by Sarah D. Scalet

SECURITY Q&A – They Want You for a Safer Infrastructure

Jun 15, 2002

It’s a quarter to noon on a muggy Thursday in the nation’s capital, and Richard Clarke is offering milk and cookies to visitors on the 10th floor of the old Secret Service building, two blocks west of the White House. There’s a simple reason for his snack choice. Earlier in the morning, Clarke (whom headline writers like to call President Bush’s cybersecurity czar) hosted an event for schoolchildren about staying safe online, this decade’s version of just saying no to drugs. Even so, leftover sandwich cookies seem an appropriate offering from a man whose job is to persuade bureaucrats, businesspeople and technology vendors to do two things they might not have thought about since kindergarten: share and cooperate.

It’s a lofty goal: to get executives not only to tell the federal government about attacks on their computer networks but to work with competitors to protect the country from all manner of electronic threats, from website defacements to information warfare. But that’s why President Bush recruited Clarke last October as chairman of the newly created Critical Infrastructure Protection Board, now part of the Office of Homeland Security. And it’s why in February, Clarke got Howard Schmidt, then chief security officer of Microsoft, to become vice chairman of the board.

Despite the duo’s high profile, it wouldn’t take a pessimist to call theirs an impossible task. Thus far, their work has had a dogged Washington flair: hold meetings, issue reports, beg Congress for attention and, most important, recruit volunteers. One way to improve critical infrastructure protection would be for Clarke and Schmidt to advocate legislation that would give them a hammer to force companies to work with the government and report information about attacks. But the two have been staunch opponents of such legislation. “We don’t want to regulate because we don’t think we do it very well,” says Clarke, age 51, who made his name as President Clinton’s counterterrorism adviser for most of the 1990s and is the political counterweight to Schmidt, age 52, whose sympathies lie more with the private sector and vendor community. The process of improving security “works better if people think they’re doing it in their own best interest,” Clarke says.

To hear Clarke and Schmidt tell it, people are joining the fight in their own best interest, and any perceived reluctance on the part of corporate America is merely a marketing problem. The duo make themselves out to be patriots as well as consummate political insiders, Schmidt with the obligatory American flag pin on the lapel of a jacket draped over his chair, Clarke sipping from a blue and gold coffee mug from the White House Situation Room. But as much as anything, they are the chief publicists of a vision for improved cybersecurity around the world. CIO caught up with them for an interview about how far critical infrastructure protection has, and hasn’t, come since Sept. 11, and how they’re trying to coax corporate and vendor leaders into playing a greater role.

CIO: A recent survey shows fewer companies reporting cybercrimes than a year ago. Does that affect your mission?

Richard Clarke: We don’t think about [critical infrastructure protection] primarily as a criminal justice problem. If you discovered break-ins in your town but most of the houses didn’t have locks, would you hire more police or buy more locks? Criminal justice plays a very important role here, especially in terms of deterrence. We have to arrest people and prosecute them in order to deter others. But fundamentally, cyberspace security is about buying and using door locks.

Howard Schmidt: Imagine there’s a failure of a locking assembly, which results in a break-in, which results in a report to a law enforcement agency, which results in an investigation. You could have one track from that investigation directed toward the criminal justice system; the other track goes to [us, and we ask], “How could this have been prevented?” We have a constant feedback loop, which means eventually we have better security on the front end and the law enforcement authorities have less to investigate.

You’ve said that the Freedom of Information Act [FOIA] exemption is the single most important policy change to improve information security. [Note: This controversial exemption, debated in Congress and advocated by many CIOs, would ensure information given to the federal government about computer attacks would not be made public.] Why is the exemption so important?

Clarke: The Nimda virus last November was a major attack that caused billions of dollars worth of losses in the private sector, yet not one company called us up to tell us they had been attacked because they wanted to be able to keep it secret. They don’t want customers and stockholders to lose confidence. We understand that. But as a result, we have an inadequate perception of what’s going on in the American information infrastructure. Sen. Robert Bennett [R-Utah] probably puts it best when he says, Imagine you are a commander in charge of a battlefield, and you could only see or know 15 percent of what was going on in that battlefield. How would you defend yourself? Well, if you look at our critical infrastructure, about 85 percent of it is in the private sector, and unless we can have some knowledge as to what’s going on there (attacks, viruses, worms, denial-of-service attacks), then we’ll never be able to help defend it. Only by getting a Freedom of Information Act exemption, narrowly written, will we ever be able to persuade companies that they can trust us, the government, with information about vulnerabilities or about hacks.

