
Howard Schmidt: In His Own Words

Transcript of Schmidt's First Address as Cybersecurity Coordinator
Just one week on the job, Howard Schmidt outlined the challenges he expected to face as the president's top IT security adviser and shared some of the experiences he had during his short tenure as White House cybersecurity coordinator with attendees at the Advisory Committee to the Congressional Internet Caucus' State of the Net Conference in Washington on Jan. 27.

What follows is a slightly edited transcript of Schmidt's speech, as recorded by GovInfoSecurity.com.


This is my first official outside function in the leap that I made to the White House. Literally, a week ago about this time, I was walking out of the administrative offices from picking up badges and filling out paperwork and got to Chris Painter (acting cybersecurity coordinator), who has done a wonderful, wonderful job in keeping things moving forward after the 60-day (Cyberspace Policy) Review was done, walked over to Chris and said, "What do we do now?" and it was just nonstop ever since.

I think I will probably start out with a question I get asked most often and that is: Do you have the authority? Do you have the ear of the president? And, is this taken seriously in the administration? When I talk about the administration, do you understand that extends to the legislative branch? And, the answer, very simply stated is, "Yes." The president has been very, very fair in designating me as his lead policy official in the area of cyberspace security for the federal government.

When we say the federal government, you know, of course, we look at the agencies encompassed there. But I would not for a moment lose sight of the fact that we have tremendous relationships with the private sector, and when we start looking at the overall space that we are dealing with, while the federal government is sort of the realm that I have got to deal with, we have a very, very crucial role in making sure that the government agencies that have direct relationships with private industry are being brought to the table as well.

As far as the authorities and stuff, I know there has been a little discussion about that, and while clearly I have the ability ... I have been able so far to use all the various interagency processes and executive committees, both National Security Council and Homeland Security Council, so this is, once again, not a singular type of function we are doing.

National Security-Economy Link

Looking at ways to resolve cybersecurity issues across the government. I also might add they start looking across the spectrum in there as well. One of the things I was particularly pleased about, one of the things that made me feel very good as we were discussing this position as I was coming into it, is that there is a direct linkage to the National Security staff as well as the National Economic Council. I think that is crucial because one of the things that we look at when we start looking at this component, we say, "Well yeah, there is the intelligence, the defense, the law enforcement piece of it that sort of fall under the umbrella of the National Security Council, but clearly when you start looking at the economic impact on the global community, not just the United States, there is a key place for that."

Being dual-hatted, having a relationship is key with the National Economic Council leadership as well as the National Security Council, which is who I report to; it gives us a much broader perspective on this ... I think that is crucial. If anybody in this audience - and I recognize a lot of faces here, I've been around for a while doing this - you recognize that nobody can look at absolutes in this space. Just like we don't look at absolutes in security, the same thing applies to the economic challenges versus the intelligence and law enforcement challenges. As a consequence, it is important that we understand that we have a foot in both camps and utilize those two camps.

Collaborating with Federal CIO, CTO

The other thing, and I think this sort of falls into the part of how we like to say, "I've got a great job because I get to do 'this.'" And the "this" for me is one of the men I'm working with, Aneesh Chopra, the federal CTO, and Vivek Kundra, the CIO to the federal government. Once again, as we were going through this process and meeting with them, hearing their ideas and being able to sort of figure out where our roles and responsibilities lie, it was very important to us.

One of the things that tremendously impressed me from the first time I met with both of them individually is that the discussion was not about security: "You guys are just a problem for us; we need to grow our technology at all costs." It was very deliberate, very sincere, in saying, "Yes, all three of us love the technology, but the technology needs to move forward being more secure, better technology in protecting our privacy." And that is how the three of us are going to work.

And, as one might imagine, in the past week with all the things that have been going on from an external perspective, those gentlemen both had a good time to say, "Listen we are going to sit down and start working out our agendas," and so we started doing that as well. ...

On a more functional level we met with the CIO Council, the group from the inspector general's office; there is a wide array of government functions that are taking place that have key responsibilities in this space. And the ability to work with them and be a part of their team I think is very important as well.

So, let me move on to what presumably might have been another question, and that is the cyberspace policy review, because there has been a lot of discussion about here we got another one, we have done security strategies before, and so what is different about this and sort of where do all of these things come into play?

