Former Cyberterrorism Czar: 'Bush Doesn't Get It'
"The Bush administration has systematically reduced the major work necessary to secure cyberspace," Clarke said. "The president's own advisory committee on science and technology told him that they had dangerously reduced the funding for cyberspace R&D, and still he went ahead and reduced it."
"We gave President Bush a national cyberspace security strategy," Clarke added. "I handed it to him in the Oval Office, and he signed it. I think he never read it. I don't think he knew what it was. It has not been implemented in any significant way."
Clarke has publicly clashed with the Bush administration on several counter-terrorism and national security issues since 2004.
In a speech largely focused on promoting his recently released second novel, Clarke argued that both the public and private sectors are increasingly relying on the internet while ignoring fundamental weaknesses in its aging infrastructure and protocols.
"We are building more and more of our economy, and the global economy, on a foundation of 'cyberspace 1.0'. The fundamental architecture of cyberspace hasn't been changed since its creation," said Clarke, whose resume includes three years as the National Coordinator for Security, Infrastructure Protection, and Counter-terrorism and 11 years as the Chair of the National Security Council's Counter-Terrorism Security Group.
Clarke argued that while, fundamentally, IT security is "a really hard problem," a great deal of improvement would be relatively easy given appropriate attention and resources. He specifically highlighted the broad acceptance of software that he referred to as "replete with errors," and the failure to take steps to improve the security of basic protocols like DNS and BGP. He called for a number of measures, including the adoption of standards for writing security code, greater emphasis on authenticating both users and devices, and the rapid adoption of IPv6.
He also called for greatly increased use of encryption, both to improve overall security and to protect individual privacy. "When some government laptop with the Social Security numbers of every veteran in the United States is stolen in Washington, we shouldn't have to worry about it because laptops should be encrypted," he argued. "And because we apparently can't trust the government any more not to do illegal wiretapping, perhaps phone calls should be encrypted."
While conceding that the government's role in improving IT security is relatively limited, Clarke asserted that it was failing to do its part.
"I'm concerned, not because I think government is the solution, because it's not. I'm concerned because I think government is part of the solution. Government can do things, like funding R&D. Government can do things like setting a good example for cybersecurity. Instead, it's setting an example far too often of how not to do cybersecurity," he concluded.