Confront the IT Security Challenge - Interview with Cybersecurity Sage Howard Schmidt
"The two key things that we need to worry about here is one, first and foremost, and that is the fact that this is a presidential imperative and the president recognizes that we have to do this right and we just can't go out and sort of fill this for the sake of meeting some particular deadline," Schmidt says, in an interview with GovInfoSecurity.com (transcript below).
Seeing the fundamentals in a situation is a strong characteristic that has placed Schmidt on nearly every list of a prospective White House cybersecurity czar. In the field of IT security, Schmidt has done it all.
He spent more than 30 years in public service, including a stint as a White House special adviser on cyberspace security and as chief strategist for the US-CERT Partners Program at Homeland Security. He serves on an IT privacy board that advises the National Institute of Standards and Technology, the Commerce Department and White House.
In the private sector, Schmidt has held top IT security posts at Microsoft and eBay. An author of two IT security books, Schmidt has academic affiliations with Georgia Institute of Technology, Carnegie Mellon and Idaho State University.
Schmidt is the first and current president of the Information Security Forum, an independent, not-for-profit association aimed harnessing the brainpower of public and private-sector experts in IT security and risk management.
In an interview with GovInfoSecurity.com's Eric Chabrow, Schmidt discusses the:
Eric Chabrow, GovInfoSecurity.com managing editor, interviewed Schmidt.
ERIC CHABROW: What are the greatest challenges the federal government faces in developing an IT security culture?
HOWARD SCHMIDT: There are a few things. One, we have come to take the IT systems that we use almost for granted in the fact that they are always going to be there, that there is always somebody else looking after not only maintaining them, but more importantly for our topic, the security of them. And, as we have seen over the years as personal computers become even more of a computer, it is a shared responsibility between those that are providing the services and those of us who are using the service to make sure that not only are we using it to its fullest capabilities, which is just absolutely wonderful, but also to make sure that they are secure.
As we have gone through the years, we focused more on the rich and robustness and the great technology it brings us and sort of not put as much forward as we needed to the risks that are out there and more importantly how one could really do things themselves to mitigate those risks.
CHABROW: What should the government do to get the people who use these systems to do what should be done?
SCHMIDT: There are a few things. It is just like any other organization, whether it is government or private sector; it has got to be part of the culture of the organization. It has got to come from all levels of the organizations.
For too many years, we have heard the security people talking about we need to do this better, we need to do more security, we need to use antivirus, we need to use anti-spyware, and sort of the litany of technologies that one would use to help protect a system but not necessarily protect the overall environment.
What we have seen over the past few years is where you have the highest levels of an organization say not only do we get tremendous benefit from these IT systems that we are using, but we also see tremendous risk out there and as a consequence as a part of the corporate culture, as part of the way we do business, we have to look after the issues around risk management, about security, about the technology security, about the information we put on these systems, how we handle those systems, what we do with the data, which is also important, and it comes from the top down. What happens is it becomes part of something that people recognize as part of the things that they need to worry about as well and also can receive the benefits from.
We probably have seen that most recently with the announcement by President Obama back in May talking about how recognizing the IT infrastructure is part of a critical national asset and how that there are not only people out there looking to do harm against our IT systems because of culture and because of our way of life that we treasure so much, but also that there is a tremendous opportunity here for people to become more involved to do more to secure the things.
We have seen the same sort of discussions in the United Kingdom, with Prime Minister Brown recently talking about a cybersecurity culture for the country and everything else so we are starting to see that and I think that really, really sends the right message and it sets the right tone that this is not something that is just a technology piece, it is a national identity.
CHABROW: President Obama announced two months ago, as you pointed out, that he was going to have a cybersecurity coordinator and one hasn't been picked yet. There are some people who are concerned over two things: first, why it is taking so long and, second, where that person should be within the administration. A lot of people who support the President on his cybersecurity initiative are somewhat critical of him because they don't feel that person will be high enough in his administration, as he calls it a "coordinator." What is your view on that?
SCHMIDT: Every organization has to decide what works best for them. This has been a long-term debate that we have seen once again in corporate environments where, where is your security person? Is it better in the IT organization, is it better in the strategies organization, is it better in the finance organization? There are arguments to be made all over the place. I think the two key things that we need to worry about here is one, first and foremost, and that is the fact that this is a presidential imperative and the president recognizes that we have to do this right and we just can't go out and sort of fill this for the sake of meeting some particular deadline.
On the same token, we have to make sure that the power of the office of the Executive Office of the President is behind it. So whether it is reporting to the national security adviser, national economic adviser or it is someplace else, as long as it has the ability to do what needs to be done to coordinate across the government agencies. If you look now what we have seen across the Department of Homeland Security and Energy and Defense and the FBI, we see a new cadre of highly professional people who are working these issues and have a new mandate, a new lease on life if you would, working it. ... These folks are in place doing what they need to do to make the environment more secure, not only for the government systems, which is rightly important, but also in working with their private sector partnerships.
When you talk about a coordinator, that is just take the good work that is being done to make sure that it is being prioritized across the various agencies to make sure that the resources that are necessary to help facilitate these things. Quite honestly, I have little concern about the timeframe or the position, just the fact that it has got the right people doing the right things and for the right reason.
