Howard Schmidt has been involved in just about every aspect of the security industry during his career. After stints in the Air Force and at Microsoft, he served as a cybersecurity adviser to George W. Bush. Now, after heading back to the private sector for several years, he’s been appointed to serve as President Obama’s security adviser.
In this podcast interview, done before Schmidt was appointed to the Obama administration, Dennis Fisher talks with Schmidt about his career and what the priorities should be for the cybersecurity czar.
Dennis Fisher: My guest today is my friend, Howard Schmidt, who has had one of the more varied and interesting careers in the security industry over the last few decades. Howard spent some time at both the FBI and as a supervisory special agent in the Air Force’s Office of Special Investigations, where he helped create the government’s first computer forensics lab. He also served as a CSO at Microsoft, where he helped establish the company’s Trustworthy Computing group. But the most important roles for the purposes of what we’re gonna talk about today is Howard’s time as vice-chair and later, chair, of the President’s Critical Infrastructure Protection Board and his work with the Department of Homeland Security.
Sorry I couldn’t give you a better introduction than that, Howard. That’s all I had for you.
Howard Schmidt: Well, Dennis thanks. I appreciate that.
Dennis Fisher: I left out about half of what you’ve done, but we can point people to your bio later. I don’t have time to read it all.
Howard Schmidt: No problem at all.
Dennis Fisher: All right, so the timing of this is good, I think. I’ve been trying to get you on for about a month, but you travel about 99 percent of your life. We’re recording this the day before we’re supposed to hear from the president on whether there’s gonna be a new cybersecurity czar position created, get the details of the 60-day review of federal cybersecurity, and maybe even name somebody to the cybersecurity job. I’m not sure about that part.
You served in a similar position as we’re hearing what this is gonna be, during the Bush administration, so you’re the right guy to ask this question of. Do you think there is a definitive need for a single leader on this issue, whatever the job title turns out to be?
Howard Schmidt: Well, as far as having a single leader in this area, I think we need to have a single strategy. Now that’s not necessarily saying that responsibility lies with one person, but it’s like a football team. You’d have to have a quarterback, and in this case, someone who is going to coordinate the activities that are so multifaceted. I’m sure we’ll get to that in a few moments. Have someone sit there and make sure that things are progressing as they should is very beneficial.
Now whether that sits in the White House or one of the other departments is – people have pros and cons against all aspects of it, but I think the essence of having a leadership role that does coordination and ensures that things are being executed as planned, is something, I think, is long overdue.
Dennis Fisher: And does that role – you mentioned the White House or whether it’s in some other federal agency, it’s been at DHS for a long time now – does that role need to be operational or should it just be a supervisory role, like you said, to coordinate activities among the federal agencies?
Howard Schmidt: Well, clearly, it’s a White House position and the White House is not operational. The White House is about policy and the whole executive branch in that respect, so in that case, it would be more of a coordinating role and a policy establishment role. This is one of the things that really makes this challenging, because there are so many different aspects of this.
Clearly, when it comes to security of government systems, we’ve seen changes over FISMA the past few years. We’ve seen some really good moves by the Office of Management and Budget in the past, taking forward some things that really need to be done on secure desktop configurations and things that should help the government agencies, themselves, become more secure. But this whole issue about cybersecurity and critical infrastructure protection and the fact that, early on, the president declared that the information critical infrastructure is a critical national asset. That puts it in a different perspective than just keeping the government systems secure, which, obviously, this position has got to go beyond that.
Dennis Fisher: Right. Yeah, that elevates it to another level within the country’s infrastructure and it seems like that position needs to have some real authority behind it, whether it’s statutory authority or it’s just organizational authority, as in whoever it turns out to be is a member of the National Security Council and reports directly up the chain to the president. That was the case when you had the position; it was part of the White House. Do you think that’s the best spot for it in the government org chart right now?