I’ve heard you aren’t so sure the exemption is necessary; it’s more that businesses think it’s necessary. Are you offering it to corporate America as sort of a contract: Trust us, and we’ll help you out?

Clarke: No, not really. We’ve looked at the legal question: Are there already adequate provisions in the law that would exempt this kind of information from a Freedom of Information Act request? Our lawyers say the law, as currently written, would allow us to protect that information. But that doesn’t persuade companies to give us the information. Their lawyers believe they need additional protection; therefore we need to get additional protection.

If the law passes, will there be an onslaught of people reporting information to you?

Schmidt: It’s hard to tell. We think we’ll have some companies come forth right away. In other cases, there’ll still be some hesitation, some guarded discussions. I’m sure there’ll be a little bit of giving of information, seeing how that plays out. I don’t think it’s going to suddenly open the floodgates.

One line in the executive order creating the Critical Infrastructure Protection Board says, “Implementation of this policy shall include a voluntary public-private partnership, involving corporate and nongovernmental organizations.” So in a way, your job is to force people to volunteer. How?

Clarke: The Partnership for Critical Infrastructure Security [PCIS] was formed two years ago. We’ve had six or seven industry groups form Information Sharing and Assessment Centers [ISACs] before 9/11. So I’m not concerned that people won’t cooperate. But this is more than just patriotism. It’s economic self-preservation. Many companies participating in this partnership on a voluntary basis realize that they’re doing it because they can only grow if IT grows, if IT is secure. For us really to go to the next stage of IT in the workplace, IT in the home, we really need to increase consumer confidence.

Schmidt: When the PCIS was formed, I was in the private sector, and [security] was not an issue in many companies. You worried about earnings per share, shareholder value and so on. Dick [Clarke], John Tritak [director of the Commerce Department’s Critical Infrastructure Assurance Office] and the folks in the government at that time provided a forum for us to become more aware of the government’s interest in the area of critical infrastructure protection. It was natural to pull everybody in and say, “Listen, this is important to the president. We want you to help us.” Who would not want to answer that call? You’ll see the momentum that we’ve got today, where people are literally calling up and saying, “What can we do?” It’s based on the trust that was developed by the government initially reaching out to companies saying, “We’re not here to regulate you or ruin your business model. We want what’s good for the country, for all of us.”

It sounds like you’re talking about this volunteerism as a substitute for regulation.

Clarke: We don’t want to regulate because we don’t think we do it very well. We’d like voluntary cooperation, voluntary adoption of best practices, voluntary sharing of information, because it works better if people think they’re doing it in their own best interest, rather than if they think they’re doing it because they have to.

It’s a marketing job as much as anything?

Clarke: About half our job is marketing.

What’s the other half?

[They both laugh.] Clarke: A lot of what we do is make priorities: budgetary, legislative, priorities in terms of what parts of the infrastructure we work with the most. What are the most important things to fix? Imagine the intersection of where the vulnerabilities are highest and where the effect of failure is the highest. That’s what we’re trying to find.

If you look at the state of critical infrastructure on Sept. 10 versus now, have there been measurable improvements?

Clarke: The federal government is getting more secure in its cyberspace networks. The budget the president sent to Congress in February asks for a 64 percent increase in funding to defend federal departments and agencies; that’s more than 8 percent of the federal IT budget spent on IT security. We’re trying to do two things with that [funding increase]. Obviously we’re trying to fix very serious problems that the federal departments have. And two, we’re trying to set a model for the private sector, for members of corporate boards of directors, for CEOs, saying, “Gee, the federal government is spending 8 percent of its IT budget on IT security. What are we doing at our company?” Unfortunately, most companies are not going to be able to say that they’re spending anywhere near 8 percent on security.

You like to quote a report that most companies spend more on coffee than on security. Is 8 percent for catch-up? Is it enough?

Clarke: It’s catch-up for the federal government, and it won’t be enough if we don’t sustain it at that level or perhaps even slightly higher over several years. There’s no good figure that is appropriate for every company or every institution. That’s why we’re not saying 8 percent is the target.

Are you advocating any kind of tax benefits for spending on security?

