
Cyberterrorism Czar: Stop Being Sloppy


In this interview with InformationWeek senior writer Steve Konicki, President Bush's new special adviser on cybersecurity, Richard Clarke, explains why he said, "America has built cyberspace, and America must now defend its cyberspace."



Richard Clarke, who was appointed special adviser to President Bush last week, will be the president's principal advisor on all matters related to cybersecurity. He also will serve as chairman of a government-wide board that will coordinate the protection of critical IT infrastructure systems.

Clarke served as deputy assistant secretary of state for intelligence under President Reagan, and as assistant secretary of state for political military affairs under President George Herbert Walker Bush. President Clinton appointed Clarke as the first national coordinator for security, infrastructure protection, and counter-terrorism in May of 1998, and he quickly became known as the nation's cyberterrorism czar.

The day before Clarke was appointed, Attorney General John Ashcroft declared the nation's IT infrastructure a potential terrorist target and placed the nation's corporate IT systems at the highest level of alert. Upon his appointment, Clarke said, "America has built cyberspace, and America must now defend its cyberspace." He said that can only be done by a partnership of government and industry.

The day after Clarke was appointed to his new role, he spoke with InformationWeek senior writer Steve Konicki.

InformationWeek: What kind of companies are potential targets?

Clarke: We don't have any specific intelligence that indicates a particular company or a particular type of company would be a target.

That having been said, it is clear that the attacks on the World Trade Center were more than attacks on symbolic targets. They were going after our financial systems. They knew what was there. I believe their goal was actually to do more damage than they did. I think they might have thought that the towers would actually fall over sideways and collapse on the financial district.

So I think we need to be aware that this enemy is not out merely to attack us symbolically, but actually to hurt us in ways that hurt our economy as well as our military capability.

InformationWeek: What does that lead to, in terms of Internet security and IT security?

Clarke: I think it means what we have already been saying for some time, which is: People have to have redundant systems; they have to have backups; they have to have recovery plans.

The attack on the World Trade Center in 1993 led a lot of people in the World Trade Center and in the Wall Street and lower Manhattan area to develop new plans: plans for redundancy; off-site backup in close to real time; redundant paths for telecommunications. Without what they did between the 1993 attack and the 2001 attack, we would not have been able to recover as quickly as we did.

InformationWeek: Is the thinking that every company in America that depends on its IT systems and the Internet needs to be taking precautions?

Clarke: Yes. Obviously, the size of the company and the nature of what the company does will dictate what they do.

But I think everyone needs to ask themselves, "Do I have adequate off-site backup of my key information? Do I have a reconstitution recovery restoration plan? Do I have a continuity of operations plan? Do I have redundant communications?"

InformationWeek: We've had problems for some years now with viruses, most recently Code Red and Nimda. Is there a feeling that there could be malicious coders who could generate a virus or worm that could be used to attack systems simultaneously on a larger scale than the Code Red? Is that a danger that we need to face?

Clarke: Whether or not it actually happens, we have to wait and see. We need to think about what we would do if it did happen. We can't be surprised when things like this happen, and have to invent responses on the spot.

InformationWeek: Are you saying that every company whose IT system is connected to the Internet needs to take a new look at security?

Clarke: Yes. They may need a VPN. They may need a private line. Some of these companies may not be able to afford it on their own, and they may need to look at it as an industry group. For example, the electric power industry, power generation and transmission industry may need to think about whether or not it wants to pool its assets and establish its own system that's more secure.

You have to ask yourself how long you can be down, in terms of telephone communications, Internet communications, or in terms of your main on-site information systems not working. How long can you rely on backup mechanisms?

In some cases, particularly in certain types of manufacturing, you can get by for 72 hours, 96 hours, without a lot of elaborate connectivity. In other industries it's different.

The problem that we think heavy manufacturers need to look at is: how secure are the SCADA automated factory line control systems, or the additional manufacturing systems that are running their plants? Are they accessible from outside, or are they accessible to insider threat?

Most heavy manufacturing--whether it's a chemical plant or a steel factory--these days, the plants are run by software that controls the movement of most things in the plant. That's not an Internet security problem necessarily, but it is a software security problem if a potential terrorist can access the system. And there are only a handful of these SCADA software systems; they are knowable.

InformationWeek: So, a key safeguard is for companies to take a deeper look at who can access their systems and the background of those people?

Clarke: You need to do two things. One, you need to be sure of the background of the people.

But number two: you need to have the controls in place, so that some critical functions require two people to approve them. And make sure that unauthorized people just are not able to get root access or system administrator controls to these systems. Right now, it's pretty easy to get root access or sys-admin control status, if you really want to, on most systems.

So there may be certain functionality that you want to airgap require two people on SCADA systems and in digital manufacturing controls.

InformationWeek: Some companies were surprised to learn that the government was notifying IT departments that they may be the target of terrorists. What is the main mechanism the government is using to continue to notify companies of IT-related alerts?

Clarke: Well, what the FBI did through the National Infrastructure Protection Center was to reach out to all the existing industry Information Sharing and Analysis Centers. There are centers in the banking industry, the rail industry, the IT industry, and several others. These are places that we have asked the industries to create and come together. So there is a single point of contact for the government where we can pass information, and they do an information tree down to all the members of their industry.

InformationWeek: How would you summarize the government's message to the IT industry and corporate IT departments?

Clarke: In the short term what people need to do is increase security awareness in their companies.

We are all sloppy with access to our systems, with password security. We don't conduct information security awareness programs very often. We are all now being more cautious about access to buildings, wanting to know what's in a truck before it comes near a building, all of the kinds of things we are doing for physical security.

We also need to be more cautious with information security, virtual security, as well. Most companies have information security specialists on staff or a contract with security firms that can tell them what to do. The bottom line is, stop being sloppy.

