Cyber-Attacks by Al Qaeda Feared

Bush ordered the Pentagon and key federal agencies to patch their systems. But most of the vulnerable networks were not government-owned. Since Feb. 12, "those who have the fix in their power are in the private sector," Schmidt said. Asked about progress, he said: "I don't know that we'd ever get to 100 percent."

Frustrated at the pace of repairs, Clarke traveled to San Jose on Feb. 19 and accused industry leaders of spending more on coffee than on information security. "You will be hacked," he told them. "What's more, you deserve to be hacked."

Tritak, at the Commerce Department, appealed to patriotism. Speaking of al Qaeda, he said: "When you've got people who are saying, 'We're coming after your economy,' everyone has a responsibility to do their bit to safeguard against it."

New public-private partnerships are helping, but the government case remains a tough sell. Alan Paller, director of research at the SANS Institute in Bethesda, said not even banks and brokerages, considered the most security-conscious businesses, tell the government when their systems are attacked. Sources said the government did not learn crucial details about September's Nimda worm, which caused an estimated $ 530 million in damage, until the stricken companies began firing their security executives.

Experts said public companies worry about the loss of customer confidence and the legal liability to shareholders or security vendors when they report flaws.

The FBI is having even less success with its "key asset initiative," an attempt to identify the most dangerous points of vulnerability in 5,700 companies deemed essential to national security.

"What we really want to drill down to, eventually, is not the companies but the actual things themselves, the actual switches . . . that are vital to [a firm's] continued operations," Dick said. He acknowledged a rocky start: "For them to tell us where their crown jewels are is not reasonable until you've built up trust."

Michehl R. Gent, president of the North American Electric Reliability Council, said last month it will not happen. "We're not going to build such a list. . . . We have no confidence that the government can keep that a secret."

For fear of terrorist infiltration, Clarke's critical infrastructure board and Tom Ridge's homeland security office are now exploring whether private companies would consider telling the government the names of employees with access to sensitive sites.

"Obviously, the ability to check intelligence records from the terrorist standpoint would be the goal," Dick said.

There is no precedent for that. The FBI screens bank employees but has no statutory authority in other industries. Using classified intelligence databases, such as the Visa Viper list of suspected terrorists, would mean the results could not be shared with the employers. Bobby Gillham, manager of global security at oil giant Conoco Inc., said he doubts his industry will go along with that.

"You have Privacy Act concerns," he said in an interview. "And just to get feedback that there's nothing here, or there's something here but we can't share it with you, doesn't do us a lot of good. Most of our companies would not [remove an employee] in a frivolous way, on a wink."

Exasperated by companies seeking proof that they are targets, Clarke has stopped talking about threats at all.

"It doesn't matter whether it's al Qaeda or a nation-state or the teenage kid up the street," he said. "Who does the damage to you is far less important than the fact that damage can be done. You've got to focus on your vulnerability . . . and not wait for the FBI to tell you that al Qaeda has you in its sights."

Staff researcher Robert Thomason contributed to this report.

CORRECTION-DATE: June 29, 2002

CORRECTION:

A June 27 article on concerns about cyber-terrorism misstated the capacity of the Roosevelt Dam in Arizona. It is 489 billion gallons.