Retired supreme allied commander Gen. Wesley K. Clark said Monday that the insurance industry and tougher government enforcement of security standards are keys to improved cybersecurity and critical infrastructure protection.
Clark, who hasn’t made a final decision about a potential presidential bid in 2004, told hundreds of government and private-sector representatives in Philadelphia that a better balance between market incentives and government regulation is urgently needed, particularly in the areas of cybersecurity and critical infrastructure protection.
“We’ve got to have standards in this country” that must be communicated to the private sector and enforced if the homeland security effort is to succeed, Clark said.
Clark’s comments, made during the second annual Government Symposium on Information Sharing and Homeland Security, come one week after Microsoft Corp. Chairman Bill Gates and other industry officials publicly threw their support behind greater use of government testing, evaluation and certification of commercial software.
In an interview after his keynote speech, Clark acknowledged what critics have long said about the Bush administration’s National Strategy to Secure Cyberspace: that it lacks teeth and requires little or no action by the private sector, which owns and operates more than 85 percent of the nation’s critical infrastructure.
“What you need is an arrangement with federal risk-sharing and counterterrorism insurance,” said Clark. “To make the standards work in the private sector, you start with insurance and with the federal government underwriting risks. [However], there may be areas where you can’t do that and you simply have to mandate it and say that in order to be licensed as a business, you must meet certain standards.”
Clark retired from military service in 2000 as one of the most highly decorated U.S. Army officers since Dwight D. Eisenhower. He now heads his own consulting business and sits on the board of directors at several companies. Various private groups during the past few months have led a campaign to convince the former NATO commander to run for the U.S. presidency in 2004. Although Clark maintains that he isn’t a politician, he hasn’t ruled out a presidential bid.
According to Clark, the government must do more to push the private sector toward better cybersecurity. “Here’s where you have a private-market flaw. In my experience, very little has been done in business in terms of cybersecurity.” He said there is little or no incentive for the private sector to move away from the current security model, which is centered on not reporting security incidents.
The government also faces challenges when it comes to information sharing, he said. “There are enormous barriers between databases,” said Clark. “Some are physical barriers, some are procedural barriers, and some are institutional and policy barriers. We don’t need a single … room-size data storage model. With the correct use of information technology, we can create virtual databases that will enable the Department of Homeland Security to become a real department instead of negotiating with its constituent parts.”
Rep. Curt Weldon (R-Pa.) agreed and said that so far the biggest success at the U.S. Department of Homeland Security (DHS) has been the massive integration effort led by DHS CIO Steve Cooper.
“We’ve had a number of real threats (of attack) that we’ve stopped,” said Weldon, referring to classified intelligence briefings given to members of Congress. Stopping short of providing any details on the threatened attacks, Weldon credited improvements in IT interoperability and information sharing made since the formation of the DHS in November.
“Winning the war on terrorism is all about information,” said Clark. But trying to integrate hundreds of databases isn’t a problem that’s unique to the federal government, he said. Every major company in the U.S. has, at one time or another, wrestled with the same challenge, Clark said.
Tim Sample, a former senior staff member of the House Permanent Select Committee on Intelligence, agreed. “The technology is not the holdup,” said Sample. “Technology is not the issue. Bureaucracy is the issue.”
Sample said he fears that not enough attention and emphasis are being placed on the Information Analysis and Infrastructure Protection Division of the new department.