News Feature

SECURITY Q&A - They Want You for a Safer Infrastructure

By Sarah D. Scalet

June 15, 2002 — CIO — It’s a quarter to noon on a muggy Thursday in the nation’s capital, and Richard Clarke is offering milk and cookies to visitors on the 10th floor of the old Secret Service building, two blocks west of the White House. There’s a simple reason for his snack choice. Earlier in the morning, Clarke (whom headline writers like to call President Bush’s cybersecurity czar) hosted an event for schoolchildren about staying safe online?this decade’s version of just saying no to drugs. Even so, leftover sandwich cookies seem an appropriate offering from a man whose job is to persuade bureaucrats, businesspeople and technology vendors to do two things they might not have thought about since kindergarten: share and cooperate.

It’s a lofty goal?to get executives not only to tell the federal government about attacks on their computer networks but to work with competitors to protect the country from all manner of electronic threats, from website defacements to information warfare. But that’s why President Bush recruited Clarke last October as chairman of the newly created Critical Infrastructure Protection Board, now part of the Office of Homeland Defense. And it’s why in February, Clarke got Howard Schmidt, then chief security officer of Microsoft, to become vice chairman of the board.

Despite the duo’s high profile, it wouldn’t take a pessimist to call theirs an impossible task. Thus far, their work has had a dogged Washington flair?hold meetings, issue reports, beg Congress for attention and most important, recruit volunteers. One way to improve critical infrastructure protection would be for Clarke and Schmidt to advocate legislation that would give them a hammer to force companies to work with the government and report information about attacks. But the two have been staunch opponents of such legislation. "We don’t want to regulate because we don’t think we do it very well," says Clarke, age 51, who made his name as President Clinton’s counterterrorism adviser for most of the 1990s and is the political counterweight to Schmidt, age 52, whose sympathies lie more with the private sector and vendor community. The process of improving security "works better if people think they’re doing it in their own best interest," Clarke says.

To hear Clarke and Schmidt tell it, people are joining the fight in their own best interest, and any perceived reluctance on the part of corporate America is merely a marketing problem. The duo make themselves out to be patriots as well as consummate political insiders?Schmidt with the obligatory American flag pin on the lapel of a jacket draped over his chair, Clarke sipping from a blue and gold coffee mug from the White House Situation Room. But as much as anything, they are the chief publicists of a vision for improved cybersecurity around the world. CIO caught up with them for an interview about how far critical infrastructure protection has?and hasn’t?come since Sept. 11, and how they’re trying to coax corporate and vendor leaders into playing a greater role.

CIO: A recent survey shows fewer companies reporting cybercrimes than a year ago. Does that affect your mission?
Richard Clarke: We don’t think about [critical infrastructure protection] primarily as a criminal justice problem. If you discovered break-ins in your town but most of the houses didn’t have locks, would you hire more police or buy more locks? Criminal justice plays a very important role here, especially in terms of deterrence. We have to arrest people and prosecute them in order to deter others. But fundamentally, cyberspace security is about buying and using door locks.