[Infowarrior] - An Interview With Howard Schmidt
Richard Forno
rforno at infowarrior.org
Tue Feb 23 15:32:43 UTC 2010
An Interview With Howard Schmidt
By Dennis Fisher
Created 02/22/2010 - 11:50am
http://threatpost.com/en_us/print/3375
In this podcast interview, done before Schmidt was appointed to the
Obama administration, Dennis Fisher talks with Schmidt about his
career and what the priorities should be for the cybersecurity czar.
Dennis Fisher: My guest today is my friend, Howard Schmidt, who has
had one of the more varied and interesting careers in the security
industry over the last few decades. Howard spent some time at both
the FBI and as a supervisory special agent in the Air Force’s Office
of Special Investigations, where he helped create the government’s
first computer forensics lab. He also served as a CSO at Microsoft,
where he helped establish the company’s Trustworthy Computing group.
But the most important roles for the purposes of what we’re gonna talk
about today are Howard’s time as vice-chair and later, chair, of the
President’s Critical Infrastructure Protection Board and his work with
the Department of Homeland Security.
Sorry I couldn’t give you a better introduction than that, Howard.
That’s all I had for you.
Howard Schmidt: Well, Dennis thanks. I appreciate that.
Dennis Fisher: I left out about half of what you’ve done, but we can
point people to your bio later. I don’t have time to read it all.
Howard Schmidt: No problem at all.
Dennis Fisher: All right, so the timing of this is good, I think.
I’ve been trying to get you on for about a month, but you travel about
99 percent of your life. We’re recording this the day before we’re
supposed to hear from the president on whether there’s gonna be a new
cybersecurity czar position created, get the details of the 60-day
review of federal cybersecurity, and maybe even name somebody to the
cybersecurity job. I’m not sure about that part.
You served in a similar position to what we’re hearing this is gonna
be, during the Bush administration, so you’re the right guy to ask
this question of. Do you think there is a definitive need for a
single leader on this issue, whatever the job title turns out to be?
Howard Schmidt: Well, as far as having a single leader in this area, I
think we need to have a single strategy. Now that’s not necessarily
saying that responsibility lies with one person, but it’s like a
football team. You’d have to have a quarterback, and in this case,
someone who is going to coordinate the activities that are so
multifaceted. I’m sure we’ll get to that in a few moments. Having
someone sit there and make sure that things are progressing as they
should is very beneficial.
Now whether that sits in the White House or one of the other
departments is – people have pros and cons against all aspects of it,
but I think the essence of having a leadership role that does
coordination and ensures that things are being executed as planned is
something that, I think, is long overdue.
Dennis Fisher: And does that role – you mentioned the White House or
whether it’s in some other federal agency, it’s been at DHS for a long
time now – does that role need to be operational or should it just be
a supervisory role, like you said, to coordinate activities among the
federal agencies?
Howard Schmidt: Well, clearly, it’s a White House position and the
White House is not operational. The White House is about policy and
the whole executive branch in that respect, so in that case, it would
be more of a coordinating role and a policy establishment role. This
is one of the things that really makes this challenging, because there
are so many different aspects of this.
Clearly, when it comes to security of government systems, we’ve seen
changes to FISMA over the past few years. We’ve seen some really good
moves by the Office of Management and Budget in the past, taking
forward some things that really need to be done on secure desktop
configurations and things that should help the government agencies,
themselves, become more secure. But this whole issue about
cybersecurity and critical infrastructure protection and the fact
that, early on, the president declared that the information critical
infrastructure is a critical national asset. That puts it in a
different perspective than just keeping the government systems secure,
which, obviously, this position has got to go beyond that.
Dennis Fisher: Right. Yeah, that elevates it to another level within
the country’s infrastructure and it seems like that position needs to
have some real authority behind it, whether it’s statutory authority
or it’s just organizational authority, as in whoever it turns out to
be is a member of the National Security Council and reports directly
up the chain to the president. That was the case when you had the
position; it was part of the White House. Do you think that’s the
best spot for it in the government org chart right now?
