SECURITY Q&A - They Want You for a Safer Infrastructure
Schmidt: When the PCIS was formed, I was in the private sector, and [security] was not an issue in many companies. You worried about earnings per share, shareholder value and so on. Dick [Clarke], John Tritak [director of the Commerce Department’s Critical Infrastructure Assurance Office] and the folks in the government at that time provided a forum for us to become more aware of the government’s interest in the area of critical infrastructure protection. It was natural to pull everybody in and say, "Listen, this is important to the president. We want you to help us." Who would not want to answer that call? You’ll see the momentum that we’ve got today, where people are literally calling up and saying, "What can we do?" It’s based on the trust that was developed by the government initially reaching out to companies saying, "We’re not here to regulate you or ruin your business model. We want what’s good for the country, for all of us."
It sounds like you’re talking about this volunteerism as a substitute for regulation.
Clarke: We don’t want to regulate because we don’t think we do it very well. We’d like voluntary cooperation, voluntary adoption of best practices, voluntary sharing of information, because it works better if people think they’re doing it in their own best interest, rather than if they think they’re doing it because they have to.
It’s a marketing job as much as anything?
Clarke: About half our job is marketing.
What’s the other half?
[They both laugh.] Clarke: A lot of what we do is make priorities: budgetary, legislative, priorities in terms of what parts of the infrastructure we work with the most. What are the most important things to fix? Imagine the intersection of where the vulnerabilities are highest and where the effect of failure is the highest. That’s what we’re trying to find.
If you look at the state of critical infrastructure on Sept. 10 versus now, have there been measurable improvements?
Clarke: The federal government is getting more secure in its cyberspace networks. The budget the president sent to Congress in February asks for a 64 percent increase in funding to defend federal departments and agencies; that’s more than 8 percent of the federal IT budget spent on IT security. We’re trying to do two things with that [funding increase]. Obviously we’re trying to fix very serious problems that the federal departments have. And two, we’re trying to set a model for the private sector: for members of corporate boards of directors, for CEOs, saying, "Gee, the federal government is spending 8 percent of its IT budget on IT security. What are we doing at our company?" Unfortunately, most companies are not going to be able to say that they’re spending anywhere near 8 percent on security.
You like to quote a report that most companies spend more on coffee than on security. Is 8 percent for catch-up? Is it enough?
Clarke: It’s catch-up for the federal government, and it won’t be enough if we don’t sustain it at that level or perhaps even slightly higher over several years. There’s no good figure that is appropriate for every company or every institution. That’s why we’re not saying 8 percent is the target.
Are you advocating any kind of tax benefits for spending on security?
Clarke: No, I think there’s enough benefit inherent for spending on security that we don’t need to give people a tax break. The benefit comes from being secure. It’s more expensive in the long run to be insecure.
Don’t you think that’s a hard sell to CFOs?
Schmidt: Not at all. When the Melissa virus hit at one company that I have some very great insight into, it took about $14 million to bring that whole system up online after 10 days. When the Anna Kournikova virus hit the same company, they were able to contain it within 30 minutes with better processes, and that 30 minutes translated into about $12,000 worth of effort, quite a difference. CFOs are saying, "It’s going to cost me just like anything else to do some risk management on the front end, but in the long term I’m going to be much more able to save money and reduce total cost of ownership."
Are you saying that viruses and worms actually helped as far as demonstrating that ROI?
Clarke: I think that there’s a silver lining to some of these viruses and worms, because you know when you get hit. People are penetrating networks, doing espionage, and we don’t know it because they’re successful. They’re not leaving traces. It’s helpful when we have major viruses and worms and denial-of-service attacks because they’re noisy and they leave fingerprints, and we know it’s out there. People are then motivated to fix it.
How can you convince vendors to create more secure products?
Clarke: The vendors tell us, "We could create more secure products, but no one wants them." Then we talk to the procurement people (in banking, finance, energy, government) and say, "Do you want more secure products?" And they say, "Yes! But the vendors won’t make them." It’s what I call a "dialogue of the deaf." We try to bridge it by taking the critical infrastructure procurement people and the vendors by the hand and saying, "Vendors, could you make a more secure product?" "Critical infrastructure companies, do you want a more secure product?" "Now, can both agree that we’re going to have more secure products?" There’s actually a real role for us to bring people together to have dialogues that you would think naturally occur but don’t.