Howard Schmidt: Imagine there’s a failure of a locking assembly, which results in a break-in, which results in a report to a law enforcement agency, which results in an investigation. You could have one track from that investigation directed toward the criminal justice system; the other track goes to [us, and we ask], "How could this have been prevented?" We have a constant feedback loop, which means eventually we have better security on the front end and the law enforcement authorities have less to investigate.


You’ve said that the Freedom of Information Act [FOIA] exemption is the single most important policy change to improve information security. [Note: This controversial exemption?debated in Congress and advocated by many CIOs?would ensure information given to the the federal government about computer attacks would not be made public.] Why is the exemption so important?
Clarke: The Nimda virus last November was a major attack that caused billions of dollars worth of losses in the private sector, yet not one company called us up to tell us they had been attacked because they wanted to be able to keep it secret. They don’t want customers and stockholders to lose confidence. We understand that. But as a result, we have an inadequate perception of what’s going on in the American information infrastructure.

Sen. Robert Bennett [R-Utah] probably puts it best when he says, Imagine you are a commander in charge of a battlefield, and you could only see or know 15 percent of what was going on in that battlefield. How would you defend yourself? Well, if you look at our critical infrastructure, about 85 percent of it is in the private sector, and unless we can have some knowledge as to what’s going on there?like attacks, viruses, worms, denial-of-service attacks?then we’ll never be able to help defend it. Only by getting a Freedom of Information Act exemption, narrowly written, will we ever be able to persuade companies that they can trust us, the government, with information about vulnerabilities or about hacks.


I’ve heard you aren’t so sure the exemption is necessary; it’s more that businesses think it’s necessary. Are you offering it to corporate America as sort of a contract: Trust us, and we’ll help you out?
Clarke: No, not really. We’ve looked at the legal question: Are there already adequate provisions in the law that would exempt this kind of information from a Freedom of Information Act request? Our lawyers say the law, as currently written, would allow us to protect that information. But that doesn’t persuade companies to give us the information. Their lawyers believe they need additional protection; therefore we need to get additional protection.


If the law passes, will there be an onslaught of people reporting information to you?
Schmidt: It’s hard to tell. We think we’ll have some companies come forth right away. In other cases, there’ll still be some hesitation, some guarded discussions. I’m sure there’ll be a little bit of giving of information, seeing how that plays out. I don’t think it’s going to suddenly open the floodgates.


One line in the executive order creating the Critical Infrastructure Protection Board says, "Implementation of this policy shall include a voluntary public-private partnership, involving corporate and nongovernmental organizations." So in a way, your job is to force people to volunteer. How?
Clarke: The Partnership for Critical Infrastructure Security [PCIS] was formed two years ago. We’ve had six or seven industry groups form Information Sharing and Assessment Centers [ISACs] before 9/11. So I’m not concerned that people won’t cooperate. But this is more than just patriotism. It’s economic self-preservation. Many companies participating in this partnership on a voluntary basis realize that they’re doing it because they can only grow if IT grows, if IT is secure. For us really to go to the next stage of IT in the workplace?IT in the home?we really need to increase consumer confidence.