Howard Schmidt: Well, I think a lot of it depends on the person as
well, because when you start looking at placement of a position that
is so broad – for example, a lot of people – I mentioned a few minutes
ago that I’ve been doing a series of executive luncheon briefings
around the world recently and the question that comes up often is,
“What is a skill set?” Well, when you start breaking this down into
what are the key areas, clearly, you’ve got a defense, from the
Department of Defense role that people really have to understand and
be able to work with.
There’s an intelligence role that goes from an economic espionage, all
the way up to a state intelligence issue. You’ve got a private sector
component in there, and particularly, with the economic world that
we’re in today, we have to do more, but also not break the bank in
doing it, because we do have some instability issues on the economic
front and, basically, this plays a lot into everything from online
ecommerce to expenditure funds for updating and creating new ICT
systems.
Add on the top of that the cybercrime or the law enforcement
perspective, not only the federal level, but state and local and
international level and then one other layer on top of that, when you
look at the international component of the ICT systems and all the
interdependencies we’ve had with countries that, in many cases, are our
friends and allies, but in other cases, also have access to the
same resources and are not basically doing things in our best interest.
So when you start looking at the person, the ability to understand
that broad swath of things, to be able to take input from different
areas, analyze that input and make decisions that are gonna help
facilitate the people that have the operational responsibility; that’s
gonna be a really interesting skill set to try to pull out of this.
Dennis Fisher: Right, and that’s something I wanted to get to, too.
You just described a very comprehensive set of skills that this person
needs to have. It’s gonna be pretty tough to find one person with
that broad range of skills. How do you prioritize if you can’t find
the one person who has all of that? What do you really look for in
terms – is it more important that that person have good relationships
throughout the security community and government as well, or is it
more important to have a technical background? How do you go about
finding that?
Howard Schmidt: I think, like anything else, and it’s funny, because
one of the things you always hear from a management versus a
technology perspective is the technology folks often say, “You really
have to understand the technology to be able to manage this.” And on
the other hand, you have the management school folks who say, “Listen,
a good manager can manage anything.”
I think in this case, it comes somewhere in between. I think you can
find people with a balance of technical understanding of security,
because one of the biggest fears that some of us have had, and I’ll
give you a real live example – years and years in the past, we used to
struggle to convince management that information security or
cybersecurity, whatever you want to call it, was a priority and was a
business imperative. So what happened is – and this happened to me
personally – I finally convinced one of the other vice presidents that
this was a big issue, and then three or four times a day, I would get
an email that says, “Oh, there’s a new virus that came out today.
What’s being done about this?”
So it got to the point where there was such a heightened level of
sensitivity, there wasn’t any practical application of what’s really a
risk and what’s not a risk. So as a consequence, in this case,
having some understanding of it, but also, in a measured way that you
understand that not every new virus, not every web defacement is a
crisis that’s gonna affect billions of dollars or people’s homes
losing electricity or airplanes falling out of the sky, to really
understand that this is important, but understand it in a measured
manner, so it’s done from a practical risk perspective.
By the same token, having the organizational skills to go ahead and be
somewhat of a diplomat, sit there with people with competing equities,
people of organizations that have different priorities by nature of
their mission that’s assigned to them or because of their personal
understanding, to be able to sit there and get everybody pulling in the
same direction and doing so to the benefit of the government in the
first case.
When you start looking at the prioritization, I think one of the
things that’s important is understanding what it takes to secure
government systems first and foremost, because those are the ones that
the government has direct control over.
The second thing is the ability to understand that international
framework – what are the agreements that we have for using IP-based
and net protocol-based technologies worldwide? What are the
capabilities? There’s been a discussion in one of the recent bills
about having the poison pill or the kill pill or a kill switch,
whatever you want to call it that says to be able to shut people off.
Well, you should be thinking about that without thinking about all the
unintended consequences of that, not only from a financial
perspective, but also just from an international relationship
perspective. So that’s got to be another one of the high priorities
to look at. So I’d say if you’re looking to stack rank them, you look
at the ability to understand securing government systems from a
technology, as well as a policy perspective, as well as the
international framework. Those are things that I think are pretty
healthy.
