When it comes to reducing risk from cyber terrorism, the federal government faces the same difficulties as the private sector. This was one of my takeaways from an invite-only bloggers roundtable with the chief of Homeland Security, Michael Chertoff, the current secretary of the DHS.
In a room much too large for the 3 bloggers and a single member of the SF Chronicle press on the Stanford campus, we were afforded a unique opportunity to speak candidly with the co-author of the Patriot Act and the second person to hold the highest national security position post-911.
We were told to arrive at the designated location with enough time to clear security. After finding the golden trophy of a guest parking spot at Stanford, I fumbled around the campus in an attempt to find the correct building. Walking into the foyer of a stone building that fit perfectly into the pristine and majestic grounds, a man in a black suit with a BlackBerry and surveillance earpiece decided I was in the correct location. Soon I was meeting members of the Secretary's entourage and instructed to move down the hall and past the bomb-sniffing dog where the others were waiting. Minutes later we were passed through security and were "OK'd" to enter the conference room.
The four of us took our seats and began to wonder aloud if we "were it." A few minutes passed before Mr. Secretary stepped into the room. We introduced ourselves and I had expected at least some kind of small presentation. Instead, Mr. Chertoff offered no more than 3 sentences of welcoming remarks and the floor was open to questions. I felt a bit dumbfounded by the lack of structure, the openness of the situation, and honestly, by the fact that I was sitting just a few feet away from a member of the President's cabinet.
We learned that members of the Secretary's staff knew that all of us had solicited questions from our reader base via blogs, Twitter and Facebook. Chertoff said these questions would be a good place to start. An uncomfortable smile crossed my face. It was the smile anyone would have when you hear first-hand that the federal government has been reading your blog and Twitter stream. The feeling was partly creepy and partly pride with a dose of "that's not entirely surprising" thrown in for good measure. They did invite me after all, so they had to have done some kind of homework. It turns out that even the federal government uses Google.
We started with questions submitted by our readers, friends and colleagues. In the day leading up to the event I had heard several criticisms that an event like this was a waste of taxpayer dollars. One Twitter buddy went so far as to suggest I was spending his economic stimulus package. The Secretary had anticipated this question. He was on the West Coast for other events and recognized value in speaking with bloggers.
Obviously the Secretary's staff is aware of the ongoing shift away from traditional news to blogs and online outlets. Nielsen Online (1) continues to show a strong uptick in readers moving to non-traditional readership outlets. If you want to get your message out, then you have to engage with the new media, and bloggers are a key part of the new PR world. While the Secretary discussed his likes and dislikes of bloggers, especially "the rants," as he called one of them, I realized that everyone at the table was somehow defined as a leader in that new paradigm.
I asked an obvious question, "What do you expect or anticipate of us as bloggers after today's meeting?" The answer from Chertoff was "to blog." OK then. My first question out of the gate wasn't very interesting and it definitely didn't get me any bonus points.
My follow-up question, "When are we going to see a DHS blog?" was also ridiculous since the Secretary does have a blog. Interestingly enough, Chertoff said he writes it himself, with some editing help from time to time. I was feeling pretty small since this was something I should have known, until I realized that if I didn't know that the head of DHS has a blog, it's pretty likely that most of America doesn't know either.
My fellow blogger quickly shifted the topic to air transportation security. He asked, "When can we stop taking off our shoes at the airport?" Chertoff answered, "When we have sufficient technology." Airline travel proved to be a hot topic and Chertoff spoke with some consternation about the difficulty of thwarting attacks from a class of terrorists with minimal skills. "And wouldn't it be easy to stow away explosives in a sealed compartment inside my own laptop?" asked another blogger. Typing notes into my laptop, I paused and looked at the questioner from the corner of my eye. I thought, "That guy is about to find himself on the no-fly list."
Ten minutes into the roundtable and I came to a moment of internal clarity. This man was a true professional and he had heard it all. This realization allowed me to settle into a more comfortable position in my chair; I started to feel much more at ease. I realized that this meeting was no different than any of the executive meetings I attend as part of my professional life. And, it was certainly a lot less stressful than being on live national TV. While the others in the room had probably already come to this realization before they entered the conference room, I've never been a quick study on the psychology of Andrew Storms.
I jumped back into the fast-paced question and answer situation. I rattled off a question as if I were at the office water cooler: "Cyberterror; Georgia and Estonia have reportedly been attacked by home-based users in a coordinated denial of service attack. What is the federal government doing to protect our networks from that kind of event?" Chertoff answered methodically and with surprising candor. He said, "Reduce the number of entries (Internet connections), block attacks in real time, do background checks." The answer was almost a direct quote from federal government policy documents. The delivery, on the other hand, was purely genuine. Whether or not he believed these tactics were sufficient, they were the tactics the department is using. Chertoff's reply was crystal clear.
I blurted out my next question as if I were a Fox News anchor. "Do you have ways to measure your effectiveness?" This question proved to be the catalyst I had been hoping for. It sparked a visible thought process by the Secretary. While saying he did have measurement statistics showing an overall reduction in risk, Chertoff shifted his focus and started speaking about his list of the 4 different categories of risk - network, software/hardware compromise, insider threats, physical threats.
