Despite a drumbeat of high-profile data breaches in recent years, the National Security Agency and many other federal agencies continue to focus on outdated perimeter security practices, leaving networks vulnerable to insider threats, former White House cybersecurity adviser Richard Clarke warned at this week's RSA security conference in San Francisco.
"NSA was hacked," Clarke said. Despite the NSA having some of the best outward-facing security in the world, Edward Snowden was able to access and steal classified information without setting off alarms, "because NSA had terrible internal security."
The NSA, one of the world's most capable organizations in cyberoffense, is lousy at defense, he said.
Clarke, a security consultant who took part in the presidential review that recommended revamping the NSA's intelligence-gathering operations in the wake of the Snowden breach, made his comments at a Feb. 25 news conference hosted by Bit9 and Carbon Black at the RSA conference.
He also spoke at length on how the NSA's controversial intelligence collection activities have damaged relations with multinational companies that host data around the world, and he raised concerns about the safety of data traveling through US networks.
Intrusions in government systems are increasing: breaches of personal information that agencies reported to the Homeland Security Department's US Computer Emergency Response Team rose 42% in fiscal 2012 over the year before.
Intrusions in private-sector systems are also getting plenty of attention. A recent example is the theft of credit card information from millions of customers from Target and other large retailers over the holiday season. Once inside a network, intrusions can go undetected for long periods because of a lack of monitoring of network activity, Clarke said.
Yet security programs continue to focus on the perimeter at the expense of the network. "The money goes to firewalls. The money goes to antivirus. The money goes to intrusion detection and prevention systems, and we know these systems fail all the time."
Clarke, who sits on the board of Bit9, made a pitch for visibility tools offered by the company, and he said legislation is needed to raise the level of cybersecurity in the nation's critical infrastructure, both government and privately owned. "Ultimately, I would like to see regulation," because market forces have failed to protect the national security and economy, but it isn't going to happen under the current Congress.
In the absence of regulation, Clarke called the president's 2013 executive order on infrastructure security and the resulting Cybersecurity Framework a good first step -- but only a step -- toward improved security.
He also called for revamping the NSA's intelligence-gathering programs and for increased transparency in the spy agency's oversight. Too often, it gathers information because it can, rather than because it should. While praising the current agency leadership, he said, "It's not a crazy idea" that the government could abuse information it has gathered, citing FBI abuses in earlier decades.
The NSA's problem is not a lack of controls, Clarke said, but the fact that oversight occurs in secret, which undermines public trust. The NSA is much more closely regulated than most nations' intelligence agencies, with oversight from the judicial, legislative, and executive branches, "but there is no way for the American people to know that."