Dave Eberhart
Monday, Aug. 12, 2002

After a while it became clear to Clarke and his staff that the 700 percent spike in traffic that was jamming the cyber highways appeared to be coming from a relatively small number of computers, allowing Internet providers to protect their networks by filtering data from the attacks.

Just days before the disquieting attacks, Clarke told National Public Radio about his estimate of the worst-case scenario – that looming cyber "Pearl Harbor" he talks about as he travels the country pitching the virtues of security to private enterprise, the owners and overseers of 85 percent of the nation's fragile and vulnerable cyber infrastructure.

"Then there's the unknown. Have our enemies already penetrated our critical infrastructure successfully and we don't know it? Or are they in a position where – if there is a big conflict between us and them – they are already in a position to disable our critical infrastructure?"

Currently, Clarke and his second-in-command, Howard Schmidt, the former chief security officer of Microsoft, fall under the Office of Homeland Security and occupy offices on the 10th floor of the old Secret Service building, two blocks west of the White House.

Clarke makes no secret of the fact that he is waiting with bated breath for the emergence of the giant Department of Homeland Security.

"It will have the National Infrastructure Protection Center, transferred from the FBI; the Critical Infrastructure Assurance Office, transferred from the Department of Commerce; the National Communications System, transferred from the Department of Defense; and [a federal security unit], transferred from the General Services Administration…."

"It will concentrate our forces." Clarke enthuses. "It will concentrate the skilled staff that we have, and it will ensure added cooperation and added coordination both within the government and with the private sector.''

In the meantime, Clarke and Schmidt must content themselves with badgering industry and cyber security vendors to get on the same dance card. Part of the rhetorical arsenal is a hefty collection of war stories designed to make the most lackadaisical cringe and crack open the company coffers to invest in those software patches, firewalls and other paraphernalia of the Internet security game.

'Door Locks'

"Fundamentally, cyberspace security is about buying and using door locks," advises Clarke. "Last year, it cost $15 billion to recover from viruses, worms and denial-of-service attacks," he warns.

One of Schmidt's favored teaching anecdotes: "When the Melissa virus hit at one company … it took about $14 million to bring that whole system up online after 10 days. When the Anna Kournikova virus hit the same company, they were able to contain it within 30 minutes with better processes, and that 30 minutes translated into about $12,000 worth of effort – quite a difference."

For his part, Clarke likes to hash over the invasions of "Code Red" and "Nimda" viruses that made the rounds last summer.

"We [the Critical Infrastructure Protection Board, of which he is chairman] had Cisco, Microsoft and WorldCom all on conference calls, when we finally figured out this thing had infected thousands of servers. We were able to take apart the code and learn what it would have the servers do and when it would have the servers do it. At 4 p.m., we discovered that at 8 p.m. that night it would have all the servers attack one site – www.whitehouse.gov.

"What we were able to do … was to get to the major [Internet service providers such as AOL, MSN, etc.], asking them to block the White House … address on their edge servers. When you dial up on your AOL modem, the first place it hits on AOL is the local, or edge, server. Because we were able to act quickly, the tsunami [cyber attack] just fizzled. That's a classic example of how government and industry work together."

Clarke, 51, has experience in crisis management, having served as President Clinton's counterterrorism adviser for most of the 1990s. Although seldom dwelling on those days, he does draw an analogy between yesterday's unheeding aviation industry and today's sometimes dangerous complacency in that big hunk of the nation's privately owned infrastructure:

"There were many in the aviation industry who, knowing their vulnerabilities to stop terrorism, nonetheless did not take care of them because they thought they would be inconvenient. They thought it would be costly. They thought it would raise questions about the goals and missions of the aviation industry. The aviation industry now wishes it had done otherwise. We – all the rest of us – still have an opportunity to take a look at our vulnerabilities.''

When not beating the security drum, Clarke and Schmidt are busy educating Congress. The big bogeyman in that department is the much-debated exemption to the Freedom of Information Act [FOIA] that would ensure information given to the federal government about computer attacks would not be made public.

Security Flaws

CEOs are keen on the exemption because they are concerned about losing the confidence of customers and stockholders if it gets out to the world that their systems are vulnerable to hackers.

And it's not just systems at stake, but also the reputation of expensive software packages, the grist of the industry. Clarke notes that last year 2,000 security flaws in software were discovered in this country. He's looking for a figure closer to 3,000 this year.

"Our lawyers say the law, as currently written, would allow us to protect that information," says Clarke. "But that doesn't persuade companies to give us the information. Their lawyers believe they need additional protection; therefore, we need to get additional protection."

Amendments to the FOIA aside, Clarke would be happy to simply get the private sector to follow the lead of the federal government, which is moving toward spending 8 percent of its IT budget on IT security.

Clarke likes to quote a Forrester Research survey indicating Fortune 500 companies spend an average of 0.0025 percent of revenue on security – less than the budget of the coffee concession.

"If you spend more on coffee than you do on security, you will be hacked. And moreover, you deserve to be hacked," Clarke sums up.

Read more on this subject in related Hot Topics:
War on Terrorism

A product that might interest you:
Watch Your Kids – Monitor Use on Your Computer