Published: 01 May 2002
Q: You were recently named vice chairman of the Critical Infrastructure Protection Board, but you've said that Richard Clarke, the board's chairman and special advisor to the president on cybersecurity, considers you a "co-chair." How does that sort out?
A: The presidential executive order established a chairman and a vice chairman for the Critical Infrastructure Protection Board, which is comprised of 26 senior U.S. government executives. We also have 20 standing committees that are subsets of the board. Beyond the core issues of the board and its subcommittees, there are four basic areas we cover: national security; the security of government systems; outreach, including private/public and state/local/international; and assisting the various law-enforcement communities. Richard and I cross over as necessary, but I'm particularly focused on the outreach and law enforcement/investigative pieces. Richard says we're interchangeable; that's why he says I'm more like a co-chair.
Clarke is frequently questioned about the threat of a "digital Pearl Harbor." How do you interpret that phrase? What would a digital Pearl Harbor look like?
By "digital Pearl Harbor," we mean a devastating attack on our ability to use the online world. For example, there were DNS server problems a few years ago that caused significant latency because some major ISPs had problems with corrupted files or bad zone files. If that had been allowed to perpetuate, it could have seriously impacted our ability to communicate using the Internet. A digital Pearl Harbor would be similar, but have a far more dramatic effect.
During the Sept. 11 attacks, the U.S. nearly lost some key nodes in its financial exchange mechanisms, and telecommunications took a big hit. What have we learned about distributing resources more effectively?
I can talk about a similar incident as an example. A fire in a tunnel near Baltimore last year effectively knocked out the Internet and a whole bunch of Northeast telecoms because there wasn't a good understanding of single points of failure. We had all that wire and cable strung through that one tunnel. Take a physical event like that and look at the cascading effects, such as when a tree fell across power lines in Oregon and the lights went out in Tucson. If we have that happening at the same time as a virus or Trojan attack, as you said, a cascading effect could cause significant disruptions because of interdependencies in our infrastructure.
What did we learn from Sept. 11? We need to find out where those events are correlated. What the interdependencies are and how we can be more resilient. And how can we resist attack, be resilient and remediate in a relatively short period of time? Answering those questions is part of the board's mission statement.
We don't know where all the interdependencies are, and we need a better handle on that so we can protect them. We're moving forward quickly, but you can't turn a 600-foot ship around on a dime. Am I satisfied with our speed? Yes. All of those potential effects and attacks are being considered.
The New York Electronic Crimes Task Force (NYECTF), which was based in the World Trade Center, was operational within 48 hours of the Sept. 11 attacks, due in large part to its public/private partnerships. You frequently define your work as creating public/private partnerships, but there are different assumptions in the public and private sectors about goals, which makes sharing information tricky. How are you enabling people to stand on common ground?
The NYECTF is one example of how public/private partnerships work. A lot of telecoms after Sept. 11, through the National Coordination Center, immediately put up significant resources without any hope of compensation. Within hours, a number of companies went to the federal government and said, "Here's $20 million in resources, tell us what you need us to deploy." That's one way it worked.
What happened with the NYECTF was happening on a grander scale on the national level, from telecoms to the IT infrastructure to the Pentagon. I was at the Pentagon within 36 hours of the attack with a blank check from the private sector saying, "Here's what we can offer to get the Pentagon and New York communications up and running."
In the immediacy of the moment, we entered a space of extraordinary cooperation. But the half-life of a crisis, as Stash Jarocki of Morgan Stanley says, is 90 days. That's when the level of urgency diminishes by half. Do people still understand what we're up against?
I think that in a lot of cases we do; a lot of people were genuinely converted. It has been said that 70 percent of the people are back at some level of normalcy. We need to find a balance. We want people to do things on a normal basis, but we also want a continued sense of urgency about things that are really critical. We still have a critical mass of people inside and outside the government saying, "I don't care about the bureaucracy, what can we do to facilitate something effective?"
Do you see "functional networks" being built in creative ways?
