Expert shares ideas for protecting government data

A former White House cyber-security adviser to President Bush and former President Clinton on Tuesday offered a prescription to federal agencies and companies searching for ways to prevent security breaches.

Richard Clarke said during a speech to government officials and companies that the security breaches at the Energy and Veterans Affairs departments and Internal Revenue Service show a crisis in data security.

He said he sympathizes with the VA employee who wanted to work extra from home. His laptop, along with the personal data on 26.5 million veterans, was stolen in a home burglary.

"Was he at fault or was the department at fault for not putting in place a system to protect the data?" Clarke asked. "It's not rocket science. There really are available technologies today that can solve so many of these problems."

"They are relatively cheap, relatively easy, relatively user friendly," Clarke added.

He offered a four-step plan to solve the typical problems he called "the low-hanging fruit."

First, he said the ability to remotely tell a laptop to stop working would solve the problem of stolen laptops. He said the devices essentially would telephone home when such laptops connect to the Internet and then get a command to stop working.

He also said sensitive data like e-mail, whole disks or data at rest should be encrypted, and cards to allow network access should be issued. Clarke said the Defense Department is working toward giving all government employees, dependents and contractors such cards to access buildings and computers.

Finally, he endorsed a newer concept called enterprise-rights management. It allows an agency or department to control data at all points. For example, the department, not the author, could decide who gets to read, print, copy or e-mail a document. The other feature tracks the data, and can tell who has it and what they are doing with it -- or trying to do.

"These will someday be as elemental and essential in doing our job in cyberspace as airbags, seatbelts and crash-testing for cars," Clarke said.

Michael Smith, a Harvard computer science professor, agreed. "Policies protecting the data should move with the data," he said.

While Microsoft and Adobe offer solutions to protect their own documents, only a few companies offer such security compatible with various document types.

Clarke favors Liquid Machines, a company which has been selling to Goldman Sachs and Wells Fargo but just entered the government market earlier this year. In an interview with Technology Daily, Liquid Machines CEO Michael Ruffolo said the company's biggest obstacle is breaking through the information overload to explain what it does.

Clarke had some advice to federal workers on how they can get heard to make security changes: Try meeting with top officials. "Most Cabinet members haven't met their chief information security officer," he said. "Most Cabinet members don't even know they have a CISO."

If that does not work, he added, there are always the department or agency inspectors general.