Richard Clarke: Awareness Builder

Clarke is most recently known for his position as White House cybersecurity czar from 1998 to 2003—the culmination of 11 years in the White House, making him the longest-serving senior staffer. Previously, he spent 19 years in the Pentagon, serving variously as deputy assistant secretary of state for intelligence, assistant secretary of state for military affairs, and coordinator of diplomatic affairs during the Gulf War. He was as comfortable serving Presidents Bush, Clinton and Bush Senior as he was talking sleeper cells with George Stephanopoulos on Sunday morning.

Clarke resigned his White House postand turned in his FBI-issued semiautomatic handgunin February 2003, partly in frustration at being passed over for a position as deputy secretary of Homeland Security. While Clarke may have felt stymied at times by D.C. bureaucracy, clearly he led the way in elevating the possibility of cyberwarfare to the front of national consciousness. At a recent U.S. House Technology and Information Subcommittee hearing, Clarke cautioned that the U.S. government is without a leader in the cybersecurity war, and urged CSOs to get involved in government and educate legislators about security issues.

“Threats to a corporation are multifaceted. They may come from criminals, competition, hackers, terrorists or insiders. CSOs need to ensure that they are part of a corporate governance model that relates physical security, cybersecurity, privacy, continuity of operations and personnel security. They need to be part of a structure that involves the CIO, the COO, HR and the privacy officer. That structure must have regular access to the CEO and to a body within the board. A corporate security council model rises above the stovepipes of traditional wiring diagrams. Working together, members of such a council can identify multifaceted threats and develop integrated responses. They can advocate for the resources they need and, perhaps, be able to relate overall corporate security expenditures to an ROI.

What’s next is a future of indefinite duration in which new technologies will continue to appear at a steady pace, each offering the hope of greater efficiencies and carrying with them the potential of danger. Wi-Fi seems to bring the freedom to move about, but it may (if not done properly) also allow malicious actors behind the firewall. Third generation, or 3G, phones may finally bring us the single portable device but could, in the absence of security software, be the weakest link in a network. VPNs allow road warriors to get at their desktops from the hotel room but can also zip any infection on the laptop right onto the corporate network. At the far end of the planning horizon, quantum computing will both destroy all current encryption protection and simultaneously offer those who have it an uncrackable code. Nanodevices will create truly ubiquitous computing but will pose a serious challenge to civil liberties and privacy.

We need a mechanism to identify the security and policy implications of technology before it goes to market so that we can balance technological advances with our security needs and what we stand for as a nation.”