It's a quarter to noon on a muggy Thursday in the nation's capital, and Richard Clarke is offering milk and cookies to visitors on the 10th floor of the old Secret Service building, two blocks west of the White House. There's a simple reason for his snack choice. Earlier in the morning, Clarke (whom headline writers like to call President Bush's cybersecurity czar) hosted an event for schoolchildren about staying safe online, this decade's version of just saying no to drugs. Even so, leftover sandwich cookies seem an appropriate offering from a man whose job is to persuade bureaucrats, businesspeople and technology vendors to do two things they might not have thought about since kindergarten: share and cooperate.

It's a lofty goal: to get executives not only to tell the federal government about attacks on their computer networks but to work with competitors to protect the country from all manner of electronic threats, from website defacements to information warfare. But that's why President Bush recruited Clarke last October as chairman of the newly created Critical Infrastructure Protection Board, now part of the Office of Homeland Defense. And it's why in February, Clarke got Howard Schmidt, then chief security officer of Microsoft, to become vice chairman of the board.

Despite the duo's high profile, it wouldn't take a pessimist to call theirs an impossible task. Thus far, their work has had a dogged Washington flair: hold meetings, issue reports, beg Congress for attention and, most important, recruit volunteers. One way to improve critical infrastructure protection would be for Clarke and Schmidt to advocate legislation that would give them a hammer to force companies to work with the government and report information about attacks. But the two have been staunch opponents of such legislation.

"We don't want to regulate because we don't think we do it very well," says Clarke, age 51, who made his name as President Clinton's counterterrorism adviser for most of the 1990s and is the political counterweight to Schmidt, age 52, whose sympathies lie more with the private sector and vendor community. The process of improving security "works better if people think they're doing it in their own best interest," Clarke says.

To hear Clarke and Schmidt tell it, people are joining the fight in their own best interest, and any perceived reluctance on the part of corporate America is merely a marketing problem. The duo make themselves out to be patriots as well as consummate political insiders: Schmidt with the obligatory American flag pin on the lapel of a jacket draped over his chair, Clarke sipping from a blue and gold coffee mug from the White House Situation Room. But as much as anything, they are the chief publicists of a vision for improved cybersecurity around the world. CIO caught up with them for an interview about how far critical infrastructure protection has, and hasn't, come since Sept. 11, and how they're trying to coax corporate and vendor leaders into playing a greater role.

CIO: A recent survey shows fewer companies reporting cybercrimes than a year ago. Does that affect your mission?

Richard Clarke: We don't think about [critical infrastructure protection] primarily as a criminal justice problem. If you discovered break-ins in your town but most of the houses didn't have locks, would you hire more police or buy more locks? Criminal justice plays a very important role here, especially in terms of deterrence. We have to arrest people and prosecute them in order to deter others. But fundamentally, cyberspace security is about buying and using door locks.

Howard Schmidt: Imagine there's a failure of a locking assembly, which results in a break-in, which results in a report to a law enforcement agency, which results in an investigation. You could have one track from that investigation directed toward the criminal justice system; the other track goes to [us, and we ask], "How could this have been prevented?" We have a constant feedback loop, which means eventually we have better security on the front end and the law enforcement authorities have less to investigate.

You've said that the Freedom of Information Act [FOIA] exemption is the single most important policy change to improve information security. [Note: This controversial exemption, debated in Congress and advocated by many CIOs, would ensure information given to the federal government about computer attacks would not be made public.] Why is the exemption so important?

Clarke: The Nimda virus last November was a major attack that caused billions of dollars worth of losses in the private sector, yet not one company called us up to tell us they had been attacked because they wanted to be able to keep it secret. They don't want customers and stockholders to lose confidence. We understand that. But as a result, we have an inadequate perception of what's going on in the American information infrastructure.

Sen. Robert Bennett [R-Utah] probably puts it best when he says, Imagine you are a commander in charge of a battlefield, and you could only see or know 15 percent of what was going on in that battlefield. How would you defend yourself? Well, if you look at our critical infrastructure, about 85 percent of it is in the private sector, and unless we can have some knowledge as to what's going on there, like attacks, viruses, worms, denial-of-service attacks, then we'll never be able to help defend it. Only by getting a Freedom of Information Act exemption, narrowly written, will we ever be able to persuade companies that they can trust us, the government, with information about vulnerabilities or about hacks.