Risk Management

First, try looking at this from a risk management perspective, and I think that is one of the things that we looked at on the cybersecurity review, and how do we do an overall cyber risk reduction. And, as I have said before and I think you all recognize first hand, there are no absolutes. We will never have 100 percent security and still have an open society. We have to protect the privacy. We have to do the things that we need to do from a cybersecurity perspective, but basically the risks out there are the things that we need to face and we need to manage those spaces.

First, we start looking at the space and the risk and we have to recognize that there are threats out there that we face on a regular basis, we know there are vulnerabilities that we have to deal with and also the consequences. I just want to take a moment and address each one of those specific areas.

Threats

In the area of threats, that is something that we have very, very little control over. I think we all recognize that the threats come from a wide array of places, from clever hobbyists, professional hackers or people who wake up one day and say, "Let me try this and see if I can break something" and were successful at it, all the way up to and including people who use the technology to do acts of terrorism. I have seen many, many cases in the past where not only were terrorists using the technology but also using the technology we were funding as well.

So as a consequence, we have no choice as to the threat actors out there. We continue to try to identify them, to neutralize them in the legal ways that are possible, but clearly we just can't all of a sudden by edict say, "Okay, all the threats have to stop." We know that is not practical. ... We also have to recognize the tremendous capabilities that they have. At one time, you would have to have a nation state in order to launch a distributed denial-of-service attack against systems; you would have to have some pretty healthy resources.

And now we have a corporation of botnetworks, which is one of the things that I am looking to figure out how can we wind up taking those things offline, once and for all, and prevent them from coming up again to reduce that threat out there. We now see the ability through people who control those systems have the same capabilities that 10 years ago was a nation-state capability. How do we neutralize that threat?

Reducing Vulnerabilities

One of the things that gives them some level of success across the board is the fact that our vulnerabilities exist. And I have said many, many times that the very things that make us great in the Internet, the technology that gives us the ability to do all of the great things that we can do, also in many cases has become our biggest vulnerability and our biggest Achilles heel. That is the business applications that we run from whether it is an entertainment to a financial system to just things that we use to survive day-to-day activities.

We can build a system - and it is not right that these people say I don't care about security, and from my past experience I never walked into a corporation, I never talked to an executive or a CEO who said, "Hey, I don't care about security; we are just going to do this." There are always business reasons why security may not be the best thing for them to do at that time. And we fully recognize now, and I think many recognize, whether it is because of a governance issue, whether it is a management issue, whether it is a compliance issue, they now say security has got to be part of our day-to-day business processes. That is the recognition that is out there now. But, in the meantime, we have got to live with the systems that have not been designed and architected to work in the high-threat environment we live in today.

One of the things we need to look at is how do we reduce those vulnerabilities? How do we move the battlefield away from the end users to the consumers? Anybody in this room that is involved in the technology world, you know how it is, you are the CIO for your family and friends; you're the one who gets the call when they have a suspicious e-mail or something doesn't work right or their printer, or there is a new operating system and they are not sure what to do with the driver, you're the ones who get the calls. And, that is fine in the sense of configuration and stuff, but we should not be looking to the end user, the consumers and our employees, to be sort of the policeman of the desktops, if you will or the military that is going to protect their systems. We need to move that battlefield back away from there, and the way to do that is to reduce the vulnerabilities that currently exist out there.

We start looking at some of the issues when we looked at the software abilities out there. We are doing a better job now. And, I get asked this question all the time now about are we more secure now than we were last year? Absolutely. We have got newer versions of software; the browser community and we have got many choices out there now that pay a lot of attention to the vulnerabilities and fix them quickly. That is not to suggest for a moment that we are sitting there with the most recent browser is indeed - doesn't have any flaws, we continue to make those stronger. But in reality when we identify it, we get a much quicker turnaround than when we're remediating some of those things. Every time we use some computer systems, we know there are vulnerabilities, we know they exist. So the second part of that is how do we wind up doing that risk management to reduce those vulnerabilities?

The Consequences

And lastly, the consequences.

It is interesting, last year or so I was at a dinner in the U.K. and there were some people there from the European Union talking about, as we become more dependent on ICT (information and communications technology) systems, as IT and technology become more a part of our day-to-day lives. They were talking about that sort of in a futuristic tense, and I [made a comment] I sure wish we in the United States had the ability to wait until we got to that point. We are tremendously dependent on it now. Even the comment that the congressman made talking about our mobile devices. You know, we now have the same power here in our purses, our pockets, wearing on our hips and on our suit jackets that we had just a few years ago on a desktop; that same thing can go handheld now. As a consequence, we look upon what are sort of the consequences of what we are doing. You know, we no longer say, "Well, I'll check my e-mail tomorrow or the next day." We have tremendous dependency on it. As a consequence, as the dependency grows the impact that it has on our day-to-day lives is affected as well. So when we start looking at the consequences, one of the things we are looking to do for our offices - while we can't stop fleeing the threat players out there, while we can do so much to reduce vulnerabilities - we can take some steps to make sure that we have the steps in place to recover quickly from some of the things that we may have to taste someday.

