No cyberterrorism—yet—says security chief

Although terrorists have yet to execute a successful Internet-based attack on the United States, criminals continue to assail private and public sector computer systems, causing millions of dollars in damage and posing a threat to national security, said Richard Clarke, the president's cybersecurity czar, at a Thursday briefing.

Clarke, a strong advocate of increased electronic security, has helped to raise the issue to national prominence, but he has also suffered criticism from skeptics that say he and the White House overstate the threat posed by cyberterrorists.

Clarke, a counterterrorism official in the Clinton administration, acknowledged that terrorist organizations such as al Qaeda haven't turned the Internet into a weapon. But he cautioned against complacency. For years, he said, counterterrorism experts never thought terrorists would launch strikes such as the Sept. 11 attacks within the United States, because they wanted to use the country to make plans and raise funds without drawing the attention of law enforcement and intelligence officials.

Private-sector computer networks are hacked ever day, Clarke noted. Since companies use the Internet to communicate and conduct electronic transactions, disruptions to their networks undermine U.S. commerce, he said.

In order to defend networks, security experts and government officials agree that companies must tell authorities when their systems have been compromised. But businesses are often reluctant to do so for fear of bad publicity. FBI director Robert Mueller has complained that unwillingness to disclose hackings prevents his agency from investigating cyber crimes.

Still, companies are sharing more about the wounds they've incurred at the hands of hackers. In the year 2000, organizations reported almost 22,000 incidences of security violations to the Computer Emergency Response Team Coordination Center, a federally funded research center at Carnegie Mellon University in Pittsburgh. In 2001, that number more than doubled to almost 53,000. By the third quarter of 2002, more than 73,000 incidences had been reported.

Nevertheless, in an October speech before technology executives in Northern Virginia, Mueller chastised businesses for only reporting a third of cyber crimes committed against them.

Clarke said the White House has no plans to impose regulations forcing companies to reveal the security of their networks. But he admonished businesses to take security matters into their own hands. "Don't wait for the government to tell you who the threat is, because the government may not know in time," he said.

Numerous federal agencies monitor threats-such as computer viruses and worms-to private and public networks. Several of the largest organizations are now part of the Homeland Security Department. However, no single agency has a total view of all the threats moving through the Internet.

To help create a more unified picture of the state of the Internet at any given moment, Clarke has proposed building an international monitoring center. Companies and government agencies maintain such "situation rooms" to keep tabs on their own networks. But no organization or government has been able to put all those efforts in one place, and there hasn't been a major push in the United States to do so.

On the subject of cyber warfare, Clarke said the military lacks a policy doctrine that would allow it to launch electronic attacks on foreign countries. The Pentagon has the capability to conduct network warfare, and countries such as China and Iraq have reportedly been building their own cyber forces, as well.

Defense Department officials have complained that the lack of parameters on fighting in cyberspace has tied their hands. Clarke said he couldn't comment on how far along the Pentagon is defining a cyber warfare policy, but he said, "We're making progress."