[ISN] Cybersecurity's New Guard
http://www.businessweek.com/technology/content/mar2008/tc20080320_011308.htm
By Keith Epstein
Business Week
March 21, 2008
Rod Beckström may seem like an unconventional choice to be the nation's
top cybersecurity watchdog. On Mar. 20, the Bush Administration named
Beckström head of the National Cyber Security Center, an interagency
group quietly created by a national security directive signed by
President Bush in January.
Beckström, 47, is a Silicon Valley entrepreneur, a former derivatives
trader, and a champion of conflict resolution in Africa. He's better
known as the founder of business collaboration software provider
Twiki.net and as an author specializing in the agility of decentralized
organizations than for connections inside the Beltway or expertise in
cybersecurity.
Is he really the best choice for defending U.S. computer networks from
cyberattacks? Does Beckström have the bona fides to secure the
government's computer systems, which have been penetrated with
regularity in recent years, and against which the government has failed
to orchestrate a coordinated, centralized response? Absolutely, say some
network security professionals and insiders at the Pentagon, the
National Security Agency, and the White House.
Decentralization Expertise
Who better to come against the splintered, decentralized bands of
hackers and cybercriminals who pose the biggest threat to computing
systems than an expert in, well, decentralization? Beckström highlights
the benefits of not having a traditionally hierarchical, identifiable,
and centralized organizational structure in The Starfish and the Spider:
The Unstoppable Power of Leaderless Organizations [1], a book he
co-authored in 2006.
For one, leaderless groups are more nimble. They can be more creative.
Think of the creation and organic growth of Craigslist, Wikipedia, and
even terrorist cells. Then there are hackers, whose ability to mask
identities, navigate the unregulated wilds of the Internet, and insert
malware where chief information officers least expect it gives them
disproportionate power and reach. Whether in the marketplace or the
battlefield, the advantage goes to those who are harder to identify and
locate, and who lack a clear headquarters or chain of command.
"Decentralization has been lying dormant for thousands of years," wrote
Beckström and co-author Ori Brafman. "But the advent of the Internet has
unleashed this force, knocking down traditional businesses, altering
entire industries, affecting how we relate to one another, and
influencing world politics."
Beckström and co-author Brafman add: "The absence of structure,
leadership, and formal organization, once considered a weakness, has
become a major asset. Seemingly chaotic groups have challenged and
defeated established institutions. The rules of the game have changed."
Spider vs. Starfish
The title comes from organizational properties. "Spider" organizations
are rigid and centralized. People follow the leader. Encounter big
problems at the top and the entire structure collapses. Better to think
like a "starfish," which moves forward thanks to the independent
movement of multiple arms that can regenerate if severed.
The question now, of course, is just how far Beckström can take his
thesis. He has supporters who think similarly in the Pentagon, where
senior military officials have mentioned his book while discussing
computer security issues and in gatherings of computer security
specialists in the few weeks prior to Beckström's selection.
As one such security consultant noted in an early March presentation to
computer-system managers working for defense contractors, power
companies, and universities: "What sense does it make to let the enemy
know the Air Force has a Cyber Command up and running? Maybe it makes
more sense to think as Rod Beckström advocates—dispersing our networks,
spreading our response to them around, creating the same kind of
uncertainty in their minds about where we are that we have about where
they're coming from."
Federal bureaucracies have been struggling for years with hacker
intrusions and attempts to manage varying efforts within agencies. But
despite new laws and rules, new programs within individual agencies, and
a 2003 national "strategy" intended to secure cyberspace, many
government networks remain insecure. The General Accountability Office,
the investigatory arm of Congress, last October noted that agencies
often lack information security on their networks and had not secured
data.
"We're simply stalled as a nation when it comes to cybersecurity," says
Vic Maconachy, a former top computer science official with the National
Security Agency. "We can no longer wait for someone to come along and
lead the way."
The impulse for a coordinated fix is now accompanied in some circles by
a yearning for a decentralized approach. Cybersecurity specialist Paul
Kurtz, a former homeland security and national security official during
the Bush and Clinton administrations, is among Beckström's fans.
"Rod can help the government bureaucracy help itself," says Kurtz.
"Rather than centralized command and control, Rod brings new thinking
about how decentralized organizations can help defend government
networks."
Beckström has made no bones about his criticism of the Bush
Administration's approach to terrorism. "After 9/11…we took all the
different police forces and intelligence forces and put them all under
Homeland Security," he noted in a Jan. 1, 2007, interview with The
Washington Post. "That was a major centralization move, and typical:
When a fairly centralized player gets attacked by a decentralized force,
like al Qaeda, the first reaction is to centralize further, and that's
usually a strategic mistake." Added Beckström in that interview: "We can
centralize our opponents and decentralize our own activity."
A Serial Entrepreneur
Homeland Security Secretary Michael Chertoff welcomed Beckström in a
brief statement, saying he would help government agencies "implement
cyber security strategies in a cohesive way" and improve "situational
awareness and information sharing." Chertoff noted Beckström has "unique
entrepreneurial and creative business thinking." A Homeland Security
spokeswoman says Beckström is currently declining requests for
interviews.
Twiki.net, an open-source collaboration platform for businesses,
including many blue chip companies, replaced its co-founder with Thomas
Barton as interim CEO.
A native Oklahoman, Beckström started his first company at age 24 in a
garage apartment. He was attending Stanford Business School at the time,
and had previously worked in London for two years as a derivatives
trader at Morgan Stanley (MS). By stringing together student and other
loans, he created financial software that eventually became CATS
Software. The software helped banks estimate the risk of derivatives
used as a hedge against losses in currency and interest rates.
Beckström co-founded Mergent Systems, eventually sold to Commerce One,
and has been an adviser to venture capitalists. He also serves on boards
of African microlender Jamii Bora Trust and the Environmental Defense
Fund.
Epstein is a correspondent in BusinessWeek's Washington bureau.
[1] http://www.amazon.com/exec/obidos/ASIN/1591841437/c4iorg