At first glance, the selection of Howard A. Schmidt as the White House Cybersecurity Coordinator looks like little more than a safe and easy choice designed to quiet the critics who for seven months have been howling for action from the Obama administration. But a closer look shows that Schmidt’s appointment may in fact be a milestone in the government’s handling of information security issues.
Schmidt is a member of the generation of security experts who had full and varied careers before they ever got involved in information security. He was in the Air Force, served in Vietnam and then went on to a career in law enforcement as a city police officer, and later as a member of the FBI’s national Drug Intelligence Center. He also helped start the Air Force’s computer forensics lab, kick-starting the federal government’s forensics program.
But Schmidt is best known for his roles at Microsoft and the White House during George W. Bush’s first term. He was Microsoft’s CSO in the late 1990s and early 2000s and was a key player in the establishment of the company’s Trustworthy Computing group, a program that has become a central part of the way Microsoft operates. And as vice chairman of the President’s Critical Infrastructure Protection Board he was intimately involved in the creation of the National Strategy to Secure Cyber Space, Bush’s first stab at creating an overarching policy on security. Many of the recommendations and policy guidelines in that plan are still valid today, but almost nothing in the strategy was ever implemented, thanks to a constantly changing set of priorities, chaos at the leadership level and an almost complete lack of interest in the issue from Washington in Bush’s last term.
So Schmidt certainly has the qualifications, the background and the knowledge to fill the role as Obama’s top adviser on information security issues. But that’s not really what’s important here. The real question is whether Obama or anyone else in Washington will listen to what Schmidt has to say.
Much has been made of the vagueness of the coordinator’s job description, the fact that the person would have dual masters in the National Security Council and the National Economic Council and would be a couple of layers removed from Obama himself. But a close reading of the White House announcement shows that Schmidt will be a member of the NSC but apparently won’t have to report to the NEC. That’s a major concession, and one that should allow him to focus his attention more narrowly.
The cynical view in the security community is that Schmidt was a fall-back, a recognizable name hired to create the illusion of action. But the reality is that outside of the insular information security and Beltway circles, few people have ever heard of Schmidt. The average home user doesn’t know his background and wouldn’t have cared if Obama had appointed Howard Zinn or Michael Howard or Juwan Howard. They’re simply interested in having someone fix the Internet.
And while it’s a little late for that, Schmidt has been down this road before. Having served as a member of Bush’s advisory staff, he knows all too well what the challenges, obstacles and pitfalls are. He knows he’ll have to work largely without a net, having no budgetary authority to use as a hammer. He knows he’ll have to get all of the infosec staffs in the federal government pointed in the same direction. He knows he’ll have to work with key players in the private sector and law enforcement to address the cybercrime epidemic. He’s spent much of his career in the public sector and knows how government works (and doesn’t work).
He knows all of this, and yet he still took the job.
It seems highly unlikely that he would have done so if he thought he was being set up to fail. Schmidt has had plenty of time to think about the position, what it entails, whether there’s a decent chance of succeeding and, if there is, what success would look like. If Obama defies all governmental tendencies and gives Schmidt the resources and authority to make some changes, he may actually stand a chance. Now we’ll have to wait and see whether he can deliver.