Survival Guide: John McCarthy, executive director of the Critical Infrastructure Protection Project

What can the academic community add to our understanding of cybersecurity? Plenty, said John McCarthy.

He is executive director of the Critical Infrastructure Protection Project, a joint program of Virginia's George Mason and James Madison universities that brings together research in law, policy and technology to tackle problems related to cybersecurity and protecting the nation's critical infrastructure.

Formed in May 2002, the program has more than 30 research projects under way. One project is studying Internet infrastructure to develop a comprehensive map of the United States' telecommunications infrastructure. The map will enable researchers to understand how Internet connectivity and performance would be affected if key facilities were destroyed.

Another study, the Insurance and Critical Infrastructure Protection project, will develop solutions for promoting a risk-allocation mechanism for cyberinsurance. And the Estimating Premiums for Insurance for HIPAA project will set premiums for insurance under the Health Insurance Portability and Accountability Act, crucial to creating instant incentives for improving the security of health databases and operations.

McCarthy is well-suited to spearhead the program. He was a consultant to government clients while with KPMG LLP; he served as a professional staff member of the Critical Infrastructure Assurance Office, supporting the National Security Council; and he worked for the Assistant to the President for Y2K, coordinating cybersecurity preparedness planning efforts.

Staff Writer Patience Wait spoke with McCarthy to find out how the project is helping strengthen the nation's cybersecurity and critical infrastructure.

WT: With all the attention being paid to cybersecurity by various government agencies and private-sector groups, what does the Critical Infrastructure Protection Project contribute that is unique?

McCarthy: What is unique is that we've tried to bring together law, governance and policy -- lawyers together with economists and technicians.

WT: You've got several research projects under way. What is the most important project? Which will come to fruition first?

McCarthy: All of the projects are important. It's difficult to categorize, because there are three or four different levels of research. One is awareness -- just getting the researchers to turn from their normal focus five degrees to the right, and look at the work in a different way. [For instance] in transportation, look at the principles there and apply that to how packets move around the Internet. That's a direct response to an articulated need outside, [which is] work not being done in the government or private sector.

Then there's research ... looking out over the very far horizon. One example: We have the most recent winner of the Nobel Prize in economics, Vernon Smith, looking at the economic models behind the energy sector, moving to [a model] that accounts for security and vulnerability.

WT: Do you think the administration is paying sufficient attention to cybersecurity, given the recent flap over the placement of the function within the directorate at the Department of Homeland Security and the dissolution of the White House office?

McCarthy: It's an interesting question. ... Think about what was done by Dick Clarke and the Office of Cybersecurity. An incredible effort, what they did going from the findings of the presidential commission in 1997, to the year 2000 [effort], to now -- that's basically warp speed. [They took] an issue that previously got almost no attention, and [got] it to the top of the agenda in two administrations.

[Some are unhappy] because they say if you don't have a special adviser, you've lost the focus. But one thing the Office of Cybersecurity didn't have was a whole department to turn to...

At this point, it would be almost awkward to have a highly centralized White House element with a department trying to build a cyber and physical security structure. ... We applaud Dick Clarke for getting this agenda moving; now it's time to put it back in a departmental structure and let it grow from there.

WT: What is missing in approaches to cybersecurity?

McCarthy: I think the biggest thing that's missing from the big agenda is a broad conceptual framework that everyone buys. We have a national strategy, and I concur with that strategy. We have a new department. The level of awareness over the last decade has risen from it being a techie issue to being discussed in the boardroom. The frustration level -- when you want everything to happen yesterday -- is not having a broad framework where every stakeholder can reach up, whether in government, academics or the private sector, and feel, "This is where I plug in."

John McCarthy, executive director of the Critical Infrastructure Protection Project

Susan Whitney














