Expect Some “New Thinking” on Cyber Security…

FACT: Department of Homeland Security head Michael Chertoff last week: “I am pleased to announce my appointment of Rod Beckstrom as the first Director of the National Cyber Security Center. Rod will serve the department by coordinating cyber security efforts and improving situational awareness and information sharing across the federal government.”

ANALYSIS: There are people who think inside the box, those who think outside the box, and those who ask: What box?

Then there are “the anti-box people.”  They see the box, shove it on its side, stomp on it to squeeze it flat, and consign it to recycling where it belongs.

One of those kind of people is Rod Beckstrom, a well-known Silicon Valley successful entrepreneur and author. I knew him at Stanford, aeons ago, and like others recognized his leadership drive when he ran successfully for student body president, and he left with both a BA and MBA on the way to forming his first successful software startup.

I was surprised when I read last week that Rod is moving to Washington to take a high-level government job.

In one of the bolder, more unpredictable personnel picks I’ve seen recently in the federal government, Rod has been named the first director of the new National Cyber Security Center. The NCSC will be in charge of coordinating all national-security efforts in protecting government computer networks from cyber attacks. 

The NCSC was created by a presidential directive signed in January, and the new position will be a direct report for Homeland Security Secretary Mike Chertoff.  The Cyber Security directive had other implications as well, and we can all expect further action throughout the year. Since joining Microsoft I’ve been working with the Intelligence and National Security Alliance on ways that industry can support these national-level initiatives.

Rod is not known for this topic area at all, but I can imagine that he was attracted by the global trans-enterprise scale of the challenges involved. After his first few tech startup successes over a decade ago, he was mostly known in the Valley for being a patron to innovative non-profit and community development groups, and for founding the “Global Peace Network.”  (Here’s a bio.)

But he recently cofounded TWIKI.NET, a company offering support for building and using “the industry leading open source enterprise Wiki,” and through that he has become very interested in optimzing large-scale enterprise systems. He also impressed many, including in forward-thinking circles in the Intelligence Community, with his book, “The Starfish and the Spider” which argues for decentralized organizations vs centralized (e.g. Craigslist vs traditional advertising models, or al-Qaeda vs the Pentagon). My colleague Bob Gourley of Crucial Point is a fan of that book and has blogged about Beckstrom’s likely approach to national cyber security.

If you want to anticipate some of his “anti-box” thinking on cyber security, I could point to one interview he gave over a year ago which might give some hint on how he will think, at least; though it isn’t on the topic itself, the examples he cites bring to mind some potential avenues of “New Thinking” with security implications for government at all levels, including state and local “fusion centers” and the ability of DHS to support cyber security top to bottom.  The full interview is here, but below are some interesting excerpts:

Q. You say that when our founding fathers sculpted our Constitution, they put the government in the “sweet spot,” between centralized and decentralized. Are we still there?

A. We’ve drifted strongly back toward centralization over time as a country, and of course we wobble back and forth a little bit. One of the biggest examples was after 9/11, when we took all the different police forces and intelligence forces and put them all under Homeland Security. That was a major centralization move, and typical: When a fairly centralized player gets attacked by a decentralized force, like al-Qaeda, the first reaction is to centralize further, and that’s usually a strategic mistake.

Q. So how do we get back into the sweet spot?

A. One way is to push responsibility back to the state governments. In some areas you can decentralize by outsourcing services further. One of the ultimate moves in terms of combating terrorism is to have the government use more Special Operations forces, which tend to be more decentralized, working in small teams that in general are given a high level of autonomy. . . . I gave a presentation at Stanford in 2004 to 50 CEOs from around the world. One CEO took it back to a head of state in a Middle Eastern country to the top levels of government. Based on it they decided to start their own local special operations in a selected city, and found it to be much more effective than their traditional, centralized counterterrorism operation — at a very small fraction of the cost. The people living in any community have the best sense of what is really going on in that community. They have local intelligence. The best information is at the edge of a network . . . where people are bringing what they want into the network and taking out what they want, without any centralized control.

In an email, Rod has asked me to suggest some key articles or white-papers to read on cyber security from a government and enterprise perspective, so I’m soliciting ideas to pass along.

Email this post to a friend