Dennis Fisher: Okay, and there are some good people within the
government who have been working on those issues, using the
government’s purchasing power to put some pressure on vendors, like
Microsoft and Oracle and others, to really come up with some more
secure applications, some more secure configurations for government
systems in the past few years. Do you see that being expanded in the
near future as the Obama administration really takes hold of this issue?
Howard Schmidt: I absolutely do, and I’m glad you brought up the
good people out there, because right now, one of the limitations has
not been the quality of the people, but the support and the resources
they have available to them. As I look at people who have been doing
the job in the government, particularly since I left, or people that,
I think, as you’re aware, I’m still a computer crime investigator with
the Army Reserves at the Criminal Investigation Division at Fort
Belvoir. When I look at the folks there, they eat, live, breathe and
sleep this, everything from network investigations to vulnerability
assessments to forensics stuff.
These are hard-working, dedicated people that are working as hard as
they can, using every resource they’ve got available to them, but
unfortunately, the resources have not been there in the past. There’s
been this faulty idea that everything else is a – this is a priority,
but everything else is a bigger priority. I think we finally realized,
and I think there’s probably a good track to say, “Yeah, this is a
good opportunity to have multiple priorities across different things,
whether it’s physical security, whether it’s antiterrorism, all these
other things. We can do more than one thing at a time.” So by giving
the dedicated people that are in government now the resources to do
it, we can go a long way to help, indeed, reduce the risk that we have
of having any dramatic effect from attacks on our systems.
Dennis Fisher: Okay. You mentioned cybercrime just there and a little
earlier. We’ve heard a lot from the administration about
cybersecurity, in general, which, I think, everybody takes to mean
locking down the critical infrastructure, defending the country’s
networks, that sort of thing. We haven’t heard as much, at least
publicly, about better cybercrime laws, more cooperation with
international authorities, that sort of thing. What are your thoughts
on the state of things right now, in terms of cybercrime
investigations and prosecutions and where things should go?
Howard Schmidt: Well, that’s one of the, I think, good news stories
we’ve had. We’ve got a guy over at the FBI, at the deputy director
level, Shawn Henry, that has grown up in the ranks as a computer crime
investigator, a good manager, a good executive that’s leading that
effort over there. We’re starting to see a lot of the international
things, the G8 subcommittee on cybercrime. I was just back over with
the Council of Europe on the Council of Europe’s Cybercrime Treaty.
We’re getting a lot more visibility in that.
As a matter of fact, that meeting over there a couple months ago, I
think was the fifth annual meeting and, clearly, there were hundreds
and hundreds of people there, ranging from Nigeria to Canada to the
U.K. So there was a tremendous amount of support from the
international perspective.
The challenge, though, we have in the law enforcement perspective is,
once again, there’s way too much of the criminal activity going on for
anybody to deal with. I try to translate that into my previous life,
working in gang investigations and drug cases and stuff, and it seemed
like there was never an end to this. But in our case, in particular,
in the cybercrime area, while there are way too many cases for law
enforcement, internationally, to be able to deal with, there is a
light at the end of the tunnel, and that’s us doing a better job
securing these systems for people not becoming a victim of credit card
fraud, identity theft, hacking, intellectual property theft – you name
the litany of things.
By using some good protection techniques, we can actually start to
reduce that. We’ve seen some pieces of that take place. I’ll talk
about that in a moment. But we can start reducing some of the criminal
activity and then once you start reducing that, then the limited
resources we have in law enforcement, which are better trained and
better equipped than they’ve ever been in the past, then they can
focus on the most egregious offenders, which really sends a message
through the criminal community that said, “Yeah, you’re not always
gonna get away with this,” like people seem to think they can now.
Dennis Fisher: Yeah, everybody does seem to have that impression that
this is a very low-risk criminal activity. It’s not breaking into cars
or even running drugs. It’s pretty low-risk when you look at the
number of prosecutions we see, especially in the U.S. compared to the
amount of crime that’s going on out there.
