excerpt from my book on technology, terrorism, and DHS, tentatively titled "Skating on Stilts." (If you want to read the excerpts in a more coherent fashion, try the categories on the right labeled "Excerpts from the book." I'm afraid I can't fix the bug in TypePad that prevents me from putting them in the category in reverse-chronological order, but I have started putting chapters up in pdf form from time to time.) Comments and factual quibbles are welcome, either in the comments section or by email: firstname.lastname@example.org. If you're dying to order the book, send mail to the same address.
Cybersecurity regulation had been talked about for years. The Bush Administration had floated the possibility in 2002. Or, to be more precise, Richard Clarke had floated the idea.
Clarke was a flamboyant bureaucratic warrior camouflaged by the dress and haircut of a high school math teacher. A career official with a knack for building empires -- and making enemies -- he had risen to take charge of both cybersecurity and terrorism policy in President Clinton’s National Security Council. He later became famous briefly for his scathing denunciation of the Bush White House’s response to terrorism warnings. But in 2000 he was better known as the man who had sponsored the failed Clinton Administration plan to build a monitoring network.
Clarke was held over by the Bush Administration, with the same two portfolios he had held under President Clinton -- terrorism and cybersecurity. But he never seems to have gained the same support in the new Administration as he had in the old one. After the attacks of 9/11, pushed out of the terrorism job, he poured himself into his cybersecurity role, spending much of 2002 drafting a strategy for the new Administration.
Always a hard-charger, Clarke had high ambitions for his new effort. He planned a grand event to unveil the strategy in September of 2002. Reportedly, the strategy sidled up toward new mandates for industry, calling on technology companies to contribute to a security research fund and pressing Internet service providers to bundle firewalls and other security technology with their services. But just days before the event, Clarke’s wings were publicly clipped. Industry had found more sympathetic ears at the White House, and he had too few friends at the top. His carefully honed strategy was unveiled, not as a final document but merely as a draft, for comment. And even for that purpose, anything that could offend industry, anything that hinted at government mandates, was stripped out.
For Clarke it must have been the final straw. He’d already been pulled off the terrorism account with brutal swiftness after 9/11, and now his year of effort on cybersecurity had ended in a public rejection of his work.
He stayed in the White House just long enough to produce a final strategy document that was as tepid as the draft. Then he quit.
Industry had claimed another scalp in its long campaign to head off federal mandates aimed at improving computer security. The President (though not industry) eventually paid a heavy price for Clarke's resentment. The one-time security adviser became a harsh Bush critic, in testimony before the 9/11 Commission and other writings.
I thought of Clarke’s fate as we put together the report. Regulation had become an electrified third rail. Especially in a generally business-friendly administration, advocating more regulation was not likely to be career-enhancing.
But the status quo clearly wasn’t working. Moore's law was working against us. We had to find a way to change incentives, to get information technologists to start building security into the foundation of our networks. It’s not that I thought regulation was always going to be the right answer. But I was sure that it had to be on the table. Especially because regulation didn’t have to mean classic command-and-control Federal Register rulemaking.
Government doesn’t have to issue mandatory rules to influence private sector behavior. It can use a variety of incentives to encourage security. So the policy office laid out a range of approaches, ranging from soft to hard.