Interview: Ask yourself what your vulnerabilities are, say Bush officials


Richard Clarke and Howard Schmidt have a unique challenge. President George W Bush has charged them with securing the US information technology infrastructure.

Clarke is President Bush's cyber security adviser and chairman of the president's Critical Infrastructure Protection Board, which was created last October. For most of the 1990s he was President Clinton's adviser on counter-terrorism.

The Critical Infrastructure Protection Board vice-president Howard Schmidt is the former chief security officer of Microsoft.

Together, the two men are the most prominent advocates of information security in the US and, in an exclusive interview, they discuss their role after last year's 11 September terrorist attacks.

A year after the attacks, Clarke was concerned with highlighting a measurable improvement in the security of the US government's IT infrastructure and with using this as an example to the private sector.

"The budget the president sent to Congress in February asks for a 64% increase in funding to defend federal departments and agencies," said Clarke. "That's almost 6% of the federal IT budget on IT security.

"We're trying to do two things with that," he added. "We're trying to fix very serious problems that the federal departments have. But we're also trying to set a model for the private sector, for members of corporate boards of directors, for chief executive officers."

Clarke admitted that the 6% figure was not a benchmark for the private sector. "It's catch-up for the federal government," he said. "And it won't be enough if we don't sustain it or, perhaps, even raise it over several years.

"There's no figure that is appropriate for every company or every institution. That's why we're not saying 6% is the target. We're saying that every CEO and every member of the board of directors should be asking the question, how much is enough for my company?"

Clarke accepted that many would find it hard to accept the idea of the US government as a role model for IT security.

"We'd like federal agencies to be a role model and, unfortunately, with few exceptions they've been a model of how not to do it," said Clarke. "That's why President Bush is committed to fixing that problem. We have an obligation to put our money where our policy is."

Clarke and Schmidt conceded that it would be difficult to measure any improvement in IT infrastructure security.

"There are probably guideposts along the way, but there aren't measures of effectiveness that are more than anecdotal," said Clarke.

"You can look at the number of computer incidents; you can look at the dollar value of damage done by those incidents. Unfortunately those numbers are skyrocketing. That doesn't mean that we're not making progress."

Schmidt added: "If you have a metric in which you identify the number of viruses found when you scan systems, is a lower number good or is a higher number good? That's the challenge. If you're not catching many viruses, does it mean they're not there or that they're not affecting you?

"The other challenge is quantifying a negative: How many burglaries have I prevented by having extra police cars on the street? If you don't get broken into, that's a good thing, but was it because you did the right thing, or because they were hitting somebody else at the same time?"

Since 11 September, much of the public rhetoric from the Bush administration has focused on hunting down the enemies of the US. However, Clarke and Schmidt believe that looking for enemies, what they call the "threat paradigm", is the wrong way to approach IT security. Instead, IT security professionals should adopt a "vulnerability paradigm".

According to Clarke and Schmidt, this means: "Don't worry about who's going to do it. Don't worry about when it's going to occur. Ask yourself what your vulnerabilities are. And then find that intersection between the things that are the most vulnerable and the things that would be the most damaging.

"It's a shift from who, when and where, to where are my weaknesses, and what are the most important weaknesses that I have?"