CHABROW: As you know, your name has come up for that job. Would that be something that you would be interested in doing?
SCHMIDT: Well, you know, public service, I think is any thing that any American would like to do. I see it pop up once in a while and it is one of the things that I think is important to recognize. If ever an opportunity comes to serve our country in some fashion, I sit on some government boards now as an advisor, but I think it is important.
CHABROW: Have you talked to the Whitehouse about this cybersecurity position?
SCHMIDT: A lot of people's names come up and I think there is ... obviously they have got a very important decision to make.
CHABROW: Understood.
Going on to a different topic, we are in the midst of a recession and government, especially at the state and local levels, where we have seen budgets shrink. How much is cybersecurity dependent upon funding and how much from innovative thinking?
SCHMIDT: One of the things that we have seen in the past few years in particular is that when we start looking at vending for security specifically, we have long moved beyond where you had to fight for budgets to intrusion detection systems and antivirus and those are things that are just being recognized as part of an IT system now.
Clearly, there is always a risk when you start losing personnel and you start having to make tough decisions for priorities on law enforcement resources or you wind up putting in a new distributed denial of service attack system. As a consequence, there is always that risk and one of the good things that we have seen is much of the work that needs to be done has been identified is in progress.
There are some things that can be done, as far as patching systems and installation of systems and configuration of systems, identity management that don't cost a lot of money. This basically involve doing things in a smarter way, or developing some processes off of, for example, the ISF, the standards of good practices. The ISO standards are out there, that are available, that people can use to help make their systems more secure without spending money on them. Clearly at some point, we need to continue to move forward and do some expenditures.
People need to be trained constantly, and that is one of the things that probably that I look after quite a bit. How are we training and what are we doing to train the next generation of security professionals to deal with the newest technologies that are out there? How do we identify the newer risks? When we look across the board, there is a risk, it is not as great as it could have been a few years ago.
The other thing, which I think is really reinforcing particularly for state and local governments, we have had the multi-state ISAC in place for about seven years now; this is the Information Sharing Analysis Center, which all 50 states and their security people meet regularly on teleconferences and they share information, they help each other on dealing with specific technical problems and things, and so as a consequence, they are in much better shape now because they have got a really well-developed comprehensive program across all 50 states working with each other. Like anything else, it helps keep the burden off of one of them when they have the ability to work across the other state lines and look to what has someone else done to secure a system that my state can do that is not going to cost me a lot of money.
CHABROW: We discussed the states. Now, let's talk internationally, that you're involved in. How important is international collaboration in protecting individual governments' IT systems and each of their nation's critical IT infrastructure?
SCHMIDT: It is vitally important. As we have seen over the past few years, of course in the United States here, we have long had tremendous dependencies on our IT system, just for so many things. It has moved beyond just entertainment in the early days, it is the way we pay our taxes, it is the way we book travel, the way we do our banking, the way we do commerce; there are a lot of things that are just engrained in the day-to-day life that we live.
But when you look at the international basis, as the developed countries like us become more dependent, obviously they have to do things to secure their government systems because they wind up having very similar e-government initiatives, as we have had here in this country, and you see this from Southeast Asia to across the continent of Europe where governments and citizens are interacting online through the Internet or Internet-based technologies on a regular basis.
When that happens, the dependency become greater, and when that dependency becomes greater, the expectation is it is going to work, it is going to work most of the time if not all of the time, and we ought to have security and things built into it, which is why when we see on an international basis, many countries are developing their own national strategy to secure cyberspace, while we are also seeing many companies working with the governments in the public/private partnership to make sure that everyone is using the best practices, the best technologies, the best methodologies.
We are looking across international spectrum, for example, we have in the European Union, we have the European Network Information Security Agency, or ENISA as it is known, which basically looks after that. Across the Asia-Pacific region, we have the AP-CERT, which is the Computer Emergency Response Team, so there is a lot of activity going on and I think every country, small and big, whether it is say very highly developed economic nation, or whether it is a developing nation, recognizes that a secret to a lot of the things that are going on are going to surround our ability to not only deploy but also secure our IT systems.
CHABROW: I guess you saw the New York Times article about cyber warfare and the Bush administration not going ahead with an attack against with Iraq's financial interests. That seems to suggest that there is a certain interconnectivity among all nations that it is hard to differentiate friend from foe. What is that impact on cybersecurity?
SCHMIDT: The strength of the Internet and Internet technologies is the fact that we are so connected. We have the ability, not only to do e-commerce but also to do harm, and we need to make sure very carefully how that is utilized. When someone attacks someone else's system, (we must be aware of) what the unintended consequences might be, and that doesn't make any difference whether it is a government needing to make that decision or it is a group of criminals who are looking to attack a system.
It is just not like a precision way of taking out a specific piece of equipment. Oftentimes, there are other repercussions across the Internet and these things need to be very well thought out; they need to have very, very clear adoption about. It is very important to make sure that as we move forward all things are taken into consideration on this. While governments may be operating in less than friendly or a hostile manner, the people still have to get on with their lives and that is one of the things that I think our government is particularly sensitive to and that is the fact that there has got to be disruption of the bad things without disrupting the good things that go along with it. And of course, on the Internet we have both appearing oftentimes simultaneously.