He followed the risk conversation with some thoughts on his own personal philosophy for dealing with the private sector - one of collaboration. He made it clear that he had no desire to force the private sector into working with the government to secure their systems. He did not want to be imposing, but if the private sector asked for help, the DHS would be entirely willing to help where they could. The Secretary spoke at some length about points of collaboration, the philosophy of incentives for motivation and his opposition to edicts.
It was tempting to stop and contrast this collaborative approach with the previous topic of airport security where participants are forced to participate in security measures, but the contradiction could easily be explained by the fundamental differences in the complexity of the problem and nature of the two different types of risk.
Unfortunately, there was no time to explore this topic in detail because questions were flying at the Secretary from everyone around the roundtable. The conversation shifted rapidly across a wide range of topics but after a while a new conversation thread with some longevity emerged.
The conversation moved away from securing federal government networks to securing private citizens' confidential information. While the bloggers were ready to blame the FDCC, the general lack of encryption and the loss of physical assets for the staggering loss of private information, Chertoff didn't buy in. He mentally shifted into a CTO's mindset and brushed aside tactical concerns to focus on a more strategic issue. He pointed out that our identity systems are at fault. We use our private information so often for authentication that the risk of compromise has risen to uncomfortable levels. The irony of this response did not escape me. If, in the last years of his cabinet position, he hadn't been so busy with post-911 defensive tactics, would he have been successful at delivering a significant change to our identity systems? The irony is, of course, that if it weren't for 911 this cabinet position would not have existed.
Aside from learning that the no fly list is actually 2500 names instead of the 20 million some had suggested, I didn't learn anything new or groundbreaking. The surprise was that the insightful, intelligent person in charge describing these problems was no different from listening to my own CEO.
For me this was a powerful demonstration of the value of personal communication.
Was it worth the taxpayer dollars to hold this kind of meeting? That's up to you to decide.

Additional Information
Talking to Michael Chertoff (Martin McKeay)
Roundtable with Secretary of Homeland Security Michael Chertoff (George Ou)
Michael Chertoff: "only 2,500 people on the no-fly list" (Deborah Gage, SFGate)
More pictures of the event (my Flickr set)
References:
1. http://www.naa.org/blog/digitaledge/1/2008/07/Nielsen-Drudge-Report-Leads-Top-30-in-Sessions-per-Person-Newspapers-Shift-on-List.cfm


Comments (2)
I appreciate not only your own effort to blog about this and question Mr. Chertoff, but also his own initiative to have this discussion. I personally think communication is almost always a valuable exercise!
RE: The loss of personal privacy and Chertoff going towards the overuse of private information for authentication seems a complicated matter. Yes, the obvious would be not using our SSN for things like campus ID cards. But there must really be some sort of private information tied to identity, right?
Perhaps the issue is even deeper and older: our antiquated use of the SSN. Really, the SSN was fine 20 years ago when a single person couldn't research and steal 10,000 SSNs in a single hour. But these days it just doesn't cut it with our dramatically different landscape of digital information and the efficiency we can manipulate/use/move it.
I think he's right, but I think it's a deeper and tougher problem than blaming our identity systems. We really need something updated and newer. I don't really like the slippery slope of risk that using biometrics may produce, but it must be a step up from a simple number and series of non-private information (dob, address...), right?
I'd be curious what Chertoff thinks about encryption. While it would certainly help privacy, doesn't that really dig at our government's ability (rightful or not) to gain intelligence? Kinda like Skype having a backdoor to decrypt and censor, wouldn't the government require such ability? Or the value of compliance, etc.
Nice stuff, though, and thanks for participating and writing this up!
Posted by Michael Dickey | November 17, 2008 2:59 PM
One area that consistently gets not-addressed concerns the personal tragedies caused by the omnipotent nature of the DHS. It's probably not well known that Senate and Congressional staff members are thoroughly intimidated by DHS staff personnel. I've seen it first hand and it ain't pretty.
The only way that citizens have to approach their government is through their representatives. If those Rep.s and Sen.s' people are afraid, where does that leave the rest of us?
I have some reasonably strong evidence that the Humanitarian Parole Dept of DHS turns down all requests for consideration if any Congressional staff people call to inquire after an application. E.g. A lady with stage IV, metastasized, inflammatory breast cancer. DHS denied the presence of her (harmless hairdresser from Israel) husband to assist her with the aftereffects of treatment. Reason: Senator staff person had the audacity to call and ask if the lady's husband's application could be expedited. They said "Sure. No problem. You can have your answer today. It's NO!"
Check it out with your own sources. Does anyone really think the recent Army training for controlling internal (to the USA) disturbances is harmless? These guys are about to play hardball with the Constitution. It should be interesting to see if the new President can actually stop them.
Like I said. Do your own research. I'm just a single voice.
Posted by Robert Kmett | November 19, 2008 2:59 PM