Establishing Digital Trust: Don't Sacrifice Security for Convenience
While some say he was an experienced leader who brought a great deal of attention to network security issues, others say efforts have stagnated around endless discussions and useless recommendations that come without teeth or conviction. All agree that whoever replaces Clarke needs to be a visionary well versed in technology, business and political wranglings -- someone capable of weaving together a network of security procedures and mandates that will protect government and business interests.
"We haven't seen any action out of that office to date," says Mike Rasmussen, director of research at analyst firm Giga Information Group. "We've seen a lot of communication but not necessarily anything that changes things... They've laid a lot of groundwork but now we've got to build on that foundation. In the cybersecurity world, we're littered with attempts that never get finished. I hope this isn't the same thing."
Late last week, Clarke confirmed reports that he was stepping down as the Bush administration's cybersecurity chief to look for a job in the private sector. He has not addressed rumors that he is leaving the job because of his dissatisfaction with the progress his office has made or with the jobs that have been offered him in the new Department of Homeland Security, which the cybersecurity office is being folded into.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i Industry analysts say the bulk of Clarke's time has recently been spent working on the National Strategy to Secure Cyberspace, a document -- expected late this month or next -- that focuses on recommendations to prevent and respond to Internet-based attacks. A draft of the plan was released in September, prompting a host of critics to complain that the plan was nothing more than a long-winded recommendation for companies to tighten up their own security.
Despite criticism, Dan Woolley, a vice president at SilentRunner, a network security company, says Clarke, a former counter-terrorism advisor, has been a real "champion" of security issues, raising awareness about the risks to network security.
"I've agreed and disagreed with Dick on various issues, but I know him and he's always put his heart and soul into it," says Woolley, who says Clarke's departure will be a real loss to the industry. "But I don't know if anything has truly been accomplished except for increasing awareness. There's a lot more work and a lot more evangelism that needs to be done."
Woolley adds that the upcoming cybersecurity plan needs to be much stronger than the draft was.
"It was very soft in terms of what we have to do and how we do it," he says. "It has to be a little stronger... We need a more active involvement in governmental leadership. They should talk about policies and mandates. They should be bringing together information and investigating threats. If that is to happen, the government needs to be very influential."
'We Need a Visionary'
Woolley says the cybersecurity office should lay out a methodology for reporting security threats and breaches. How is information shared? How do companies get a look at the big picture? How do you secure the crime scene for a cyber attack?
"There's so many loose ends that if brought together correctly, will weave a fabric of security that will stretch across the network," adds Woolley. "We need a visionary who can look at all these things and make sense of them and figure out priorities. The leader needs to be someone who understands commercial risks, and has experience with how business works and how government works."
Charles Kolodgy, research manager at industry analyst firm International Data Corp., says anyone who replaces Clarke foremost needs to be a liaison between government and industry.
"Clarke has been doing what he can. It's a tough job," notes Kolodgy. "We need someone who is able to bridge between government and industry."
But Kolodgy also points out that things may change a great deal with cybersecurity being taken into the Homeland Security office. Clarke's replacement may end up being an administrator of an even larger department.
And some analysts point out that no one in the Bush administration has said that there will be a replacement for Clarke. His duties could be parceled out to a myriad of people, leaving the position unfilled. And potentially leaving cybersecurity efforts without a champion.
Giga's Rasmussen says he's waiting to get some clear word from the administration about the direction that both Homeland Security and cybersecurity will be taking.
"There's been a vagueness around this," says Rasmussen. "Clarke stepping down forces the government's hand to say where they're going with this. Clarke's leaving could be a positive in that we'll get more of a sense of what their plans are."