And the other thing is, as far as our connectivity goes, and you know I talk about things in sort of a personal sense, when we start looking at our critical infrastructure and the things that are now being connected to places where never in the past we would ever see an IP address, now are connected to things that we have access to. So when we start looking at it, as we continue to leave more of those systems online - and I jokingly, and probably not so jokingly anymore, joke about an IP-enabled pacemaker. Fortunately I don't need one - at least not yet - but give me another six months and we'll see what happens (laughter). But in the meantime, if I did need one, and anybody who has one, a wireless IP-enabled pacemaker that has a little popup on a physician's window that says, "Oh, by the way, something is not quite right here," and the doctor can sit there and tell it to give an extra half volt here and sort of refresh the heartbeat there. I would love to see that capability exist. But by the same token, I would hate to see someone going, "Okay, let's see how we can make this person really move faster." (Chuckling.)

And while right now in front of you look at interconnectivity, look at the future, those sorts of capabilities are coming very close to being rolled out ... now.

Weak Link in the Chain

Now, the next thing that sort of comes up oftentimes and is one of the discussions that the congressman and I were going to have is sort of about the weak link in the chain. And, I think all of us fully recognize that basically we do have a lot of weak links in the chain. That while we can be very secure, and I am the first to admit, we are doing a very good job in making sure the machine runs flawlessly in many, many avenues.

I liken it to the morning traffic report. We hear about the accidents out on 95, 395 and the blockage is here and the bridge is that, but no one ever talks about 1.7 million people successfully made it to work today. And the same things take place to the cybersecurity role. We hear about that. We hear about the hacks. We hear about all of the things that we deal with, but what we don't see on the headlines are we had $375 trillion worth of transactions successfully go through the financial systems in the past year. We don't hear about those things.

As a consequence we start looking at shoring up these systems and what are the risks, what are sort of the weak links in the chain; clearly they exist, and we have to look and fix them, and one of the things specifically that we are looking at is the whole supply chain component. Because at one point the supply chain, the connectivity in the supply chain, was relatively small, but that has changed dramatically and now not only do we have to have direct connectivity with our supply chain partners, the use of their IT systems effectively to do things, but not only that, they are not just connected to us in one business; I mean this is like a spider web. If you can draw us a picture of the Internet, you can sell us supply chain partners.

Helping Small-, Midsize Businesses

We need to make sure that the small- and medium-sized businesses, the backbone of our workforce in America today, that they basically have the resources so that they don't have to go out there and fight the same battles that we do in the larger enterprises, like the government on a day-to-day basis.

When we start looking at this, part of that is the education piece. And I have met with local business groups over my career and it is really interesting, because seeing some entrepreneurs out there struggling just to get their product out the door and to be successful at it, and we know how many - you know, there are all kinds of statistics out there about how small businesses fail within a certain timeframe; and that's just sort of the cycle of entrepreneurship and businesses. But we should not be in a position where they fail because of cybersecurity issues. They should not have to spend half of their development budget just trying to secure things; it should be something that is built in from the very beginning.

They should not have to be worried about it. And I have seen this first hand, there is a local office that sells eyeglasses and those things, you get a letter from them saying, "I'm sorry, we don't know what happened, somebody broke into our system and stole your credit card number, and your eye prescription" - who wants that by the way - and all of the other things that we have to deal with from a privacy perspective just because they didn't know how to do it, or because it cost them something they couldn't afford to do.

By providing them the tools and acknowledging the awareness that they can better protect their systems, obviously makes all of us better, all the way through the supply chain as well as us as consumers and end users.

And I don't want to forget management. I think back over my career as a young person, and of course, I think many of us recognize that at one point we might have had something less than very happy to say about a manager that we have worked with; it just seems to be an experience that I have had. But they have to be fully cognizant of the role of technology and IT in the way we do our business. Once management starts to understand it, senior leadership understands it, and then we have a full 360-degree understanding of the things we are dealing with, from risk management to the supply chain partners.