Howard Schmidt: That’s correct, and the interesting piece about it is
it doesn’t necessarily have to be off the scale. In other words,
there is a question that I’ll ask some audiences that I speak to once
in a while. At the most recent one, there were 150-200 people in the
audience, and I asked how many of them would report it to the police
if someone stole $1.00 from them or $5.00 or $10.00. People didn’t
start raising their hand until you got to $50.00 or $100.00. That’s
what the criminals depend on. So instead of stealing $10,000.00 from
someone, they’ll steal $1.00 from 10,000 people, with the concept that
they still get the end result. The criminals still get $10,000.00,
but nobody is going to go crying about it. And that’s how a lot of
them will fundamentally work.
Dennis Fisher: Right, and it’s working pretty well for them.
Howard Schmidt: Correct.
Dennis Fisher: At least up until now, yeah. Okay, let me get your
thoughts on this. I wrote a column yesterday making the case that the
first priority for the new cybersecurity czar, whatever the job turns
out to be, should be building a strong relationship with the key
people and organizations in the private sector to bring that bond
back. Why has that been such a difficult task in the past for the
people who have had that job?
Howard Schmidt: Well, I don’t think it’s been a difficult task unto
itself, but what happens, people keep moving the deck chairs around
all the time. Once you have a relationship established with someone,
it takes a while to build up trust, whether it’s government to
private, private to government, government to government or private to
private. It takes time to build up those relationships.
Then when you have people moving out every year or two, then you’re
rearranging things, which is one of the things that I think when you
start looking at that heavily overused term of “private/public
partnerships,” when you start looking at this sort of a thing, I think
a lot in the private sector said, “Listen, we’re not gonna sit around
waiting for government to do something. We’ve got to do things on our
own.” That’s why you see a lot of the activity going on, Microsoft
with their End to End Trust program, Oracle, with some of the security
programs they’ve got. You see a lot of private industry critical
infrastructure owners and operators saying, “Well, we get the
message. We understand that we’ve got to do things differently.
We’re gonna put a higher priority on security.”
Some of it’s based on just pure overarching governance requirements.
Others are then looking at issues about, “Okay, well, now I’ve got to
be compliant, whether it’s PCI, whether I’ve got to do some of these
other things,” but there is a tremendous amount of effort within
private industry, just to become more secure and on top of it,
customers are demanding it. So as a consequence, when you start
looking at that public/private relationship that’s been going on, I
think there’s less of a dependency on private sector looking to the
government for leadership, than I think there ever has been in the
past, because I think private industry gets it and, like I said, with
the changing people, not knowing who to talk to from one day to the
next, industry says, “Well, we’re gonna go and make things happen on
our own.”
Dennis Fisher: Yeah, and they’ve been doing that to a large degree,
but it still seems to me that the vast majority – not vast majority,
but the large portion of the expertise in cybersecurity lies in the
private sector. So doesn’t it benefit both sides if there’s a strong
relationship there and they can communicate openly about, “Okay, we’re
seeing this threat inside government networks. Have you guys seen
this before? What have you done about it? How should we go about
defending against it?”
Howard Schmidt: Yeah, and I think to some level, you’re correct that
there’s a greater level of expertise in private industry, but that’s
at a different level. I’ll give you an example. Within the
government now and one of the really great programs that has been
established is the Scholarship for Service Program. Another one,
CyberCorps, is one of the terms, a joint effort between NSA and the
National Science Foundation and Homeland Security to make sure that we
have the next generation of information security or cybersecurity
experts going through the universities now in dedicated courses in
information security and information assurance.
I forget; it’s close to, if not over, 100 universities that participate
in that. When their students graduate, they go into the government
right away. Now some of the universities that I teach at, such as
Georgia Tech and Idaho State University, are Scholarship for Service
programs; as soon as they get done, they’re going into government,
fairly high-level positions as security experts.
So the expertise is there on a technical level and, once again, as
their careers move on, you’ll start seeing some balance in there of
those that have, in the private sector, not only the technical
competence, but also the management and leadership competencies.
You’ll start to see that in government as these scholarship
students are working their way through the government ranks.
Dennis Fisher: Yeah, I love that idea. I think it’s terrific. It’s a
great program. But how long do you expect or how many of those
graduates do you expect to stay in government service for the long term?
