The Cybersecurity Czar Who Wasn'tAssessing Howard Schmidt's Stint as Cybersecurity Coordinator
Expectations clashed with reality during the tenure of Howard Schmidt, who's retiring as the White House's first cybersecurity coordinator [see Obama Cybersecurity Coordinator Resigns].
See Also: What is next-generation AML?
Perhaps the job was doomed from the start, not fated for failure, but from making concrete advances in the nation's cyber defense as many people had hoped.
Schmidt's performance as cybersecurity coordinator was like a mountain climber scaling Mount Everest without a Sherpa guide and with very little equipment.
"Being the first to fill this position, you are the victim of the public's perception of what this job should be [instead of] how any predecessors fulfilled this role," says Robert Bigman, who retired this past spring as the CIA's chief information security officer.
The perception of the job was that of a cybersecurity czar, a term often used back in 2009 - but not by the White House as President Obama made IT security a major administration priority. Shortly before Obama took office, the bipartisan Commission for Cybersecurity for the 44th Presidency offered a new IT security agenda for the incoming president, including the creation of a strong cybersecurity leadership post.
But the job Schmidt assumed was never czar-like. And, because of a perceived lack of clout, a number of people - as many as two dozen, according to one White House insider - turned down the job before Obama named Schmidt to the post in December 2009 [see Schmidt: A Take-No-Nonsense Cybersecurity 'Czar'], a half a year after unveiling his Cyberspace Policy Review to much fanfare. "We owe Howard our gratitude for taking a tough job nobody wanted," says a highly regarded Washington IT security thought leader and one-time senior government executive.
How Special of an Assistant?
The cybersecurity coordinator holds the title of special assistant to the president. Despite the imposing sound of that title, two other levels of senior staffers - assistant to the president and deputy assistant to the president - stand between the cybersecurity coordinator and the Oval Office. "The fact that it comes from three levels down in the White House is unreasonable," says Melissa Hathaway, who led the team that developed Obama's cyberspace initiative. "He can't do it. He's not high enough in the whole positional food chain."
Another impediment was the job's reporting structure. The cybersecurity coordinator reports to the heads of the National Security Council and National Economic Council. To Obama and his top aides, the dual-reporting structure made sense because cybersecurity is a national security and economic security challenge. Yet, such a framework was seen as another shortcoming of the job because, at times, the staffs of those two bodies could be at loggerheads.
"Given the constraints on the position, Howard did a pretty good job," says Gene Spafford, a Purdue University computer professor who has testified before Congress on cybersecurity matters. "By constraints, I mean the odd dual-reporting chain, no funding and no authority."
Even with the job's shortfalls, former CIA CISO Bigman says Schmidt could have accomplished more if he had worked more closely with the federal government IT security practitioners in the trenches. "I don't recall Howard ever sitting down with the federal government CISOs and having a discussion about information security issues," Bigman says.
Schmidt, although approached several times, was unavailable for comment.
Cybersecurity is a complex arena, and it would be unreasonable to expect anyone accepting the cybersecurity coordinator's post to take on more than a fraction of the challenges and succeed. How tough was Schmidt's job? Internet Security Alliance President Larry Clinton compared Schmidt's performance as cybersecurity coordinator to a mountain climber scaling Mount Everest without a Sherpa guide and with very little equipment.
Schmidt's Significant Achievements
Still, Schmidt departs with some solid accomplishments. The most significant was leading efforts to raise the public's consciousness of IT security, traveling around the country to speak about the cyberthreats facing government, business and society. "Howard can be credited for being one of the major influences on the emergence of cybersecurity as a major issue requiring far more intensified public policy analysis and direction than was the case before Howard took office," Clinton says.
In his last weeks in office, Schmidt hosted a White House gathering promoting a government-private sector initiative to increase awareness on how to battle botnets, those networks of hijacked personal computers used to transmit spam and spyware [see 9 Principles to Battle Botnets). "His strength came from in-depth knowledge of the issues, worldwide contacts and his passion for getting people and organizations to work together," says former Interior Chief Information Officer Hord Tipton, who heads the IT security certification consortium (ISC)2.
Keith Alexander, the four-star Army general who heads the National Security Agency and military cyber command, credits Schmidt with helping shepherd new initiatives, such as the International Strategy for Cyberspace, the National Cyber Incident Response Plan and the National Strategy for Trusted Identifies in Cyberspace, commonly known as NSTIC (pronounced en-stick).
NSTIC, Schmidt's pet project, envisions an Internet ecosystem in which people can choose from a marketplace of trusted credentials that prove their identities so they can transact business safely online (watch video Howard Schmidt Champions Online Trusted Identities). Yet Congress, so far, has balked at funding NSTIC beyond this fiscal year. An appropriations bill passed in May by the House of Representatives failed to include funding for NSTIC, resulting in a veto threat from Obama [see Obama Battles GOP over NSTIC Funding].
Was it Schmidt's fault that the House didn't include money for a program advanced by the White House? "I could probably argue it both ways," Hathaway says. Schmidt and the White House sought $24.5 million for NSTIC for fiscal 2013, signifying the importance of the initiative to the administration. "If he had not put any money at all in the budget, it would have shown that the administration was not serious about it. At least, they put money in," Hathaway says. "But you got to sell it, too, and give compelling advice to Congress."
The onus of getting NSTIC funding doesn't fall entirely on Schmidt, and the appropriations process for the next fiscal year isn't over, so the initiative still could receive money.
The failure to get House funding for NSTIC is endemic of the partisan divide between Democrats and Republicans in Washington. For years, Congress has debated, but failed to enact, significant cybersecurity reform legislation [see Partisan Showdown over Cybersecurity Bill]. Schmidt, working behind the scenes, helped craft legislation to strengthen cybersecurity efforts for the government and nation, but that bill has stalled in the Senate because of Republican opposition to the government's regulation of privately-owned critical IT infrastructure [watch video Schmidt Hopeful on Bill's Passage]. "The proposed legislation has become partisan and therefore political, unfortunately," (ISC)2's Tipton says. "I doubt anyone can make significant impact in the near future."
As Schmidt prepares to depart in mid-June, Michael Daniel is getting ready to take over as cybersecurity coordinator [see Who Is Michael Daniel], but the 11-year intelligence branch chief in the Office of Management and Budget faces the same situation as Schmidt as far as his position in the White House hierarchy. Daniel, however, comes to the position with a different set of skills and, perhaps, expectations than did Schmidt. That's an advantage. Expectations for future cybersecurity coordinators - at least how the job is now defined - won't be as stratospheric. But the importance of coordinating federal government cybersecurity initiatives is as important as ever.