TechTalk: A Conversation with Richard Clarke

He is the man of the moment. A 30-year veteran serving as senior advisor to three presidential administrations, a best-selling author, and most recently the voice of those critics of the White House who contend that more could have been done to prevent 9/11.

For the moment, Richard “Dick” Clarke looks to the future rather than the past, offering his views that the war on terrorism must be fought by the private and public sectors alike, and that even as we bear witness to threats to our nation’s security, opportunities exist for creative and entrepreneurial minds to assist in securing our nation’s formidable business enterprise and critical infrastructure.

I met Dick and his team in March of this year to discuss opportunities some of our companies might have working with Good Harbor Consulting, where he is chairman. Each of my companies could use more revenue, and the government, in many areas, is an active buyer of software and technology products. Though there are several firms like Good Harbor, I was partial to it, as one of my CEO’s brothers-in-law, John Schoew, had recently joined the firm and spoke highly of the principals.

We ended up having a good meeting, and I didn’t think much more about Dick other than that he was extremely sharp, knowledgeable about goings-on in Washington, and that my companies could probably benefit from his insight. It wasn’t until he was in the news for the third night in a row that it struck me what a unique role he played for our country for the better part of three decades. Soon thereafter, I asked Dick if he would sit down for a Q&A to share his insights in security and technology with readers of VCJ. He was gracious enough to grant a phone interview, which is transcribed below.

Ravi: Your testimony, and your book – Against All Enemies – have made quite a splash recently. But there probably aren’t many people who know about your other major endeavor, Good Harbor Consulting. What is Good Harbor, what does it have to do with winning the war on terror, and how is its mission relevant to the venture community?

Dick: Good Harbor is a small consultancy that helps companies concerned with cyber security, corporate security/risk management, counter-terrorism and homeland security. We firmly believe that the private sector can contribute to the war on terrorism by appropriately securing its own assets and, in some cases, by developing products that can help the government and other companies secure theirs.

Vis-a-vis your recent publicity, do you have any regrets/admonitions as to what the media has been focused on? Sound bites have made it seem like a partisan critique of the Republican Administration. What was the real point of your testimony?

The media have focused on my comments about the Bush Administration prior to 9/11, [yet] the book is also about the preceding years, including missteps by the Clinton, Bush 1, and Reagan Administrations. What has not been focused on as much have been the several proposals about how to prevent future terrorism.

In an interview you gave last August in CIO Insight Magazine you mentioned that IT security audits of 22 government departments yielded 14 grades of “F” and 8 passing grades but none better than C+. How can the government still get 14 completely failing grades in IT security preparedness in a post-9/11 world? Can you drill down and pick this apart in terms of concerns first, and then opportunities second?

Federal government agencies range from highly secure to pathetically open to cyber attack. Within the huge federal bureaucracy there are examples of the best practices and technology [in parts of the Department of Defense] to departments so bad that they have been ordered to disconnect from the Internet for their own protection [the Department of the Interior].

Could the lack of preparedness within some of those departments be seen as an opportunity by the technology industry to help the government catch up? And, if so, whom should Silicon Valley call to get a purchase order?

Most departments work through a few major systems integrators, such as Lockheed Martin, General Dynamics, Raytheon, Northrop Grumman, SRA, Unisys, CSC, and EDS. Vendors should work with these [systems integrators] to access the federal market, which is about $5 billion a year for IT security.

There are people who have read your book who now consider you a hero – the first person to ever apologize to the families of the victims of 9/11. That apology showed a sense of humility not often seen in government or at the highest levels of business today. In some ways, it seems that the arrogance of corporate management has neglected shareholders in the same way the arrogance of the government elite has neglected the electorate. With that said, is there something fundamental about the lack of humility that has resulted in a lack of progress on terrorism?

We are all guilty of insufficient humility, especially in terms of questioning our assumptions. The United States also has a tendency to underestimate the enemy, as we did in Vietnam. The enemy today is well educated, many with graduate degrees from U.S. schools. They are in it for the long haul. The war on terrorism is going to take a generation or more, just as the Cold War did.

In your writing, you’ve consistently referred to the persistent threats to the nation’s critical infrastructure and the little we’ve done to address it. What are the top three to five things that could be done?

The best thing we could do would be to develop low-flaw software, especially operating systems and widely proliferated applications. Flaws in software create vulnerabilities which hackers exploit, as well as requiring costly patches. Short of that, we need to employ software scanners to detect the flaws and automated vulnerability audit tools. Use of authentication, access controls and identity management systems, along with widespread use of encryption would also go a very long way to securing corporate systems.

If a limited partner gave you $100 million to invest in 10 companies, given your background and experience, which ones would you pick? If you’d rather not pick specific companies, name at least five areas in IT security that make sense to you.

Near-term I think there is an emerging market for patch-management systems and for software scanning and tamper-proof software. Mid-term, I would invest in companies that see an opportunity in the forthcoming global shift from Internet Protocol Version 4 to IPv6. Also interesting are companies that are moving into the market for Linux-based PCs, for both operating systems and applications. Europe and Asia are ready to shift to the Linux PC. Longer term, I would look for opportunities within quantum computing, which will revolutionize cryptography, and nano-computing – nano-chips, etc.

There is a perception that the Office of Homeland Security has lots of money to spend. Is there really a pot of gold coming online in government spending on technology? And is navigating the bureaucracy even worth the amount of budgeted money available to potential technology vendors?

I would advise most companies to stay away from the Homeland Security department for now. Its procurement system is not well developed and is very time consuming. Most of the Homeland money is going in grants to states and some to cities. If you can market to 20-plus states, then it might be worth it. However, most of that money is going for radios and not for bleeding-edge technology. There is some funding for detection systems and data mining, but less than most people seem to think.

Though Bush and Kerry have different approaches to fighting the war on terror, what are the common policies that likely will be pursued regardless of the victor in the presidential race? Are there businesses or market opportunities in this area that have yet to be conceived?

Whoever is elected this year, there will continue to be a big emphasis on homeland security and cyber security in the years ahead. If someone can create a multi-layered Internet – with some parts being more secure, higher priority, and with authentication [capabilities] – there would be widespread interest.

You’ve referred to the consolidation of all agencies within the Department of Homeland Security as pulling together the biggest mergers we’ve seen in technology – Compaq and HP plus Time-Warner and AOL – and then multiplying that by 10. That sounds like a recipe for disaster. Is there any hope for success or even improvement in the overall management and communications flow within our government’s security agencies, or were we better off before?

We were better off before, and it will take many years to make the 22 agencies work well together, but what’s done is done and we can now only try to reduce the time needed for integration.

Given that VCs, CEOs and entrepreneurs will read this interview, what is your main kernel of advice for helping to create a secure business environment?

Any company in which you invest – and indeed your own companies – should conduct an outside risk audit annually to ensure that cyber security, physical security, regulatory compliance, business continuity, and personnel integrity concerns are adequately addressed against some set of best practices and standards. Certain things have now become foreseeable risks. Moreover, doing things properly from a risk-management perspective can have ROI benefits. It may also distinguish you in the marketplace, and ultimately attract new business.

Ravi Chiruvolu, a general partner of Charter Venture Capital, is a regular technology columnist for VCJ. He can be reached at