Howard Schmidt: It’s an excellent question. I remember a few years
ago, I was testifying up on the hill and one of the congressmen asked
me that very question, “We get these people to come in. They spend
some period of time in the government, but obviously, the money’s
better in the outside. The work elements, oftentimes, were better, so
as a consequence, how do you retain these people?”
My response, basically, to you is as it was to him at that point. I
don’t think it’s necessarily bad for them to come in and spend two
years, four years or six years. There are gonna be some people that
are just civil service oriented, if you would, that like public
service and will stay there through their entire career, which is good
for the longevity of those in that business, but by the same token, we
start looking at the interdependencies between the private critical
infrastructure and the government’s systems.
I really like the concept that somebody spends a few years working for
the Department of Defense or working for the FBI or working for
Homeland Security, gets the understanding of the criticality of this
and then comes back and transfers that into the private sector. I think
that makes both the private industry and public service or public
sector much stronger. So I think it’s a good thing to have that cross-
fertilization and having been a participant myself most of my career,
I find that to be particularly rewarding, because it gives you a lot
of different perspectives that you wouldn’t have staying in one sector
or another.
Dennis Fisher: Yeah, that’s a great point. And the other thing I would
guess is that if you’re one of these kids who goes and spends four or
five years in government service and then goes to work in the
industry, all of a sudden, you’ve got this big network of contacts
inside the government who you can talk to when you have a problem or
they can call you when they have something that they need to talk to
you about.
Howard Schmidt: You’re absolutely correct, and that’s one of the
things that when you start looking at where the rubber meets the road
and where things really get done. We can have all the greatest
policies in the world and all the committees and all these other
things, but when you have an individual in either government or
private sector, pick up the phone and call someone that they went to
university with, that they’ve worked with in government or private
sectors, and says, “Hey, I’m seeing this really anomalous activity on
this particular port. Are you guys seeing that?” “Yeah, we are.”
Well, that solves problems and that’s what this is all about.
Dennis Fisher: Yeah, and you would know this having spent a lot of
time in law enforcement. That’s how things get done in the law
enforcement community.
Howard Schmidt: Absolutely correct.
Dennis Fisher: There’s some guy that you worked with once at the FBI
and you know you can call him and say, “Listen, we have this problem.
Can you help?”
Howard Schmidt: Absolutely correct. And those are lifelong
relationships, too. They aren’t something that just because this
person is no longer in this particular job, you no longer have access
to them. By the way, one of the things, and just changing the topic
just a little bit, when you start looking at some of the social
networking tools that are out there today, people oftentimes think
about, “Oh, yeah, these are college students doing this,” or “My
granddaughter is doing these things.” Well, those same resources are
available to all of us, from security, private sector, public sector,
law enforcement, and we use them all the time. There’s not a week
that goes by that there’s not a former colleague either in private
sector or government or law enforcement that doesn’t pop up and say,
“Hey, I saw your profile here. I want to make sure we’re connected.”
And the next thing you know, I may get a call, “By the way, I’m
working this case. What do you know about this?” Those things make
it even better as far as the longevity and the ability to stay in
contact.
Dennis Fisher: Yeah, I completely agree. Let me ask you about the
ISACs, because you were involved in the beginning of the IT-ISACs.
How active are the ISACs, in general, right now, and do you think that
there is a need to maybe not replace them, but reinvigorate them at
this point?
Howard Schmidt: It’s a really good point, because the ISACs, in the
very beginning, were born, I think, in a lot of cases, and I can
speak for the IT-ISAC, when we founded that, it was based on a
recommendation that government people or the private sector organize
amongst ourselves, not necessarily to share information with the
government, which was desirable, but to share information with each
other. That, once again, established some longtime formal bonds
between, in many cases, competitors in this space, to bring this
to the table, to share information and do that.
So I think for the most part, and we have some ups and downs in any
organization you might imagine, but for the most part, that has become
institutionalized, that no longer will you see something new hit the
horizon that takes everyone by surprise, except for one company,
because people are inclined to share with each other.