I've heard you aren't so sure the exemption is necessary; it's more that businesses think it's necessary. Are you offering it to corporate America as sort of a contract: Trust us, and we'll help you out?

Clarke: No, not really. We've looked at the legal question: Are there already adequate provisions in the law that would exempt this kind of information from a Freedom of Information Act request? Our lawyers say the law, as currently written, would allow us to protect that information. But that doesn't persuade companies to give us the information. Their lawyers believe they need additional protection; therefore we need to get additional protection.

If the law passes, will there be an onslaught of people reporting information to you?

Schmidt: It's hard to tell. We think we'll have some companies come forth right away. In other cases, there'll still be some hesitation, some guarded discussions. I'm sure there'll be a little bit of giving of information, seeing how that plays out. I don't think it's going to suddenly open the floodgates.

One line in the executive order creating the Critical Infrastructure Protection Board says, "Implementation of this policy shall include a voluntary public-private partnership, involving corporate and nongovernmental organizations." So in a way, your job is to force people to volunteer. How?

Clarke: The Partnership for Critical Infrastructure Security [PCIS] was formed two years ago. We've had six or seven industry groups form Information Sharing and Assessment Centers [ISACs] before 9/11. So I'm not concerned that people won't cooperate. But this is more than just patriotism. It's economic self-preservation. Many companies participating in this partnership on a voluntary basis realize that they're doing it because they can only grow if IT grows, if IT is secure. For us really to go to the next stage of IT in the workplace, IT in the home, we really need to increase consumer confidence.

Schmidt: When the PCIS was formed, I was in the private sector, and [security] was not an issue in many companies. You worried about earnings per share, shareholder value and so on. Dick [Clarke], John Tritak [director of the Commerce Department's Critical Infrastructure Assurance Office] and the folks in the government at that time provided a forum for us to become more aware of the government's interest in the area of critical infrastructure protection. It was natural to pull everybody in and say, "Listen, this is important to the president. We want you to help us." Who would not want to answer that call? You'll see the momentum that we've got today, where people are literally calling up and saying, "What can we do?" It's based on the trust that was developed by the government initially reaching out to companies saying, "We're not here to regulate you or ruin your business model. We want what's good for the country, for all of us."

It sounds like you're talking about this volunteerism as a substitute for regulation.

Clarke: We don't want to regulate because we don't think we do it very well. We'd like voluntary cooperation, voluntary adoption of best practices, voluntary sharing of information, because it works better if people think they're doing it in their own best interest, rather than if they think they're doing it because they have to.

It's a marketing job as much as anything?

Clarke: About half our job is marketing.

What's the other half?

[They both laugh.]

Clarke: A lot of what we do is make priorities: budgetary, legislative, priorities in terms of what parts of the infrastructure we work with the most. What are the most important things to fix? Imagine the intersection of where the vulnerabilities are highest and where the effect of failure is the highest. That's what we're trying to find.

If you look at the state of critical infrastructure on Sept. 10 versus now, have there been measurable improvements?

Clarke: The federal government is getting more secure in its cyberspace networks. The budget the president sent to Congress in February asks for a 64 percent increase in funding to defend federal departments and agencies; that's more than 8 percent of the federal IT budget spent on IT security. We're trying to do two things with that [funding increase]. Obviously we're trying to fix very serious problems that the federal departments have. And two, we're trying to set a model for the private sector, for members of corporate boards of directors, for CEOs, saying, "Gee, the federal government is spending 8 percent of its IT budget on IT security. What are we doing at our company?" Unfortunately, most companies are not going to be able to say that they're spending anywhere near 8 percent on security.

You like to quote a report that most companies spend more on coffee than on security. Is 8 percent for catch-up? Is it enough?

Clarke: It's catch-up for the federal government, and it won't be enough if we don't sustain it at that level or perhaps even slightly higher over several years. There's no good figure that is appropriate for every company or every institution. That's why we're not saying 8 percent is the target.

Are you advocating any kind of tax benefits for spending on security?