Building personal relationships is crucial. One thing that encouraged me to take this government job was the people I had worked with from my private-sector position, people who truly believe that we can make a difference, people who have grown up in this business together. It gives us extra leverage that in addition to our professional responsibilities, we all have a passion to do everything we can.
1967-1983: U.S. Air Force
1983-1994: Police officer with the Chandler, Ariz., police department.
1994: Headed the ComputerExploitation Team at the FBI's National Drug Intelligence Center.
1994-1997: Directed the USAF Office of Special Investigations, Computer Forensic Lab and Computer Crime and Information Warfare.
1997-2002: Worked at Microsoft as chief security officer.
1997-2002: Taught computer forensics at the University of New Haven, Conn.
1999-2002: Served as international board president of the Information Systems Security Association.
2001-2002: President of the Information Technology-Information Sharing and Analysis Center.
2002: Appointed vice chairman of the Critical Infrastructure Protection Board.
Some say that Gov. Tom Ridge, the director of the Office of Homeland Security, has an impossible job that doesn't carry the full authority to accomplish his assigned tasks. Do you see any similarities between his job and yours?
I agree that he has a tremendous job, but I don't agree that he lacks authority. His challenge is that this is a brand-new issue, whereas we have been doing cybersecurity for some time and have a pretty good sense of what it will take to bring it up to par. Both jobs are important and challenging, but we have more experiences behind us that we can build on.
Are you reasonably satisfied with what you have been able to do to this point at the Critical Infrastructure Protection Board?
At this point, I am 100 percent satisfied. Every conversation I have tells me that. One issue that we dealt with was the SNMP vulnerability. In my previous government life, it would have been more challenging to try to coordinate a response. In this case, we had all the key players from government, the private sector and academia on conference calls to look at the issues and come up with technical responses. It's phenomenal to have everyone going in the same direction.
Some security pundits say that everything we do going forward will be built on platforms that are permanently flawed.
The Internet, as we all know, wasn't designed to be secure. If you go to a security engineer and ask what it will take to fix this, you'll be told that we have to upgrade infrastructure. It's not necessarily because a vendor has something good or bad, but because the threat model has changed significantly.
There must be reengineering of processes to make the infrastructure secure. We have to build in testing and response capabilities so we're proactive instead of reactive. At the same time, we have to educate people on how to be secure. Look at the history of the automobile. We added brake lights, then seat belts and so on, and now we have pretty safe cars. They're not and never will be perfect, but they're much better than they were. If we train people and put the right processes in place and improve the technology so it's designed to reduce the threat, we'll be in much better shape.
Some security and IT professionals believe technology is advancing at a pace greater than our ability to field people to manage and secure the systems. How do you respond to that?
The systems we've created up to now have been far more complex than they should be. It's a growing process, and that's the source of my optimism. Like cars, they're becoming easier to use and maintain. We're not going to have a CIO in everyone's house, and you shouldn't need one to own and use technology. The engineering needs to be secure and simple, and the curve for IT professionals will drop dramatically because things will be easier to use and security will be part of the fundamental process. I am encouraged because Richard Clarke has met with CEOs of major companies that make routers and software, and everyone has said security is now a number one priority. It may not have been a priority before, but it is now.
Is that due to the recognition that litigation may lead to software manufacturers being held as responsible defective products?
That's part of it. But I think there's a greater realization about the importance of security. I think of my trajectory using computers. I once used a Commodore 64 to set up bulletin boards, for example, and it was a minor inconvenience if my hobby computer wasn't accessible. But my dependency has changed significantly and a lot of vendors recognize this. It's not a toy, but something we depend on in many different areas. In my role at Microsoft, I heard the White House say for years, "This is not a hobby now, it's part of the critical infrastructure," which is why so many people are now on board with security.
Since Sept. 11, we've moved toward greater surveillance, which some say is eroding personal privacy and liberties. Do you think anything will inhibit that process?
I think we'll reach a balance. Building up borders has been one of our problems. It's the "Tootsie Pops syndrome," with hard outer shells and soft chewy centers. That's how we built networks. We had firewalls and strong perimeters, designating anything inside as trusted. Living in a ubiquitous online world, we have to secure individual devices and define profiles for resources under particular sets of circumstances.