By the same token, I think what has happened now is there are so many
people that are paying attention to cybersecurity, critical
infrastructure protection, that there is this underlying feeling that,
“I know how to do this already. I don’t need to be a part of a bigger
organization.” So when you talk about trying to bring up the example
of ISACs, that’s one of the things to show, that there is much, much
greater strength in numbers than people going it alone. I think
that’s one of the things that could be helped to be emphasized.
The other thing is making sure that the information is relevant.
That’s one of the things that I think many of us would challenge
today and for lack of a better word, I’ll call it “information
overload.” New vulnerability pops up. A new question about
something pops up. I’m getting an email from 10 or 12 different
sources in one day, whether it’s serv, whether it’s some sort of a
listserv that I’m on, whether it’s through an ISAC publication or
InfraGard. There are a lot of sources of information out there now
that are circulating, which we didn’t have back in the days when we
used to form the ISACs. We didn’t have that public communication
that was out there, so as a consequence, trying to consolidate that
through the ISACs would be very helpful to make it relevant and timely.
Once again, I was recently talking with somebody and we were lamenting
the fact that some of the recent things you hear or you get a piece of
correspondence from some – in this case, we were talking about a
particular government agency – that we got the communication from the
government agency three days after CNN had fully covered it. So these
are the sort of things, keeping it active and vibrant. It’s got to be
timely and relevant to what people’s needs are.
Dennis Fisher: Right. Yeah, that’s a great point. Getting back to the
critical infrastructure piece of this for a minute, we always hear
that the majority of the critical infrastructure is owned by the
private sector in various forms. How much of a role do you think the
government should have in helping to secure that part of the
infrastructure, whether it’s through just help in providing resources
and expertise or through regulation and mandates?
Howard Schmidt: I think for the first and probably the most important
part is that government has got to help assess what really is
important and what’s not important. An example I like to use – I live
on a remote mountain about 30 miles east of Seattle. Because of the
nature of the west coast and the weather and stuff, we wind up losing
power up here at least a half a dozen or so times through the course
of the winter.
So to me, critical infrastructure means a generator and enough gas to
last me for a day or two. But then you start going into the city down
here, which is less than 30,000 population, you start looking at that,
well, that takes a whole different picture when power is out for a few
days, because people can’t go grocery shopping. They can’t get fuel.
As recently as a couple of years ago, in order to get a mobile phone
signal, you had to drive for an hour north of here, because the towers
were out, because the power was out. They took up all the fuel
with their backup generators, so we started to lose that aspect of it.
So it takes a different component, but I think the government’s key
role is to assess what the risks are. Once the risks have been
identified, what are the capabilities that private sector has to
respond to these things? What I’ve seen, particularly during my time
at the White House, you look in the aftermath of September 11th, with
a telecom company, their ability to go out there and recreate an
infrastructure, get the stock market back up and running in a
relatively short period of time, to have telecommunications available
for mobile phones and stuff. That was just phenomenal. So it’s clear
that some sectors are quite prepared and probably more so than the
government, in some cases, to be able to deal with these sort of things.
But there should be an assessment and a baseline expectation that
during whatever the incident may be, here’s what we have the ability
to respond to. Now once that determination is met, where that is,
then it’s up to the government to decide, “Is that sufficient for us
to do public safety and the protection of people and property?” Now
if that delta is above what the private sector capabilities are, then
the government has to make a couple of decisions. One, how do we get
it to the level we need it to get? Do we, indeed, create some sort
of incentive where we give the private sector or provide some funding
to the private sector to develop the extra capabilities, or is it the
type of thing where we encourage the private sector to do it as part
of a business plan where, as they increase resources out to a certain
segment of the population, it’s something they would do automatically?
And then the other aspect of that, once we move forward: at what point
should government start to look at regulation if, indeed, the market
can’t do what it needs to do?
Dennis Fisher: Do you find that the industries, think about, maybe,
utilities, power companies, water companies; do they resent the
government getting involved in what they’re trying to do in terms of
securing their own networks?
Howard Schmidt: I don’t know that I’d say, “resent.” I think there’s
concern. More than one person has told me, “How can the government
tell me what to do when they can’t even secure their own stuff?” Then
you start getting into – and many people don’t realize that there is
not the one power company that looks after the entire country.