What are some of the things now when we start talking about all of the things that have gone on in the past and sort of where we are today? Where the president has been very clear that he has not seen any one of the things that I was very excited about when we did the announcement of my rollout in the White House, we did it the right way. We did it on the web, we did it on the fly and we did it on the White House website. I think that was very appropriate because of the use of technology and recognition of that.

The Obama Agenda

As I said in that video, if you have not seen it, basically the president has asked me to focus on some specific prime areas; one - update our strategy to secure America's networks. And, from my perspective, updating the strategy also includes making sure that we translate this strategy from the high-level points that we see in any strategy: how do we execute that? How do we translate a vision and a strategic direction into something that we can find as actual? And I think, as I met with some of the government agencies that are probably in here today over the past week or so, there is tremendous motivation out there to move from strategic direction to how do we execute. How do we get these things done? How do we become more secure? How do we become better deterrents? How do we get better at identity management and what are the steps that we need to get there? And many of them have got plans in place that now they are moving forward on.

And to that one point also I want to reiterate a comment I made earlier about Chris [Painter] and the folks in my office, and not only that but the people out in the agencies, there has sort of been this perspective that we are filling this position here and things just aren't being done and that couldn't be farther from the truth. There has been tremendous progress and you will see some reports coming out before too long from some of the agencies on the progress that they have made on their various responsibilities. I have gotten briefings for the last couple of days about that; I was not surprised to see that progress has continued as I thought it was. ... They're doing an awful lot. Unfortunately, once again, it is like the traffic wrap, it doesn't show up on the front page, of here is all the good stuff that has taken place, here is the work that we are doing in the privacy realm, here is the work we are doing in the technology development world, here is the stuff we are doing in research. It is one of my hopes to be able to make that more visible to people to true recognition of the work that is being done from the Hill to the folks in the government agencies out there. So developing that strategy is one of the things.

Also, looking at an organized, unified response to attacks on our systems. And that is not to suggest for a moment that there is not a plan out there, that people don't have it, but we want to make sure it is unified. We want to make sure that we are leveraging the skills and capabilities of every U.S. government agency and our private sector partners. And we have seen in many, many cases that the government is not the only side that has the visibility in some of these things. We have seen the private sector answer to this: we are seeing this activity, we are seeing it or we get hit by this, and let's start marshalling our forces together so we can make sure that the private sector is working with the government and vice versa. So the president's desire to have a unified response to future cybersecurity incidents involving both the government and the private sector is one of the other things that is happening.

Global Partnerships

And then we start looking at the public/private partnerships and, of course, it is easy for us in this room to discuss that because many of us have been a part of it. But we also want to make sure that we include, to the highest level, international partners, because we know hackers don't stop at our borders and say, "I'm sorry, you need a visa to go any further to deliver this packet or e-mail or something." Clearly this is an international spectrum and we have tremendous international support, not only for what we are doing, but for some of the things they are doing as well that are going to strengthen the global security of the Internet.

We also need to look at the R&D components of this. As I mentioned a few minutes ago, we start looking at the great work that has been done until now, we need to start looking out a number of years into the future. As we are doing more rollouts ... through defense and a lot of government agencies, where are we going to be 10 years from now? What are the technologies? What are the management tools we are going to need? What are the identity tools that we are going to be using? Investing in research and development is seen as one of the other things we have been asked to take a look at.

And, then of course, the last thing, and probably something that if there is anything that we ask for your support on, and that is in creating a national campaign to promote cybersecurity awareness and education. That is a key issue for us and there are a lot of things we can do all the way from, once again, from the chief executive level down to and including the end users in there.

Privacy

I want to touch on one thing that I think should never be lost in all your discussions, and that is the discussion about privacy. And one of the things, as my involvement over the years has been not only on the security side but the privacy side as well, I have said for a long time, privacy and security are two sides of the same coin. Very clearly, without security we have no privacy. Data protection is key to the things that we are going to do. And, as I was going through and discussing with leadership coming into this position, I always made sure we had a discussion about privacy. I am tremendously excited about the fact that everyone knew about privacy and cared about privacy ... there was a direct desire, including a privacy person in our office, to look at the privacy aspects of cybersecurity.

I want to leave on that high note: there are a lot of moving parts on this, and none of us have the answers. There are no silver bullets, but I think we fully recognize, and one of the things I am particularly excited about is what is different now than at any other time before. We have got tremendous support from the Hill, we have got tremendous support from the government agencies, the private sector, the citizens, and I think we are now in a position finally to make significant, long-term changes in our ability to be better at security, protect privacy better and be resilient overall.


About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.