Former White House cybersecurity czar calls for security audit standards

Computerworld - LAKE BUENA VISTA, Fla. -- Former White House cybersecurity expert Richard Clarke yesterday urged for stronger standards for security audits of U.S. companies, saying congressional action is needed.
"The Securities and Exchange Commission thinks it can [require audits] under its existing authority, but what I'm predicting is it will be a very vague statement and there will be no real auditing against that standard," Clarke told reporters at the opening of Gartner Symposium ITxpo 2003 here. Clarke is now a private security consultant, serving as chairman of Good Harbor Consulting LLC in Arlington, Va. He joined Good Harbor in July.
"You've got to have a relatively specific standard ... with some real probability that someone will show up at the door to audit. That will take a congressional act," he said.
Clarke also said standards should encourage automatic audits, so network probes could quickly determine security levels, "instead of bringing in PriceWaterhouse for $500,000" to do the audit.
Similar to banking audits, only 90% of what will be audited should be known, so companies won't prepare for audits and nothing else, he said.
Clarke, who resigned from his U.S. government cybersecurity role in January after serving in three administrations, made his comments after being asked about Sarbanes-Oxley Act and Health Insurance Portability and Accountability Act security requirements. Both federal mandates require companies to provide security certification. But "what do they certify, and who is going to say that they are wrong?" Clarke asked.
He also criticized Homeland Security Secretary Tom Ridge's recommendations for security certification as ineffective. "Frankly, it was Tom Ridge's idea that there be a Y2k-like statement [about security protection steps] to the SEC, but if that happens, it is going to be at such a high level of aggregation that you are never going to know what it means," Clarke said.
During year 2000 IT modifications, the SEC required Y2k certification by public companies. "We got away with that because it was a one-year trick, and you can trick people for one year," Clarke said. That Y2k certification was a "device" to get CIOs in front of their boards of directors to provide funds for date change fixes, he said.
Asked if cybersecurity failures could have caused the power blackout in Canada and the Northeast in August, Clarke ticked off a string of power outages and attacks on energy systems globally in recent months, including the loss of power throughout Italy in September. "We don't know what caused any of these so far," he said. "We do