There’s not the one water treatment facility. We’re talking about
literally thousands and thousands of these organizations of all
different levels.
Some local water cooperative here where I’m at may be just a few
hundred homes in a subdivision and it's run by a water cooperative
there. So all these things are not made the same. Also, not only are
they not made the same, but various government entities have
regulatory controls over them at the very local public utilities
commission, within a particular town, village, city or county. So
when you start looking at how do we deal with this, how do we wind up
dealing – and competitive, because some of these things, of course,
are for-profit organizations? How do we wind up getting the
information needed by government to identify if resources are enough
without impacting the proprietary and, oftentimes, competitive things
that these companies need to do?
I wouldn’t say they resent it. What they oftentimes don’t care for is
what they feel might be intrusive in their ability to run their
business the way they need to run it, to do the same job the
government wants them to do anyway and that’s provide the critical
infrastructure that people need.
Dennis Fisher: Yeah, that’s true. You mentioned that there’s literally
a network of thousands of these cooperatives and small companies all
over North America, really, running the utilities. One small mistake
or one small incident at one of these could have a cascading effect,
as we saw with that blackout in the Northeast about three or four
years ago now that affected New York.
Howard Schmidt: And therein lies the key issue when you start looking
at the assessment by the government, and I don’t know that we’ve done
this well yet. We’ve talked about it from the days I was in the
government, and that’s sort of identifying what are the critical
interdependencies that one would have? A classic example is, and I’ll use
this region up here in the Pacific Northwest, where we have Mt.
Rainier, which the experts say that’s still an active volcano, that at
some point, that could go like Mount St. Helens did 20-some odd years
ago. It’s also been discovered that we are pretty much sitting on two
different, if not more, earthquake faults in the region. Being we’re
on the west coast, we’re subject to tsunamis. We have tsunami routes
put all over the place, and notwithstanding, just the normal battering
of storms coming in off the Alaska gulf affecting this region.
So as a consequence, when you start looking at that whole piece of
aspect, you look at local businesses that sit there and say, “Okay,
part of my business continuity plan or my disaster recovery plan for
my data centers,” which are populated all over the Puget Sound area,
here in the Pacific Northwest, if we should have an earthquake and our
data center becomes a smoking hole in the ground and we’re critical,
how do we end up recovering from that?
Well, oftentimes, the resources they have contracted are the ones that
the business down the highway also contracted with, so it gets to a
matter when you need a thousand servers and there’s only 500
available, and there are 20 people asking for those thousand, how do
you prioritize that? That’s one of the things that government can
help, if you would, negotiate, if you would, to make sure that those
things that are necessary for public safety and health and safety are
being dealt with first and then also, not ripping out the
underpinnings of our economic infrastructure, because somebody has a
higher priority. It’s a tough balance to do.
Dennis Fisher: Yeah, it’s got to be. Sure. All right, so you were
involved in the original national strategy to secure cyberspace, which
is several years old now. You’re also involved in the recent CSIS
report on cybersecurity for the Obama administration. There are a lot
of similarities between the two documents, both in terms of the
recommendations, as well as the people involved, honestly. Why do you
think that so many of the original recommendations in that national
strategy, which everybody seems to think are very valid
recommendations, still, sort of fell by the wayside and didn’t gain
traction the way everybody hoped they would?
Howard Schmidt: Once again, I think it’s a loss of focus. It’s one of
the things I’ve asked. There’s also another undertaking, a really
good effort by GAO, looking at this issue and a bunch of us, and once
again, probably the same people went and talked with them. My
question, and it continues to be, if you take the original national
strategies to secure cyberspace from February 14th, of 2003, and look
at that and look at the components of that, every one of those are
still valid; education and training, vulnerability reduction,
situation awareness and response capabilities. All those things are
there, but what happened is we never focused on executing on all those
things and going through and saying, “Yes, this is done. This is in
progress,” and therein lies us into another position where we are with
the recent report and many, many other reports that basically reaffirm
the same thing we said back in 2002-2003, but what we’ve not done is build
the mechanism and provide the resources to actually execute on getting
those things done.
