is terrorists. The enemy is not citizens," he said.
The takeway from his talk: The enemy is an insecure cyberspace.
Scary stuff! One can only hope that the government and society recognize the threat and begin to act before it's too late!
For more information, check out the Cyber Security Wiki page.