September 1, 2005
Dear Assistant Secretary,
By now the congratulatory speeches and handshakes from President Bush are over and you've got to get to work. Let me congratulate you on your new job and offer some advice.
Your first task should be to solve the department's own problems. I'm sure you remember that report from May 26, which concluded that Homeland Security had fulfilled precisely zero of its 13 key cybersecurity responsibilities--a damning indictment of an agency that's supposed to be the brains of the federal government in this area.
In that report, the Government Accountability Office concluded that the department "cannot effectively function as the cybersecurity focal point intended by law and national policy" at the moment, and even warned that it may be "unprepared to effectively address cyber emergencies."
I know that lackluster performance in the past wasn't your fault. And it may have been inevitable; when the department was created nearly three years ago, it was bequeathed a clutch of unrelated computer security centers from the FBI, the Defense Department, the Commerce Department and the Energy Department.
Just as important is your relationship with the private sector: the technologists, network administrators and executives who are the ones busy expanding the Internet and finding better ways to secure it.
You may wish to consider the performance of Richard Clarke, one of your predecessors, as an example not to follow.
Clarke made a habit of showing up at security conferences and lecturing the attendees on topics that they usually knew more about than he did.
In one speech at the 2002 RSA Conference, Clarke proclaimed: "If you spend more on coffee than on IT security, then you will be hacked. What's more, you deserve to be hacked."
Those kinds of statements may have endeared Clarke to the media, but they weren't exactly a way to establish lasting relationships with technology companies. No wonder he left his White House post in a huff.
You might want to demonstrate a bit less hubris. Remember, you've been appointed as a servant of the American people--not their master--and a little modesty goes a long way. (Also, lectures on cybersecurity tend to be taken more seriously from an agency that has its own problems under control. See above.)
Besides, how do you know whether a company is spending too little or too much on computer security? Perhaps a company would be better served to focus on R&D to avoid being beaten by a rival. Maybe a CEO should spend more on physical security because valuables are being expropriated by thieves. Perhaps a board of directors should offer more vacation to their employees, or extend product warranties, or relocate to a different city, or a zillion other possibilities.
It's true that an outsider without knowledge of those details can offer some uninteresting platitudes like "security is important" or "use firewalls and VPNs." But in the real world, resources are finite. Realistically, only someone with direct knowledge of a company's individual situation can even hope to know what tradeoffs are wise.
That's individualized knowledge that you--and other government bureaucrats--simply don't have.
Two other ideas might be worth considering. To Clarke's credit, he opposed a national ID card. But now Homeland Security is to create what could amount to one. You have some influence here, and could choose to use it to ensure this card--due in May 2008--will be secure and privacy-sensitive.
Finally, you could be an advocate for the widespread use of encryption. Yes, it may foil some police surveillance operations, but the privacy benefits almost certainly outweigh the inconvenience to law enforcement.
Above all, show humility. It will serve you well in this job--and differentiate you from your predecessors in a very complimentary way.