Gen. Clark wants more proactive government role in cybersecurity

Computerworld - PHILADELPHIA — Retired supreme allied commander Gen. Wesley K. Clark said today that the insurance industry and tougher government enforcement of security standards are keys to improved cybersecurity and critical-infrastructure protection.

Clark, who hasn't made a final decision about a presidential bid in 2004, told hundreds of government and private-sector representatives here that a better balance between market incentives and government regulation is urgently needed, particularly in the areas of cybersecurity and critical-infrastructure protection.

"We've got to have standards in this country" that must be communicated to the private sector and enforced if the homeland security effort is to succeed, Clark said.

Clark's comments, made during the second annual Government Symposium on Information Sharing and Homeland Security, come one week after Microsoft Corp. Chairman Bill Gates and other industry officials publicly threw their support behind greater use of government testing, evaluation and certification of commercial software.

In an interview after his keynote speech, Clark acknowledged what critics have long said about the Bush administration's National Strategy to Secure Cyberspace: that it lacks teeth and requires little or no action by the private sector, which owns and operates more than 85% of the nation's critical infrastructure.

"What you need is an arrangement with federal risk-sharing and counterterrorism insurance," said Clark. "To make the standards work in the private sector, you start with insurance and with the federal government underwriting risks. [However], there may be areas where you can't do that and you simply have to mandate it and say that in order to be licensed as a business, you must meet certain standards."

Gen. Wesley K. Clark (Ret.)

According to Clark, the government must do more to push the private sector toward better cybersecurity. "Here's where you have a private-market flaw. In my experience, very little has been done in business in terms of cybersecurity." He said there is little or no incentive for the private sector to move away from the current security model, which is centered on not reporting security incidents.

The government also faces challenges when it comes to information-sharing, he said. "There are enormous barriers between databases," said Clark. "Some are physical barriers, some are procedural barriers, and some are institutional and policy barriers. We don't need a single ... room-size data storage model. With the correct use of information technology, we can create virtual databases that will enable the Department of Homeland Security to become a real department instead of negotiating with its constituent parts."