Reclaim the 'Net, says former cybersecurity czar

AUCKLAND, New Zealand (Computerworld New Zealand) -- It's time to take back cyberspace from hackers, phishers and others who are preventing e-commerce and e-government from reaching their full potential.

That was the message Richard A. Clarke, former special adviser to President George W. Bush on cybersecurity, gave at a CIO breakfast meeting here recently.

Clarke, who was visiting New Zealand as a guest of Symantec Corp., also advised President Clinton on terrorism. Clarke published a book, Against All Enemies: Inside America's War on Terror, and is an outspoken critic of the decision to go to war with Iraq.

However, he stuck to cybersecurity during his presentation, turning to terrorism and politics only during the question-and-answer session. Having served under three presidents, Clarke is now chairman of the security company Good Harbor Consulting.

Security fears are the main factor holding back the widespread adoption of online banking and other transactions that can be more cheaply and efficiently done over the Internet, Clarke says.

"Most banks have about 30% of their customers doing online banking, and when you consider that an over-the-desk transaction that costs $2 can be done for five cents online, if a bank can move from 30% online customers to 70%, it'll save a lot of money.

"The No. 1 reason more people aren't banking online is the fear of chaos in cyberspace."

There are "all sorts of things" that are possible over the Internet but aren't being done "because we haven't achieved security in cyberspace," he says.

The U.S. government will spend 8% of its IT budget on security this year, double the percentage of five years ago, with the bill coming to $5 billion. Banks and other businesses are increasingly using their commitment to security as a point of differentiation in advertising, he says.

Clarke went on to list 12 trends, a "dirty dozen" that will shape IT security in coming years. Among them were encryption of archived and stored data and automated audits of IT assets, using asset management software that certifies hardware and software as being secure.

Also on the list were greater use of intelligence and advisory services on security issues, increasing reliance on patch management systems instead of patches being applied ad hoc, and an ever-greater need to secure digitally controlled and SCADA (supervisory control and data acquisition)-based systems that run utilities such as electricity, water and gas suppliers.

"We're seeing worms getting into those kinds of networks and in Ohio, a power plant was knocked out by one," Clarke told the audience.

The IT security dirty dozen future trends also included more rigorous testing of software code for flaws such as buffer overflows and having desktop protection at a level matching that at the back end.

One of the most important trends will be to "rein in the road warriors" -- travelers and visitors who hook their laptops into company networks and introduce worms and viruses.

"Many companies have spent a lot of money on a VPN, only to have a road warrior shoot a virus over it from their laptop to the corporate network."

Products that scan and check laptops for security threats will increasingly come into use, Clarke said.

Another important trend is that more organizations will outsource basic security functions such as firewalls and intrusion detection and, if they can, will let Internet service providers do some of the work.

"Increasingly, we're seeing that ISPs are providing the first barrier -- the personal firewall -- and when you renegotiate a security service-level agreement with an ISP, you can get them to do a lot regarding security."

Greater attention to security threats from inside, such as former employees who retain access to systems and data at their old workplace, will see company networks increasingly segmented so that employees can only access what they're meant to.

The final trend Clarke identified was two-factor authentication. "Don't bother with just a password, as it provides no security. There are utilities available for cracking passwords," he says.

George W. Bush made one of his "occasional" good decisions as president, Clarke says, when he mandated that all federal U.S. government employees sign on with a smart card with dual PKI and biometric identification.

All of those trends are converging toward an online world where there's far more confidence among users, and where advances made in the 1990s that allowed the Internet to become an everyday tool can truly be realized.

"People are trying to take back cyberspace from the phishers, identity thieves and hackers, and we can all be part of the effort to take it back," Clarke said.

Copyright © 2004 IDG Communications, Inc.