Clarke: Who leads cybersecurity?
- By Florence Olsen
- Feb 16, 2005
SAN FRANCISCO -- Richard Clarke, former special adviser to the president on cybersecurity, has this advice for Michael Chertoff, the new secretary of the Homeland Security Department: Find out who's in charge of cybersecurity.
Speaking at the RSA Conference this week, Clarke said the Intelligence Reform and Terrorism Prevention Act of 2004 is unclear about who is responsible for cybersecurity in the federal government.
He said the new law creates a center for cybersecurity in DHS but gives authority for decision-making to the Office of Management and Budget, which, according to Clarke, has only three people working on cybersecurity issues.
"The first thing Chertoff needs to get straight with the president is who is in charge of this issue, because if he is in charge, then he ought to know that," Clarke said. "And if he is in charge of it, he ought to have some authority to direct the rest of the government on this issue."
Jamie Gorelick, a member of the 9-11 Commission, said Chertoff's first priority should be to start creating an information-sharing infrastructure, which the intelligence reform act requires. But first someone has to set policies, she said, because those policies will determine the technology architecture for sharing information.
The fact that President Bush has not yet named a director for the National Counterterrorism Center, created under the new law, is delaying work on the IT infrastructure, Gorelick said.
Gorelick and Clarke, who spoke here at a town hall meeting sponsored by the Cyber Security Industry Alliance, answered questions on a variety of homeland security topics such as information sharing and analysis centers, the DHS budget and the lack of attention paid to cybersecurity in the federal government.
Andy Purdy, acting director of cybersecurity at DHS, did not have an official role in the town hall meeting, but he addressed the audience, saying that people would soon see a new emphasis on cybersecurity within DHS.
Without revealing further details, Purdy said that DHS is working with officials in the White House, Defense Department, intelligence community and other agencies so the government will be prepared to handle a potential cyber incident of national significance.
Asked to comment on DHS' information sharing and analysis centers, which were created under the president's National Strategy to Secure Cyberspace, Gorelick said the groups are not working well as they are constituted and that DHS officials need to become more involved.
Clarke said the centers are working reasonably well if they are seen as a first step toward improving communication between industry and government about threats to the nation's critical infrastructures. Companies first had "to overcome fears that the government was trying to get into their business," he said.
But now it is time for DHS officials to get more involved, Clarke said, so that information about cybersecurity risks and threats is systematically shared and analyzed. "We need a synoptic view of cyberspace," he said. Without that, he added, the United States could become the target of a national cyberattack, and no one would really know it was happening.
Clarke suggested that the official responsible for cybersecurity should work in the White House, as he did when he was special adviser to the president on cybersecurity. Speaking as a former political insider, Clarke said proposals to elevate the director of DHS' National Cyber Security Division to the level of an assistant secretary within DHS would not achieve the results that people are expecting. "An assistant secretary in any one department is not a very important person," he said.
On the topic of DHS' budget, Gorelick said she is glad to see homeland security funding begin to be distributed on the basis of risk rather than pork-barrel politics. Clarke, on the other hand, said he is worried about a zero-sum game in which spending more on improved rail and port security would likely mean spending less on aviation security. "That would be a mistake," he said.
At the most fundamental level, protecting the nation from a potentially crippling cyberattack is difficult, Clarke said, because such an attack has never happened. Public officials have many problems vying for their attention and resources, he said, and therefore it is not surprising that they would choose not to focus their attention on something that has never happened.
But Clarke said the hacker and virus attacks happening every day against companies and government agencies are cause for alarm. "We need a national effort to handle the day-to-day attacks, which are costing us a lot," he said.