
Waiting for a digital Sept. 11

CNET News.com's Charles Cooper says worm outbreaks like MSBlast may very well go down in history as mere child's play when compared with what's being hatched in some cave along the Pakistan-Afghanistan border.

Charles Cooper Former Executive Editor / News
Charles Cooper was an executive editor at CNET News. He has covered technology and business for more than 25 years, working at CBSNews.com, the Associated Press, Computer & Software News, Computer Shopper, PC Week, and ZDNet.
After a rash of security flaws wreaked havoc upon millions of people who use Microsoft's operating systems, Steve Ballmer blew into Silicon Valley this week to make a public mea culpa in front of a roomful of industry executives.

Speaking at the Commonwealth Club, Microsoft's chief executive confessed to being "humbled" by the attacks and pledged to redouble the software maker's efforts to make its products more secure.

I don't think a staged P.R. event will mollify angry computer users. Ballmer's handlers no doubt recognized the groundswell of resentment building in reaction to the security holes turning up in Microsoft software. Still, there's a limit to how far you can dun Microsoft for faults, real and imagined. The company obviously has a lot of work to do. But in pinning blame for the seemingly never-ending series of cyberattacks, don't lose sight of the fact that the real culprits in this novella are the bad guys who break the law by writing viruses.

And if you think the problem is confined to the struggles of one company, think again. This is a lot bigger than Microsoft. In a world populated by "thieves, con artists, terrorists and hackers"--to borrow Ballmer's phrasing--worm outbreaks like MSBlast may very well go down in history as mere child's play when compared with what's being hatched in some cave along the Pakistan-Afghanistan border.

The bigger worry is the slow-motion response of the federal government to attach the same seriousness to computer attacks that it does to terrorism. Unfortunately, the hired help in Washington just does not get it. If they do, they're going out of their way to disguise the fact. No less a personage than Richard Clarke is now blasting his former employer for taking a lackadaisical approach to protecting the nation's information infrastructure. A counterterrorism adviser to Presidents Bill Clinton and George W. Bush, Clarke is at a loss to explain the government's lack of urgency about combating cyberterror.

"The government is less capable now of securing its network than it was a year ago," Clarke said at a recent press conference, adding that "the reorganization of security into (the Department of Homeland Security) has, in the short term, made things worse."

That's bad news in bells because the assumption that terror groups are too focused on staging another Sept. 11 to launch a sophisticated cyberattack is wishful thinking. IT has always been a major interest of al-Qaida, according to Clarke.

"It is a huge mistake to think that al-Qaida isn't technologically sophisticated," he said, "a fatal one."

The appointment of cybersecurity expert Amit Yoran to manage the National Cyber Security Division in the Department of Homeland Security is a start. Yoran, a highly regarded executive who was the vice president for Managed Security Services at Symantec, is now responsible for making sure the nation's computer networks stand up to attacks from computer worms, viruses and terrorists.

That's a huge job. But Yoran will need to skillfully navigate the bureaucracy to make sure he doesn't occupy a ceremonial post. The buzz around town is that the job took a long time to fill because would-be candidates feared it wouldn't carry much of a stick.

Despite promises that more manpower would be on its way last spring, Yoran's new office remains shorthanded. Most of the staffers who were supposed to transfer over from the National Infrastructure Protection Center remained at the FBI, a situation that has damaged the department's efforts to get up and running.

Watching all this with a feeling of deja vu, one hopes it doesn't take a cyberattack of Sept. 11 proportions to wake folks up. Truth be told, I'm not all that optimistic.