As to privacy -- without security, you have no privacy. That doesn't mean we have to give up privacy, but we must have some level of authentication. For example, if I have a $20 bill in my pocket and want a $10 and two $5s, I don't need identification to get that change from a bank. However, if I want to open an account, I do. If I want a safety deposit box, I need better authentication -- I need two keys and someone has to come into the vault with me. I think these levels of authentication translate into the online world.
Given the level of threat we face, we're asking people to trust authorities with invasive surveillance technologies because it will ultimately serve the greater good. Is privacy over?
Privacy is a very individual thing. When I subscribe to a magazine, I give up a certain level of privacy for the benefits of getting the information in that magazine. There's always a trade-off, giving something up for the service that you want. You should be able to surf the 'Net and get medical information anonymously without compromising your privacy. A bar can ask for an ID that proves you're 21 before serving you alcohol. By showing a government-issued ID, like a driver's license, we give up some privacy to have that drink. That's where balance comes in.
For society as a whole and for individuals who want different levels of access to information, there will be different sets of rules.
I don't think we really know what "balance" is at this point. We're still in a state of shock. We are searching for the right balance, and it will almost certainly differ from what "balance" was when I was 16.
These are uncharted waters. How will people be held accountable?
On the government side, this is one reason the Critical Infrastructure Protection Board was created. The Government Information Systems Reauthorization Act requires the head of each federal agency to be responsible and accountable for security in their agency. The recent GAO report shows there's a lot of work to be done, but those people are going to be held accountable. The board is giving them the tools and mechanisms to do cross-government collaboration to get their systems in order.
On the private-sector side, if you lose customers because your Web site gets hacked, you won't be trusted. Accountability in the private sector will come from the necessity of providing that level of trust.
It's been said that one of the reasons you left government service the first time was because of bureaucratic politics -- especially with the military. Some said you grew frustrated with having to fight for resources and funding, and felt stifled by the bureaucratic culture's rigidity and lack of teamwork. By returning to government service, are you saying that this culture no longer exists?
That's right. Conditions have changed significantly in government and also in the private sector. When everyone is focused narrowly on their own issues, they lose sight of the bigger issues. There's now a greater recognition that "your issue is my issue."
I'll never forget a meeting at the White House where I told Richard Clarke that we had been coming to meetings on public/private partnerships for some time now and the definition of a "good meeting" was that "we had a good meeting." It was frustrating. Richard and a few others got eight or 10 of us together and said, "This is serious business. Do you in your companies really understand the impact of what we're discussing beyond what you're selling or producing? That this goes way beyond that?" From my perspective, that was a real turning point in the conversation on the public/private relationship. People began seeing and saying that it wasn't just about what they were doing; it was about what we were all doing.
Are we 100 percent there yet? Of course not. But I challenge anyone to find a CEO today involved in the industries that affect the critical infrastructure that will say security isn't a CEO issue.
It takes time to generate this kind of change, and you're trying to communicate the depth and magnitude of the need for change to others so that the "community of interest" will include more people.
That's correct. In a conference call on the Nimda worm, we had an astonishing level of participation. I marveled at the unprecedented technical depth, the senior-level management expertise and the level of government participation. Everyone was laying out their cards on the table; everyone was working together to identify what Nimda was doing, how to stop it and, if you had it, how to fix it.
Throughout our conversation I've heard you say how encouraged you are about security becoming a priority. Was this level of awareness not possible prior to Sept. 11?
Yes. I spent three tours in Southeast Asia, I'm a cop, a proverbial "tough guy," but the day I got the call from the White House after the Sept. 11 attacks asking me to be part of the team, I sat there almost in tears thinking that this is a no-brainer. We just had the worst death toll on American soil due to a terrorist attack, so it's not whether it's convenient, it's that "this is the way to do it." I have met others who were in the private sector and joined the team because they felt a tremendous obligation to do their part. This is a job we all have to do together. Failure is not an option.
About the Author: Interviewer Richard Thieme is a contributing editor for Information Security. He writes, speaks and consults on the human dimensions of technology and the workplace.