Towards a National Strategy
A Conversation with Richard Clarke

America’s cyberspace security leader is ready to talk strategy.

As the Bush administration’s cyber security chief, Richard A. Clarke is spear-heading the landmark effort to formulate a national cyberspace security strategy that will encompass all sectors of computing and the Internet.

To that end, his office is working with leaders in the critical infrastructure areas of America, and with global interests, too. Clarke describes the strategy as a continuing “process” that will depend on everyone participating, and not on government mandates or regulation. We talked with him prior to the official launch date for the strategy.

Q. What is the principal objective of the national strategy effort?

A. The objective is to have a nationally accepted game-plan of things that we are all going to do—industry, the government, even home computer users. The idea is to define objectives. There are a lot of ideas about how to secure cyberspace. And there is some disagreement. There’s certainly disagreement about priorities. What we’d like is a single process, with an ongoing discussion in cyberspace itself rather than just a written report.

The goal is to have online a resource that everyone can log on to, a series of modules that lay out what the threat is and what the role of each unit of society is. These are categorized at five levels.

The first is home users and small businesses. The second level is enterprises, big companies. The third is programs at the Sector level, like banking. The fourth is national level institutions. That’s the biggest level of the strategy because it includes the critical sectors of the economy one by one, banking, transportation, and so forth. It also includes the sectors of the government and the national programs we need for research and education, warning, recovery, and other issues. The next level above that is global—what global policies do we need.

So, you could log on to this strategy and look at the level that you are interested in. I want to stress, this is not going to be a static document. It is going to be a modular approach where the content will change as needed—because the threat changes or what we are doing no longer makes sense or we’ve learned it didn’t work.

It’s quite different from the first national plan, which was a book written by bureaucrats. We have people all across the country in these various sectors writing sections for banking, transportation, electric power, state and local, and so forth.

Q. Is there a model for this approach or are you charting a new course here?

A. We’ve never seen anything like this, where you have the government trying to develop a strategy with so many different sectors. There have been efforts within individual areas, where the government and a specific sector got together and co-developed something. But we’ve never seen anything that crosses so many areas of society and the economy, and so many parts of the government.

Q. Do people generally recognize IT and cyberspace as critical infrastructure?

A. Most people in the sectors we talk to recognize it. I had an interesting conversation with the CEO of a very large railroad company, which is about as old an industry as you’ll find. He said to me: ‘I’m an IT company. If my IT systems aren’t working, my trains literally stop running. No one will know where they are supposed to go, what’s in which boxcars, which boxcars go where, what has to be off-loaded along the way, which train has the higher priority on what track… All of that is on our IT system, and if the IT system goes down it just stops the trains.’

That’s typical. The electric power people, the oil/gas pipelines, and a lot of other industries face the same situation and most of them understand this now.

Q. Can a strategy help with the process of moving IT security out of the niche it’s traditionally occupied in overall systems development?

A. The goal is to put the weight of the government and all the industries that are participating behind the notion that security is not an expensive and cumbersome add-on that someone makes you do. Rather, it’s integral, inherent, and as much a part of IT as the chip boards, the printers, the fiber cables. And that security done right saves money. Security, done right, is almost transparent for the end user.

Q. Many specific security issues often boil down to required compliance versus market-based solutions.

A. No one is proposing regulation, which is kind of interesting. In all of this discussion, no one is saying that the FCC should regulate the Internet the way they do the telephone system. And we’re certainly not saying there should be regulation. The question people are debating is, short of some big clumsy government agency regulating the Internet, if you don’t have that, how do you have smart government activity that is not regulation? What are the other things government can do?

Well, it can have smart procurement that requires secure products be made for government, and therefore create a market. It can create standards for itself, not regulations that other people have to follow. These standards and best practices can become a framework for when government helps industries, on a voluntary basis, develop their own standards and best practices. The government can pay for research, training, conduct awareness efforts, and make the outputs of these efforts available to industry.

The convening power of the government can also be used to create a dialogue between the people who are using software in critical areas and the people who are making it. We can work with the insurance industry to get them interested, internal auditors, and corporate boards of directors, which we’re doing as part of the general stimulation-of-interest campaign. In the long run, all of these individual things might add up to more than any regulatory approach.

Q. We’ve seen privacy become a marketable commodity in the last few years. Can security benefit from a similar compelling business case?

A. We think privacy and security are often a single issue and we are working with the FTC to hold a conference on privacy and security later this year. You can’t really achieve privacy without security. As an example, the health care (HIPAA) legislation requires that steps be taken regarding patient records. You can’t do that without security. The Banking Modernization Act similarly requires that all the banks have privacy protection programs that depend on security programs.

I think maybe last year it was true that privacy was a market and security was not. I’m not sure that’s true anymore. The combination of the NIMDA and Code Red viruses really created a market for security. The two of them together probably cost industry somewhere on the order of $4 billion to clean up. That was a real wake-up call for a lot of companies. A lot of very large and well-managed enterprises were badly damaged by Code Red and NIMDA. And the CEO began asking, ‘Why am I paying all this money to fix this?’

Q. Accountability seems to be on the rise?

A. We’ve had some remarkable statements by people like Bill Gates and John Chambers at Cisco in the last couple months. Gates said that from now on security will be the priority at Microsoft. Chambers said that he used to think security was one of twenty product lines. Now he realizes that unless we solve the security problem the IT industry is going to stay on the plateau it’s on now and never go further. People won’t have the faith and trust in IT necessary to do the next series of things.

Q. Have other industries reached the juncture we’re at with IT security right now?

A. Cell phones and credit cards, where fraud was the issue. Both of those entities leaped into the marketplace without a lot of security systems in place, and then both started being victimized. And then in both areas security had to be made inherent, and they have pretty much done that.

Q. Do we have a frame of reference by which performance measurement can be made meaningful where IT security is concerned?

A. The performance measure has to be something similar to accidents on the job site. Or, fire safety. What’s the performance measure on fire safety? It’s whether or not you have a fire. Or, how frequently you have one. Or, if you do, is it contained. Workplace safety is measured by person-days worked without an accident. We ought to think about IT security in the same way. The metric has to be what hasn’t happened. And when something did happen, were you able to contain it? With NIMDA, they couldn’t. It ran right through their systems.

Q. Will security spending in critical infrastructure areas keep rising?

A. We don’t have a thumbnail that says you must spend X-percent of revenue on IT security, or X-percent of IT budgets. But we know what we have been doing, and we have some anecdotal survey data from the private sector. The FY 03 budget that the president sent to Congress raises IT spending to $50 billion. Of that, 8.1 percent will be for IT security—that is to say, the security of federal computers and federal networks. That is up 64 percent over last year.

We realized we weren’t spending anywhere near enough in most departments. And number two, we’re going to have to make an example here that we’re credible. We’re going to have to put our money where our policy is. This is the first year OMB looked at the vulnerability assessment that is required of each department and compared those to the budget request. And when they found vulnerabilities with no money in the budget for remediation, they took money out of the pet rock program and put it into remediation. And that had a big impact. In the government, that’s a major event.