At a meeting with Flatrock Inc. officials in Portland, Ore., earlier this month, Special Advisor to the President for Cyberspace Security Richard Clarke was so impressed by the company's network security technology that Clarke turned over a list of potential buyers at federal agencies on the spot—something the nation's top security evangelist is reportedly doing with frequency these days.
“He got out his address book and started giving us names and phone numbers of people we should talk to,” said CEO Doug Fullaway. “I think they're looking for some people to prompt some change.”
The government's effort to bring more commercial technologies and better business processes to Washington illustrates a growing merger of IT interests between the public and private sectors. As federal agencies scramble to adopt business practices to improve IT efficiency and efficacy, corporate America is scrambling to take a security cue from the defense and intelligence communities. Increasingly, security-related IT companies are hiring and touting experts with military backgrounds.
In the case of Flatrock's technology, the needs of the private and public sectors coincide, according to Fullaway, a former U.S. Marine Corps officer who is beginning to wade into government contracting. Flatrock's products, which enable agencies with disparate networks to share information, can be installed in government networks without modifications, a feature that jells with the administration's initiative to buy more off-the-shelf technology.
However, the interests of Washington and commercial enterprises do not always advance together, and sometimes, the security needs of agents in the war against terrorism can be at odds with the security needs of customer-oriented businesses.
“In the government side of the world, security is pretty much black and white,” said Gary Lynch, vice president for commercial infrastructure assurance at Booz Allen Hamilton Inc., in New York. “In the commercial sector, security is negotiable.”
Unlike the government, enterprises have to consider the impact their security initiatives have on service levels and customer satisfaction, said Lynch, who joined Booz Allen in April, having previously worked with the FBI, the National Security Agency and the U.S. Secret Service, among other organizations. Implementing stricter authentication controls can frequently improve a company's network security, but it can come at too steep a cost. For example, requiring call center agents to demand additional authentication beyond a password can reduce the incidence of fraud, but it also slows service, which can alienate customers.
Tightening information access restrictions is another security tool that's popular with the government but does not necessarily benefit the private sector, according to Lynch. In the insurance industry, for example, restricting the number of processors with access to claims enhances the security of a company's data, but it also slows the processing time—something that insurance companies increasingly use to differentiate themselves.
Although the Bush administration is working diligently to encourage better security practices and products in the private sector, officials such as Clarke are quick to assure IT professionals that they do not intend to set standards or interfere with the direction of technology. Instead, they are pursuing a strategy of what Clarke calls “nudging,” a behind-the-scenes method of encouraging IT users to promote improved security through their own demands.
In addition to encouraging businesses to take a closer look at the quality of the security products they install, Clarke and his colleagues are pressing for public/private information sharing, more federal research and development funding, cyber-security insurance, and private-sector-driven certification for security personnel.
“It became quite apparent that the mode of operation here is proposing guidelines to grease the skids,” Flatrock's Fullaway said of Clarke's recent visit to Portland. “It's very easy for the government to fall over into a ‘Thou shalt do things this way’ approach, but, instead, I found a real sensitivity to the idea of going and getting the best of the marketplace.”
The White House's recent call for a new Cabinet-level Department of Homeland Security is expected to serve, among other things, as the central purchasing point for vendors vying for a share of the $53 billion the country is slated to spend on IT next year.
By mid-September, the White House is slated to release a national strategy for cyber-security, which is being drafted as a road map for industry, Congress and the administration to pursue a united campaign for more-secure networks. While the document will establish guidelines and outline the administration's priorities, Clarke has repeatedly assured the industry it will remain fluid in an effort to evolve with changing threats and changing technologies.