Clarke: No, I think there’s enough benefit inherent for spending on security that we don’t need to give people a tax break. The benefit comes from being secure. It’s more expensive in the long run to be insecure.

Don’t you think that’s a hard sell to CFOs?

Schmidt: Not at all. When the Melissa virus hit at one company that I have some very great insight into, it took about $14 million to bring that whole system up online after 10 days. When the Anna Kournikova virus hit the same company, they were able to contain it within 30 minutes with better processes, and that 30 minutes translated into about $12,000 worth of effort, quite a difference. CFOs are saying, “It’s going to cost me just like anything else to do some risk management on the front end, but in the long term I’m going to be much more able to save money and reduce total cost of ownership.”

Are you saying that viruses and worms actually helped as far as demonstrating that ROI?

Clarke: I think that there’s a silver lining to some of these viruses and worms, because you know when you get hit. People are penetrating networks, doing espionage, and we don’t know it because they’re successful. They’re not leaving traces. It’s helpful when we have major viruses and worms and denial-of-service attacks because they’re noisy and they leave fingerprints, and we know it’s out there. People are then motivated to fix it.

How can you convince vendors to create more secure products?

Clarke: The vendors tell us, “We could create more secure products, but no one wants them.” Then we talk to the procurement people (in banking, finance, energy, government) and say, “Do you want more secure products?” And they say, “Yes! But the vendors won’t make them.” It’s what I call a “dialogue of the deaf.” We try to bridge it by taking the critical infrastructure procurement people and the vendors by the hand and saying, “Vendors, could you make a more secure product?” “Critical infrastructure companies, do you want a more secure product?” “Now, can both agree that we’re going to have more secure products?” There’s actually a real role for us to bring people together to have dialogues that you would think naturally occur but don’t. We also have a sort of honeybee role where we fly around flower to flower proliferating the message and sharing information. We’re able to learn what products are out there. We don’t recommend certain brands, but we do recommend certain kinds of services.

What’s the administration’s position on holding vendors accountable for products that aren’t secure? And liability for products that aren’t secure?

Clarke: I think they’re two separate issues. One is holding vendors accountable, one is doing [something about] it in court. We’re in favor of holding vendors accountable. When a product fails, the vendor has a responsibility to quickly identify a way of fixing it and getting that patch out, and the patch not only should fix the problem, it should not interact badly with other widely utilized applications. But we don’t think it’s terribly valuable to litigate such problems. We’d like to try to find solutions that are quicker than long, multiyear litigation. We spend a lot of time worrying about patches, but we don’t want to just put bandages on the current generation of systems. We want to think about what the next generation of systems should look like.

What would be the signs that things were getting better?

Clarke: It’s mostly anecdotal. You can look at the number of computer incidents; you can look at the dollar value of damage done by such incidents. Unfortunately the numbers are skyrocketing. That doesn’t mean we’re not making progress. If you look at traditional measures of effectiveness (the number of incidents and how bad they are), it would tell you we’re getting worse. The number of people and functions connected to the Internet is going up, and the sophistication of the attack tools is increasing. At the same time, we are getting the awareness message out, getting more CEOs to care, getting spending in security in the public and private sectors, getting the hardware and software manufacturers to develop more secure systems. Then there’s the unknown unknown. Have our enemies already penetrated our critical infrastructure successfully and we don’t know it? Or are they in a position where, if there is a big conflict between us and them, they are already in a position to disable our critical infrastructure?

Who’s the “them”?

Clarke: We’ve stopped asking that question. Before Sept. 11, people tended to think in terms of a threat paradigm: Who’s the them, and when are they going to do it? They waited for that information before they acted. So, tell me the name of the terrorist group, what airplane they’re going to hijack, what city they’re going to attack. Tell me when it’s going to occur, and then I’ll do something to prevent it. We learned you don’t always get the information; the attack just occurs.

So we’re advocating instead a vulnerability paradigm that says, Don’t worry about who’s going to do it. Don’t worry about when it’s going to occur. Ask yourself what your vulnerabilities are. And then find that intersection between the things that are the most vulnerable and the things that would be the most damaging. It’s a shift from who’s going to do it, when and where, to where are my weaknesses, and what are the most important weaknesses that I have?

People who are not now actively our enemy may be actively our enemy three years from now, five years from now. If all we do is collect intelligence about people we think are our enemies, we may miss what we should be doing.