Interesting People mailing list archives

White House Cyber Czar Richard Clarke on DMCA's "chilling effect".....


From: Dave Farber <dave () farber net>
Date: Fri, 18 Oct 2002 05:21:59 -0400

Do read the whole thing -- djf

Cyber chief speaks on Data network security
By Hiawatha Bray, Boston Globe Staff, 10/17/2002

President Bush's point man on computer security says that the nation has a
long way to go in securing its data networks but that new federal
regulations would be a step in the wrong direction.

Richard Clarke, head of the White House Office of Cyber Security, also said
the government should modify a controversial law designed to prevent
exploitation of software security flaws because it can be used to stifle
research to improve computer security.

''We don't want to create the Federal Internet Security Regulatory
Agency,'' said Clarke. Clarke wants businesses and government agencies to
work together voluntarily on tougher network security standards to protect
their computer systems from small-time criminals and international
terrorists alike.

Clarke, a Dorchester native and graduate of Massachusetts Institute of
Technology, came to the Boston area yesterday for a town meeting at MIT,
one of a series held to gather feedback on a proposed White House strategy
for securing America's computer networks. A draft of the proposal has
attracted criticism from some security experts since it was published on
the White House Web site last month. Skeptics say businesses and
individuals won't undertake the costly and expensive work of upgrading
their networks without an element of government compulsion.

At the town meeting, Clarke responded to a question about the controversial
Digital Millennium Copyright Act. The act makes it illegal to publicize the
existence of security flaws in computer software, but computer software
companies have used the law to threaten legal action against academic
researchers who publicize their discoveries of such flaws.

Clarke said such threats were a misuse of the law and that reform is
needed. ''I think a lot of people didn't realize that it would have this
potential chilling effect on vulnerability research.''

Clarke said that researchers should share vulnerability information with
responsible authorities who can produce repair patches before a problem
becomes widely known.

Bruce Schneier, author of a textbook on data encryption and founder of
Counterpane Internet Security Inc. of Cupertino, Calif., scoffed at the
White House's support of businesses and government agencies working
together voluntarily to prevent breaches of security.

''It's a lot of feel-good rhetoric,'' he said. ''The hard choices have not
been made.''

Schneier said the only hope for real improvement is to pass laws that make
computer hardware and software companies liable for security flaws.

''If you do leak private information, you will be held personally liable
for it,'' Schneier said. ''If that happens, companies will figure out how
not to do it.''

But Clarke said it would be very difficult to fairly assess the liability
of computer companies in a security breakdown. ''To date there's not been a
successful case of anybody bringing a legal liability case,'' he said in an
interview before last night's town meeting. ''I'm told by the lawyers that
liability law doesn't cover that kind of thing, has never covered that kind
of thing.'' Clarke added that the Bush administration doesn't support the
idea of drafting such a liability law.

Instead, Clarke wants computer experts in particular industries, such as
banking and health care, to work together on security standards and systems
that are compatible with the way computers are used in those industries.
Clarke said the banking industry and several others already have formed
such working groups, called Information Sharing and Assessment Centers, or
ISACs. Each ISAC will be able to establish a set of ''best practices'' for
computer security. Companies that fail to meet those standards could suffer
a loss of business, as clients seek out those with better data security.

Clarke wasn't totally opposed to government action. He noted that strict
standards can be imposed on businesses already under federal regulation.
For example, financial institutions are subject to federal laws that set
standards for their data privacy practices. Companies that don't meet the
standards of this law can be forced to do so.

He also favored a proposal contained in the pending homeland security
legislation that would give businesses a limited exemption to the Freedom
of Information Act when they reported security lapses to the federal
government. Companies have sometimes failed to report such security
problems for fear that a rival could file a FOIA request and gain access to
their proprietary information.

Clarke said he backed federal involvement in efforts to redesign the basic
data protocols used on the Internet. Some of these protocols, such as those
used for e-mail, contain well-known security weaknesses. But in order to
reform them, the entire Internet community must adopt the improved designs.

Although the US government privatized the Internet in the early 1990s,
Clarke said that it has a role to play in rewriting the basic code of the
network.

''There's got to be a middle ground between the federal government running
the Internet ... and abandoning it,'' he said.

And Clarke said the federal government can play a major role in setting
tougher security standards by simply applying such standards to its own
purchases of computer hardware and software. Because federal agencies spend
billions on data processing and networking products, businesses will
upgrade their products in order to bid on federal contracts, and these
improvements will be passed on to private sector customers as well.


-------------------------------------
You are subscribed as interesting-people () lists elistx com
Archives at: http://www.interesting-people.org/archives/interesting-people/

