2/26/2014
01:25 PM

NSA Too Focused On Perimeter Defense, Clarke Says

The former White House cybersecurity adviser says the NSA's focus on perimeter security made it vulnerable to insider Edward Snowden.

Despite a drumbeat of high-profile data breaches in recent years, the National Security Agency and many other federal agencies continue to focus on outdated perimeter security practices, leaving networks vulnerable to insider threats, former White House cybersecurity adviser Richard Clarke warned at this week's RSA security conference in San Francisco.

"NSA was hacked," Clarke said. Although the agency has some of the best outward-facing security in the world, Edward Snowden was able to access and steal classified information without setting off alarms, "because NSA had terrible internal security."

The NSA, one of the world's most capable organizations in cyberoffense, is lousy at defense, he said.

Clarke, a security consultant who took part in the presidential review that recommended revamping the NSA's intelligence-gathering operations in the wake of the Snowden breach, made his comments at a Feb. 25 news conference hosted by Bit9 and Carbon Black at the RSA conference.

He also spoke at length on how the NSA's controversial intelligence collection activities have damaged relations with multinational companies that host data around the world, and he raised concerns about the safety of data traveling through US networks.


Former White House cybersecurity adviser Richard Clarke. (Source: Wikipedia Commons)

Intrusions into government systems are increasing: agencies reported 42% more breaches of personal information to the Homeland Security Department's US Computer Emergency Response Team in fiscal 2012 than in the year before.

Intrusions into private-sector systems are also getting plenty of attention. A recent example is the theft of credit card information belonging to millions of customers of Target and other large retailers over the holiday season. Once inside a network, intruders can go undetected for long periods because of a lack of monitoring of network activity, Clarke said.

Yet security programs continue to focus on the perimeter at the expense of the network. "The money goes to firewalls. The money goes to antivirus. The money goes to intrusion detection and prevention systems, and we know these systems fail all the time."

Clarke, who sits on the board of Bit9, made a pitch for visibility tools offered by the company, and he said legislation is needed to raise the level of cybersecurity in the nation's critical infrastructure, both government and privately owned. "Ultimately, I would like to see regulation," because market forces have failed to protect the national security and economy, but it isn't going to happen under the current Congress.

In the absence of regulation, Clarke called the president's 2013 executive order on infrastructure security and the resulting Cybersecurity Framework a good first step -- but only a step -- toward improved security.

He also called for revamping the NSA's intelligence-gathering programs and for increased transparency in the spy agency's oversight. Too often, it gathers information because it can, rather than because it should. While praising the current agency leadership, he said, "It's not a crazy idea" that the government could abuse information it has gathered, citing FBI abuses in earlier decades.

The NSA's problem is not a lack of controls, Clarke said, but the fact that oversight occurs in secret, which undermines public trust. The NSA is much more closely regulated than most nations' intelligence agencies, with oversight from the judicial, legislative, and executive branches, "but there is no way for the American people to know that."


William Jackson is a technology writer based in Washington, D.C. He has been a journalist for more than 35 years, most recently covering the $80 billion federal government IT sector for Government Computer News. His coverage has ranged from architecture to international ...

Comments
asksqn
User Rank: Ninja
2/26/2014 | 3:07:00 PM
So Much Hot Air So Little Ventilation
So Richard Clarke believes the NSA's biggest problem comes from insider threats who then rightfully divulge governmental abuse of power? Clearly, he still lives in the same, elite ivory tower he always has when he was receiving a paycheck from the agency.
Marilyn Cohodas
User Rank: Author
2/26/2014 | 4:50:08 PM
Revamping NSA intelligence-gathering
I'd like to hear more details on what Clarke actually thinks the NSA should change in order to provide more transparency into spy agency activities. Did he offer any specifics?
Thomas Claburn
User Rank: Author
2/26/2014 | 4:54:00 PM
Re: So Much Hot Air So Little Ventilation
I'd venture to say that the issue goes beyond poor internal security. Simply put, modern communications technology makes it extremely difficult to keep secrets. Even if the NSA was on top of everything, I suspect a determined insider could take data outside the organization. It's just too difficult to simultaneously have data be readable and protected.
WKash
User Rank: Author
2/26/2014 | 11:00:49 PM
Re: So Much Hot Air So Little Ventilation
I think you're right, Tom, that determined insiders are hard to beat. It is worth noting that after the Snowden incident, NSA chief Gen. Keith Alexander instituted a rule that two people had to be present to permit the downloading or transferring of data. Together with the right internal controls, that would make it harder though not impossible to make off with key data.
Charlie Babcock
User Rank: Author
2/26/2014 | 4:55:26 PM
Defense in depth
We must get to defense in depth, internal safeguards as well as perimeter defense, to achieve more secure operations. A rules engine should be watching user behavior to spot activity like Snowden's that's out of line.