Cybersecurity tsar calls for tougher audits

Former White House cybersecurity expert Richard Clarke has demanded tougher standards for security audits of US companies, saying...

A former White House cybersecurity expert has demanded tougher standards for security audits of US companies, saying congressional action is needed.

Richard Clarke, now a private security consultant, said, "The Securities and Exchange Commission thinks it can require audits under its existing authority, but what I'm predicting is it will be a very vague statement and there will be no real auditing against that standard.

"You've got to have a relatively specific standard ... with some real probability that someone will show up at the door to audit. That will take a congressional act," he added.

Clarke said standards should encourage automatic audits, so network probes could quickly determine security levels, "instead of bringing in PriceWaterhouse for $500,000" to do the audit.

Similar to banking audits, only 90% of what will be audited should be known, so companies will not prepare only for audits and nothing else, he added.

Clarke, who resigned from his government cybersecurity role in January after serving in three administrations, made his comments after being asked about the security requirements of the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act.

Both federal mandates require companies to provide security certification. "What do they certify, and who is going to say that they are wrong?" Clarke asked.

He also claimed US Homeland Security Secretary Tom Ridge's recommendations for security certification were ineffective. "Frankly, it was Tom Ridge's idea that there be a Y2k-like statement [about security protection steps] to the SEC, but if that happens, it is going to be at such a high level of aggregation that you are never going to know what it means."

During the year 2000 remediation work, the SEC required Y2k certification from public companies. "We got away with that because it was a one-year trick, and you can trick people for one year," Clarke said, adding that Y2k certification was a "device" to get chief information officers in front of their boards of directors to obtain funds for date-change fixes.

Asked if cybersecurity failures could have caused the power blackout in the US and Canada in August, Clarke ticked off a string of power outages and attacks on energy systems across the world in recent months, including the loss of power throughout Italy in September.

"We don't know what caused any of these so far," he said. "We do know that Norway and Israel at least are saying there were cyber-hacking attempts to bring down the power grids in their countries.

"If the August outage was not caused by a hack attack, could it have been?" Clarke asked. "Could you bring down the power grid with a hack attack? I fully believe the answer is yes."

Generally, IT managers need to make security encryption as automatic as possible, Clarke said. "The key here is whoever makes the decision to use encryption in the organisation [so] that after that, it becomes automatic.

"Establishing elaborate systems [for security] is a pain in the ass, frankly, and they require lots of people to run them, and that's why they don't work and why people don't do them."

Clarke also noted a humorous personal problem with unsolicited commercial e-mail, saying that last week he received a spam message from himself. He said this was obviously because somebody, or some program, had spoofed his e-mail address as the sender and then delivered the spam back to him.

Clarke said it would be "really easy" for e-mail users to start personal "do not call" lists for e-mail by using any of several programs now available that accept mail only from certain people; combined with e-mail encryption, he said, this could provide a private system.
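To make concrete what such a sender allowlist does and does not buy you, here is a small added example (written for this page, not code from Clarke, Computerworld or any product mentioned). It filters a few constructed messages on the From header against a hypothetical allowlist; the addresses and message texts are invented. Two of the samples show the limits the article itself hints at: a message whose From header has been spoofed to the recipient's own address, as in Clarke's anecdote, sails through because the From header is unauthenticated, and a message whose display name mimics a trusted address is rejected only because the check uses the real addr-spec rather than the display name.

```python
import email
from email.utils import parseaddr

# Hypothetical allowlist for this example (the article names no addresses).
# It includes the owner's own address, because people routinely mail themselves.
OWNER = "me@example.org"
ALLOWLIST = {OWNER, "alice@example.com", "bob@example.net"}

# Constructed sample messages, not taken from the article.
MESSAGES = {
    "friend": (
        "From: Alice <alice@example.com>\r\n"
        f"To: {OWNER}\r\n"
        "Subject: lunch?\r\n\r\n"
        "Noon works for me.\r\n"
    ),
    "spam": (
        "From: Great Deals <deals@bulk.invalid>\r\n"
        f"To: {OWNER}\r\n"
        "Subject: act now\r\n\r\n"
        "Limited offer.\r\n"
    ),
    # The case Clarke describes: the From header carries the recipient's own
    # address. Nothing in a plain From header proves who actually sent it.
    "spoofed_self": (
        f"From: {OWNER}\r\n"
        f"To: {OWNER}\r\n"
        "Subject: a note from yourself\r\n\r\n"
        "Limited offer.\r\n"
    ),
    # The display name looks like a trusted address, but the addr-spec in the
    # angle brackets is the real sender. A check on the display name would fail.
    "display_name_trick": (
        'From: "alice@example.com" <mailer@bulk.invalid>\r\n'
        f"To: {OWNER}\r\n"
        "Subject: hi from alice\r\n\r\n"
        "Limited offer.\r\n"
    ),
}


def sender_address(raw_message: str) -> str:
    """Return the normalised addr-spec from the From header, ignoring the display name."""
    msg = email.message_from_string(raw_message)
    _display_name, addr = parseaddr(msg.get("From", ""))
    return addr.strip().lower()


def allowlist_accepts(raw_message: str, allowlist=ALLOWLIST) -> bool:
    """True if the From addr-spec is on the allowlist. This is an allowlist on an
    unauthenticated header: a spoofed From address passes just as a real one does."""
    addr = sender_address(raw_message)
    return bool(addr) and addr in {a.lower() for a in allowlist}


def triage(messages: dict, allowlist=ALLOWLIST) -> dict:
    """Map each message name to its accept/reject decision."""
    return {name: allowlist_accepts(raw, allowlist) for name, raw in messages.items()}


if __name__ == "__main__":
    for name, accepted in triage(MESSAGES).items():
        print(f"{name:20s} {'accept' if accepted else 'reject'}")
```

The spoofed self-message being accepted is the point: an allowlist keyed on the From header only narrows who can reach you to "anyone willing to forge an allowlisted address", which is why Clarke pairs the idea with encryption (or, more generally, some cryptographic proof of who sent the message) to make it a genuinely private channel.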

Matt Hamblen writes for Computerworld
