Architecting for Chaos

Richard Clarke gave up his post as President Bush's top advisor on cyberthreats, but he hasn't given up the fight for better IT security.

Get one thing straight: Richard Clarke is fed up with the term "cyberterrorism". And when the man who was America's first counterterrorism czar says he doesn't like an expression because it mixes two very different security threats, CIOs had better listen.

Clarke is currently the chairman of information security consultancy Good Harbor, but he had plenty of opportunities to see terrorism close-up when he served as the US national coordinator for security and counterterrorism from 1998-2001, and he doesn't like it when people confuse information security threats like data loss or operational disruption with the kind of terrorism practised by al-Qaeda or Hizbollah.

"If you say 'cyberterrorism' and sort of glue the two of them together it gives the reader or listener the impression that it's Osama bin Laden in a cave somewhere in Pakistan with a laptop that we have to worry about," Clarke says. "But in point of fact, it's not. It's a much more diverse threat. It's a threat from criminals. It's a threat from vandals who do it just for the hell of it. It's a threat from other companies and other countries that are engaged in industrial espionage. And it's a potential threat from other countries and organizations, including terrorist organizations, that want to go after national infrastructure."

After the Bush administration downgraded the position of national coordinator for security and counterterrorism in 2001, Clarke moved on to the role of the president's top cybersecurity adviser and chair of the Critical Infrastructure Protection Board, where he helped draft the US National Strategy to Secure Cyberspace before resigning in February 2003. His resignation brought an end to a record-setting 11 consecutive years as a White House staffer, but now, firmly ensconced in the private sector, Clarke is once again a man with a mission: to make individuals and businesses aware that the threats they face on the information front are not only real, they're getting worse.

"The problem has been that after 9/11 things that did not result in thousands of body bags were difficult to put into the spotlight of national attention," Clarke says. "How can it be a major security problem if it doesn't kill people? Well, it can be."

The Bureaucratic Salute

According to Clarke, the problems facing security executives at the enterprise level are largely a matter of bad governance. The current state of the security landscape reminds him of the "bureaucratic salute" he often observed during his government years: Instead of saluting and saying: "I'm in charge", executives use both hands to point out other people who are in charge - or who are to blame.

After the passage in the United States of the Sarbanes-Oxley corporate governance legislation, a number of organizations looked at how they should best model their governance systems. Clarke himself has provided input to such studies (in fact, his conversation with CIO in Australia was arranged thanks to his consulting work with security vendor Symantec), and in his opinion the best model for enterprises to follow is to create an operational security risk committee that includes the CIO, CFO and COO, as well as the internal auditor, general counsel and CSO. "These responsibilities overlap, and only by having a group where every member of that group has responsibility can you address the major security problems and how dealing with them properly gives the company an economic advantage and how dealing with them improperly puts the company at great risk," Clarke says.

It's a task that's often easier said than done. As recently pointed out in a September 2004 report by The Conference Board, called "Cops, Geeks, and Bean Counters: The Clashing Cultures of Corporate Security", security at most companies is divided into three separate areas: physical security, IT security and risk management - the "cops, geeks, and bean counters" of the report's title. These three worlds are divided not only by their position in the corporate hierarchy but also by culture. As the report states, each area "has its own educational and career path, its own jargon, and its own distinctive worldview". Overcoming this clash of cultures is crucial to managing security effectively.

Clarke freely acknowledges that such cultural or institutional divides are common in large organizations. Having spent 30 years in the public service, he's seen more than a few government agencies that faced similar clashes of culture. Nevertheless, Clarke also knows from personal experience how a committee, properly empowered, can help bridge such gaps.

"One of the things that President Clinton did from time to time when we had a complicated problem was to get everybody in charge of a slice of it and put them in a room together. Then he'd say: 'You're all presidential appointees' - which meant he could fire them. But he'd also say: 'This is a presidential mission and whatever your narrow job description is, you now have a larger job description, which is that you have as much say, as much ownership and as much responsibility for this larger issue as everyone else around the table. You all have an equal say and you all have an equal responsibility, and therefore you all have to take the entire problem into account, not just your little, narrow bit of it.'

"I think that's what these corporate operational security risk committees are doing," says Clarke. "The CEO and the corporate board of directors are saying to their operational risk security committees: 'You each have personal responsibility for this overall issue, not just your slice of it.'"

The operational security risk committee approach advocated by Clarke obliges CIOs, CSOs and CISOs to look beyond their individual security responsibilities and view them as part of a larger whole. "You might be the CSO and think you only have to worry about physical security. Not any more. You may be the CIO and think your major job is to keep the systems running. Not any more. You all have the same responsibility, and you have it collectively," Clarke says.

Such an approach also requires CIOs to adopt new ways of thinking about the enterprise IT requirement. In Clarke's view, this translates to architecting information systems based on the assumption that they're going to live in a constant state of "cyber chaos".

"Typically CIOs look at the IT requirement and ask: How do I keep my systems running as cheaply as possible and as easily understood by the user as possible?" Clarke says. "It makes life a hell of a lot easier if you assume that your enterprise IT architecture lives in a hostile world and is constantly going to be under attack, and instead ask yourself: How do I architect it for a multilayered, attack-tolerant defence? Because as good as you are at architecting your system, somebody's going to get through. So the question is: How do I make it attack-tolerant so that I can be resilient and reconstitute quickly at low cost?"

Security As Competitive Advantage

Clarke believes many companies currently underestimate the security risks they're facing, but he's not just another Internet doomsayer trying to scare up new customers for his security consultancy. In Clarke's opinion even the companies that have recognized the need for better security are falling short of the mark, because they haven't figured out how to use security to gain an edge on their competitors. These companies may have become more secure since 9/11, Clarke says, but they don't know how to translate this increased security into an increase in market share.

With most research predicting that cyberthreats will continue to rise in the coming years, Clarke reasons that the future will belong to those businesses that can convince their customers that they have the most secure offering on the market. In the e-business environment of tomorrow, he says, security will be both a brand differentiator and a means of delivering competitive advantage. "Companies need to realize the extent of the problem, but they also need to think about differentiating themselves against their competitors by having more secure alternatives," Clarke says.

Security can be a competitive advantage, Clarke insists, but only if companies know how to sell it to their customers. He cites the example of Citibank, one of the largest banks in the US, which in 2004 ran an expensive - and humorous - television ad campaign on the issue of identity theft. In the ads Citibank admits that identity theft is a problem while at the same time assuring customers that the bank has systems and policies in place to deal with it. Another example is America Online, the largest Internet service provider in the US, which recently ran a series of TV ads promoting its cybersecurity systems as a reason to choose AOL over other ISPs. All money well spent, according to Clarke.

"Most companies that are first movers into the secure market can increase their market share because the public knows that there are security problems out there. Saying that there aren't, or not commenting on it, just isn't as credible as saying that there are," he says.
