Suddenly, the vulnerability of almost every business' IT infrastructure has become a matter of national security. Following the United States' first strikes against sites in Afghanistan, Attorney General John Ashcroft said last week that the FBI and other federal law-enforcement officials had advised thousands of CIOs, chief technology officers, and IT managers that their IT systems may be targeted in retaliatory terrorist attacks-or used to launch them. As companies heed Ashcroft's advice to maintain "the highest state of alert," the way they do business may change.

Companies have always faced the risk of hackers stealing sensitive data or launching virus and denial-of-service attacks. But now the stakes are higher and may lead businesses to question the whole idea of Internet collaboration. Richard Clarke, who last week was appointed special adviser to the president for cyberspace security, told InformationWeek, "The terrorists aren't out to hurt us symbolically-they're out to hurt us in ways that hurt our economy." For instance, viruses could exploit security holes in networks to create a large, orchestrated attack on corporate IT systems, he says.

"We can't be surprised when things like this happen and then have to invent responses on the spot," Clarke says. He recommends that at a minimum, companies maintain off-site, near-real-time backups, redundant paths for telecommunications, and a plan for reconstituting their operations in case of a disaster. Clarke, who has held key security posts in three previous administrations, also suggests that companies reduce the number of network administrators with unfettered access to applications and data.

But Clarke's most radical proposition flies in the face of 21st-century business. He suggests moving some business-to-business operations from the Internet to more secure virtual private networks or back to dedicated lines. Last week, he proposed moving all government activity, except for informational Web pages, off the public Net.

Deciding which applications to remove from the public Internet, however, is tricky. "You'd have a hard time getting customers to use VPNs because of the cost and inconvenience," says Jim MacDonald, CIO of Fidelity Management and Research Corp., a subsidiary of Boston's Fidelity Investments. But he can envision Fidelity using the public Internet to take an order and a private network to process payment.

It's a radical idea for uncertain times. Late last week, the FBI warned that the government had information indicating there might be new attacks against the United States, but the nature of those attacks was unknown. Charles Neal, head of cyberterrorism detection and incident response at Web-hosting provider Exodus Communications Inc. and a former member of the FBI's cyberterrorism attack team, isn't worried about an organized attack on the nation's computing infrastructure right now. But if the war on terrorism is prolonged, IT systems are likely targets, he says. Pakistan, which has a vocal minority of Taliban sympathizers, is also home to a large number of programmers and IT systems administrators. If Osama bin Laden's faction were able to recruit some of them, Neal says, "those people have the knowledge and the resources to do some nasty things."

In light of the dangers, "everyone needs to ask themselves, 'Do I have adequate security?'" Clarke says.

For many companies, the answer could well be no. Businesses haven't taken the necessary steps to guard against break-ins and espionage, according to InformationWeek Research's 2001 Global Information Security Survey, fielded by PricewaterhouseCoopers from April to July. Almost half of 2,131 U.S. companies surveyed had no formal security policies in place, and most relied primarily on user passwords and multiple logons for protection. Clarke charges that businesses don't conduct information security awareness programs often enough, a finding supported by the survey. Only 49% of U.S. companies had plans to raise user awareness of policies and procedures in the next 12 months.

What's more, only half of 150 companies surveyed by InformationWeek Research one week after the terrorist attacks say they plan to reassess the security of their facilities in light of those events. "We need more people to be doing more creative thinking about computer security," U.S. Rep. Sherwood Boehlert, R-N.Y., said in a House of Representatives Science Committee hearing last week on the security of the nation's corporate IT infrastructure. "That's what our adversaries are doing."

Fortunately, some companies are realizing the need for constant vigilance. "Sept. 11 was a wake-up call," says David Albrecht, IT operations manager for the mid-Atlantic region of Exelon Corp., a $7.5 billion Chicago power utility. Before the attacks, Exelon defined IT security primarily as protection against malicious viruses such as Code Red and Nimda. Now, Albrecht says, he's also on guard against hackers using Exelon's IT systems to launch a cyberattack on others. Exelon's security has been raised to yellow-alert status, which mandates increased auditing of Internet gateways, Web servers, firewall logs, and intrusion-detection systems.

The alert was intended to last until Oct. 11, but the recent U.S. military action has prompted Exelon to continue the condition. "Security deserves that level of attention," Albrecht says.

Gartner, an IT research firm that advises businesses and government agencies such as the FBI and the CIA, is also taking Ashcroft's warning seriously. CIO Bart Stanco says the firm took action last week-he wouldn't specify exactly what was done-to limit outside data feeds from Internet sources so they can't be used by hackers to create back doors into Gartner's systems.

The probability of terrorists damaging any particular company's IT systems is low, says Pete Lindstrom, director of security strategies at Hur-witz Group-except for companies that provide essential communications services. It's more likely that terrorists will hijack a company's computers as part of a concentrated attack on targets that provide critical services, flooding their systems with service requests. Companies can guard against such action by securing their systems with firewalls and strong access controls, Lindstrom says.

Still, no company can be certain it won't be the object of a cyberattack. The National Infrastructure Protection Center, a federally sponsored organization that works with the private sector to protect the country's critical infrastructures, says it expects an increased level of hack attempts. The Web sites of retailers and financial institutions have already seen increased hacking attempts over the last several months.

"Concerns about cyberterrorism are valid," says Fidelity Management and Research's MacDonald. After the recent Nimda virus, Fidelity began conducting regular meetings to ensure that all of its IT defense plans were up-to-date.

Clarke also wants companies to double-check the backgrounds of people authorized to use critical systems and to put controls in place so key func-tions require two people's approval.

Michael Ereli, VP of technology at CheMatch.com, a bulk chemicals pub-lic exchange in Houston, says its members are concerned about the possibil-ity of unauthorized employees using their systems to obtain dangerous products. "Companies in the chemicals business need to be very concerned about the potential for a malicious use of their systems," he says.

Last week, CheMatch began offering its members biometric technology from Cavio Corp. Instead of relying solely on easily stolen user names and passwords, users will have to submit to a fingerprint scan at their PCs to prove they're authorized to engage in a transaction. The attacks put plans for deployment of the technology into hyperdrive.

CheMatch competitor ChemConnect Inc. is also re-evaluating security. The San Francisco company is now continually scanning for updates to the State Department's constantly changing list of people, companies, and nations barred from doing business with U.S. companies. NextLinx Corp., an IT vendor that helps companies meet U.S. and international trade requirements, last week began offering free access to its Web software that provides real-time updates of the State Department's expanding do-not-trade list.

As companies increase emphasis on security, will the steps they've taken to collaborate more closely with partners, customers, and even competitors suffer? American International Group Inc., a New York insurer located four blocks from the World Trade Center, thinks so. The company has increased its use of consulting firms that try to hack into its systems to identify weaknesses and is looking for better public key infrastructure tools, CIO Kevin Murray says.

"We're accelerating everything to do with security. It's likely we'll spend less time on collaboration and more time securing the home front," Murray says. "We were all fat, dumb, and happy. Now we'll spend time putting up our guard."

--with Martin J. Garvey, Alorie Gilbert, Larry Greenemeier, and John Rendleman

Useful Links and Resources:
Link to the National Infrastructure Protection Center (NIPC) http://www.nipc.gov/

Link to InfraGard http://www.infragard.net/

Link to the SANS Institute's top 20 Internet vulnerabilities list http://66.129.1.101/top20.htm/

Link to summary of the House Science Committee hearing on cyberterrorism Oct. 10 http://www.house.gov/science/press/107pr/107-96.htm/

Link to the governments (old name: the computer emergency response team) CERT Response center: http://www.cert.org/security-improvement/