Analysts: Next Cybersecurity Czar Must Get Things Done

Datamation content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

Industry analysts are having mixed reactions to news that Richard Clarke is
leaving his post as the government’s cybersecurity czar.

While some say he was an experienced leader who brought a great deal of
attention to network security issues, others say efforts have stagnated
around endless discussions and useless recommendations that come without
teeth or conviction. All agree that whoever replaces Clarke needs to be a
visionary well versed in technology, business and political wranglings — someone capable of weaving together a network of security procedures and
mandates that will protect government and business interests.

“We haven’t seen any action out of that office to date,” says Mike
Rasmussen, director of research at analyst firm Giga Information Group.
“We’ve seen a lot of communication but not necessarily anything that
changes things… They’ve laid a lot of groundwork but now we’ve got to
build on that foundation. In the cybersecurity world, we’re littered with
attempts that never get finished. I hope this isn’t the same thing.”

Late last week, Clarke confirmed reports that he was stepping down as the
Bush administration’s cybersecurity chief to look for a job in the private
sector. He has not addressed rumors that he is leaving the job because of
his dissatisfaction with the progress his office has made or with the jobs
that have been offered him in the new Department of Homeland Security, which
the cybersecurity office is being folded into.

Industry analysts say the bulk of Clarke’s time has recently been spent
working on the National Strategy to Secure Cyberspace, a document — expected
late this month or next — that focuses on recommendations to prevent and
respond to Internet-based attacks. A draft of the plan was released in
September, prompting a host of critics to complain that the plan was nothing
more than a long-winded recommendation for companies to tighten up their own
security.

Despite criticism, Dan Woolley, a vice president at SilentRunner, a network
security company, says Clarke, a former counter-terrorism advisor, has been
a real “champion” of security issues, raising awareness about the risks to
network security.

“I’ve agreed and disagreed with Dick on various issues, but I know him and
he’s always put his heart and soul into it,” says Woolley, who says
Clarke’s departure will be a real loss to the industry. “But I don’t know
if anything has truly been accomplished except for increasing awareness.
There’s a lot more work and a lot more evangelism that needs to be done.”

Woolley adds that the upcoming cybersecurity plan needs to be much stronger
than the draft was.

“It was very soft in terms of what we have to do and how we do it,” he
says. “It has to be a little stronger… We need a more active involvement
in governmental leadership. They should talk about policies and mandates.
They should be bringing together information and investigating threats. If
that is to happen, the government needs to be very influential.”

‘We Need a Visionary’

Woolley says the cybersecurity office should lay out a methodology for
reporting security threats and breaches. How is information shared? How do
companies get a look at the big picture? How do you secure the crime scene
for a cyber attack?

“There’s so many loose ends that if brought together correctly, will weave
a fabric of security that will stretch across the network,” adds Woolley.
“We need a visionary who can look at all these things and make sense of
them and figure out priorities. The leader needs to be someone who
understands commercial risks, and has experience with how business works and
how government works.”

Charles Kolodgy, research manager at industry analyst firm International
Data Corp., says anyone who replaces Clarke foremost needs to be a liaison
between government and industry.

“Clarke has been doing what he can. It’s a tough job,” notes Kolodgy. “We
need someone who is able to bridge between government and industry.”

But Kolodgy also points out that things may change a great deal with
cybersecurity being taken into the Homeland Security office. Clarke’s
replacement may end up being an administrator of an even larger department.

And some analysts point out that no one in the Bush administration has said
that there will be a replacement for Clarke. His duties could be parceled
out to a myriad of people, leaving the position unfilled. And potentially
leaving cybersecurity efforts without a champion.

Giga’s Rasmussen says he’s waiting to get some clear word from the
administration about the direction that both Homeland Security and
cybersecurity will be taking.

“There’s been a vagueness around this,” says Rasmussen. “Clarke stepping
down forces the government’s hand to say where they’re going with this.
Clarke’s leaving could be a positive in that we’ll get more of a sense of
what their plans are.”