Clarke: No, I think there's enough benefit inherent for spending on security that we don't need to give people a tax break. The benefit comes from being secure. It's more expensive in the long run to be insecure.

Don't you think that's a hard sell to CFOs?

Schmidt: Not at all. When the Melissa virus hit at one company that I have some very great insight into, it took about $14 million to bring that whole system up online after 10 days. When the Anna Kournikova virus hit the same company, they were able to contain it within 30 minutes with better processes, and that 30 minutes translated into about $12,000 worth of effort, quite a difference. CFOs are saying, "It's going to cost me just like anything else to do some risk management on the front end, but in the long term I'm going to be much more able to save money and reduce total cost of ownership."

Are you saying that viruses and worms actually helped as far as demonstrating that ROI?

Clarke: I think that there's a silver lining to some of these viruses and worms, because you know when you get hit. People are penetrating networks, doing espionage, and we don't know it because they're successful. They're not leaving traces. It's helpful when we have major viruses and worms and denial-of-service attacks because they're noisy and they leave fingerprints, and we know it's out there. People are then motivated to fix it.

How can you convince vendors to create more secure products?

Clarke: The vendors tell us, "We could create more secure products, but no one wants them." Then we talk to the procurement people in banking, finance, energy, government and say, "Do you want more secure products?" And they say, "Yes! But the vendors won't make them." It's what I call a "dialogue of the deaf." We try to bridge it by taking the critical infrastructure procurement people and the vendors by the hand and saying, "Vendors, could you make a more secure product?" "Critical infrastructure companies, do you want a more secure product?" "Now, can both agree that we're going to have more secure products?" There's actually a real role for us to bring people together to have dialogues that you would think naturally occur but don't.

We also have a sort of honeybee role where we fly around flower to flower proliferating the message and sharing information. We're able to learn what products are out there. We don't recommend certain brands, but we do recommend certain kinds of services.

What's the administration's position on holding vendors accountable for products that aren't secure? And liability for products that aren't secure?

Clarke: I think they're two separate issues. One is holding vendors accountable, one is doing [something about] it in court. We're in favor of holding vendors accountable. When a product fails, the vendor has a responsibility to quickly identify a way of fixing it and getting that patch out, and the patch not only should fix the problem, it should not interact badly with other widely utilized applications. But we don't think it's terribly valuable to litigate such problems. We'd like to try to find solutions that are quicker than long, multiyear litigation.

We spend a lot of time worrying about patches, but we don't want to just put bandages on the current generation of systems. We want to think about what the next generation of systems should look like.

What would be the signs that things were getting better?

Clarke: It's mostly anecdotal. You can look at the number of computer incidents; you can look at the dollar value of damage done by such incidents. Unfortunately the numbers are skyrocketing. That doesn't mean we're not making progress. If you look at traditional measures of effectiveness, the number of incidents and how bad they are, it would tell you we're getting worse. The number of people and functions connected to the Internet is going up, and the sophistication of the attack tools is increasing. At the same time, we are getting the awareness message out, getting more CEOs to care, getting spending in security in the public and private sectors, getting the hardware and software manufacturers to develop more secure systems.

Then there's the unknown unknown. Have our enemies already penetrated our critical infrastructure successfully and we don't know it? Or are they in a position where, if there is a big conflict between us and them, they are already in a position to disable our critical infrastructure?

Who's the "them"?

Clarke: We've stopped asking that question. Before Sept. 11, people tended to think in terms of a threat paradigm: Who's the them, and when are they going to do it? They waited for that information before they acted. So, tell me the name of the terrorist group, what airplane they're going to hijack, what city they're going to attack. Tell me when it's going to occur, and then I'll do something to prevent it. We learned you don't always get the information; the attack just occurs.

So we're advocating instead a vulnerability paradigm that says, Don't worry about who's going to do it. Don't worry about when it's going to occur. Ask yourself what your vulnerabilities are. And then find that intersection between the things that are the most vulnerable and the things that would be the most damaging. It's a shift from who's going to do it, when and where, to where are my weaknesses, and what are the most important weaknesses that I have?

People who are not now actively our enemy may be actively our enemy three years from now, five years from now. If all we do is collect intelligence about people we think are our enemies, we may miss what we should be doing.