Dennis Fisher: Not to turn this into a political discussion, but how
much of that do you think has to do with the fact that a lot of the
same resources at DHS and the Department of Defense that might have
been involved in that kind of effort, have been dedicated to
supporting the two wars that we’ve had going on, essentially since
that report came out just about the same time?
Howard Schmidt: Clearly, when you start looking at an issue of
prioritization, when people start looking at bombs going off in
someone’s backyard as opposed to they can’t connect to the internet, I
think there’s a clear decision on which way people are gonna go on
that. But once again, that goes back to my earlier comment that I
truly believe that we have the capacity and we have the resources to
multitask in this vein to say, yes, we can put the resource we need to
put into protecting people against kinetic things, such as bombs and
biochem hazards and things of this nature, while at that same time, we
can put the resources necessary to fixing some of the cybersecurity
issues.
Once again, many of us held and still continue to hold that it doesn’t
require ripping out an infrastructure and rebuilding things. It
requires a few things from a current perspective, like just doing what
needs to be done, making sure you’re doing vulnerability and
management, making sure that your users are not clicking on things
that they shouldn’t be, things that are just basically 101 security
for those of us in the business. We still have not institutionalized
the process to keep those things happening.
On the same token, you mentioned earlier about the vulnerabilities and
things, we should be building an infrastructure that, at some point,
we’re not gonna be running a piece of computer software on anything
that has not totally had a 360 degree vulnerability assessment, doing
source code analysis on the front end, doing black box and white box
testing on implementation, doing constant implementation and testing
once it’s integrated into the enterprise, but we’ve not done that
either; we’ve just sort of continued to move on with, “Okay, we’ll fix
this one, then we’ll move on to fix the next thing,” as opposed to
looking at this from a very proactive perspective as, “We don’t want
to let these bad things happen.”
Dennis Fisher: All right, so to wrap all this up, if we get together
and do this again, say, a year from now, what would you hope that the
cybersecurity advisor, assuming we have one sometime soon, will have
accomplished in that time? Are there two or three top priorities that
you’d really like to see checked off the list?
Howard Schmidt: Clearly, I think there is one on the government side
that the government systems, indeed, there is a definite
implementation of better security procedures across the government.
It goes from two-factor authentication to vulnerability assessment and
management and risk management, clearly, across the breadth of the
government, from the defense side, all the way down to some of the
civilian agencies to make sure that that is fully implemented and that
we can have trust and reliance on the government systems, not only
that they’re operational, but they’re also free from being affected by
new nation states or any other rogue country that’s looking to do us
harm.
The second thing is to have a clear assessment of where private
industry is on its capability to prevent and, if necessary, recover
from any sort of an incident that we may have, whether it’s a
widespread distributed denial-of-service attack or it’s some sort of a
zero-day vulnerability that we might have to recover from.
The third thing is clearly having a forward path to make sure that we
don’t relive the sins of the past the way we roll out infrastructure,
“Let’s build it, let’s get it out there and we’ll fix it later on.”
That’s not the right way to do things. We have to have a clear path
going forward to make sure that we’re implementing all the solutions,
both of hardware and software, where, once again, we’re not putting
things out there with vulnerabilities, that we’re making an investment
in the professionals that are running and operating these systems,
that we’re investing in the training of those that are actually
designing, engineering and building these systems and then we have an
operational path to make sure that once we come up with a secure
system that we wind up being able to maintain it that way. And all
those things we do, while still preserving privacy, while still
preserving all the rich capabilities that technology gives us today,
that’s what I’d like to see done.
Dennis Fisher: That’s a pretty good list. Honestly, I’d probably be
happy with one of those in the next year, but if we could get all of
them, that would be fantastic.
Howard Schmidt: Yeah, I think we can, because I think those are things
that would be done in parallel with each other and I think getting
this done right, I think we can do it.
Dennis Fisher: All right. Howard thanks so much for your time. I
really appreciate it and I’d love to have you on again in a few months
down the road when maybe we have a little better perspective of what’s
going on in D.C.
Howard Schmidt: Always good to talk with you. It’s my pleasure.