Howard Schmidt: Well, I think a lot of it depends on the person as well, because when you start looking at placement of a position that is so broad – for example, a lot of people – I mentioned a few minutes ago that I’ve been doing a series of executive luncheon briefings around the world recently and the question that comes up often is, “What is a skill set?” Well, when you start breaking this down into what are the key areas, clearly, you’ve got a defense, from the Department of Defense role that people really have to understand and be able to work with.
There’s an intelligence role that goes from an economic espionage, all the way up to a state intelligence issue. You’ve got a private sector component in there, and particularly, with the economic world that we’re in today, we have to do more, but also not break the bank in doing it, because we do have some instability issues on the economic front and, basically, this plays a lot into everything from online ecommerce to expenditure funds for updating and creating new ICT systems.
Add on the top of that the cybercrime or the law enforcement perspective, not only the federal level, but state and local and international level and then one other layer on top of that, when you look at the international component of the ICT systems and all the interdependencies we’ve had with countries and, in many cases, are our friends and allies, but in other case, that also have access to the same resources that are not basically doing things in our best interest.
So when you start looking at the person, the ability to understand that broad swath of things, to be able to take input from different areas, analyze that input and make decisions that are gonna help facilitate the people that have the operational responsibility; that’s gonna be a really interesting skill set to try to pull out of this.
Dennis Fisher: Right, and that’s something I wanted to get to, too. You just described a very comprehensive set of skills that this person needs to have. It’s gonna be pretty tough to find one person with that broad range of skills. How do you prioritize if you can’t find the one person who has all of that? What do you really look for in terms – is it more important that that person have good relationships throughout the security community and government as well, or is it more important to have a technical background? How do you go about finding that?
Howard Schmidt: I think, like anything else, and it’s funny, because one of the things you always hear from a management versus a technology perspective is the technology folks often say, “You really have to understand the technology to be able to manage this.” And on the other hand, you have the management school folks who say, “Listen, a good manager can manage anything.”
I think in this case, it comes somewhere in between. I think you can find people with a balance of technical understanding of security, because one of the biggest fears that some of us have had, and I’ll give you a real live example – years and years in the past, we used to struggle to convince management that information security or cybersecurity, whatever you want to call it, was a priority and was a business imperative. So what happened is – and this happened to me personally – I finally convinced one of the other vice presidents that this was a big issue, and then three or four times a day, I would get an email that says, “Oh, there’s a new virus that came out today. What’s being done about this?”
So it got to the point where there was such a heightened level of sensitivity, there wasn’t any practical application of what’s really a risk and what’s not a risk. So it was a consequence, in this case, having some understanding of it, but also, in a measured way that you understand that not every new virus, not every web defacement is a crisis that’s gonna affect billions of dollars or people’s homes losing electricity or airplanes falling out of the sky, to really understand that this is important, but understand it in a measured manner, so it’s done is a risk practical perspective.
At the same token, having the organizational skills to go ahead and be somewhat of a diplomat, sit there with people with competing equities, people of organizations that have different priorities by nature of their mission that’s assigned to them or because of their personal understanding, to be able to sit there and get everybody pulling the same direction and doing so to the benefits, the government in the first case.
When you start looking at the prioritization, I think one of the things that’s important is understand about what it takes to secure a government systems first and foremost, because those are the ones that the government has direct control over.
The second thing is the ability to understand that international framework – what are the agreements that we have for using IP-based and net protocol-based technologies worldwide? What are the capabilities? There’s been a discussion in one of the recent bills about having the poison pill or the kill pill or a kill switch, whatever you want to call it that says to be able to shut people off. Well, you should be thinking about that without thinking all the unintended consequences of that, not only from a financial perspective, but also just from an international relationship perspective. So that’s got to be another one of the high priorities to look at. So I’d say if you’re looking to stack rank them, you look at the ability to understand securing government systems from a technology, as well as a policy perspective, as well as the international framework. Those are things that I think are pretty healthy.
Dennis Fisher: Okay, and there are some good people within the government who have been working on those issues, using the government’s purchasing power to put some pressure on vendors, like Microsoft and Oracle and others, to really come up with some more secure applications, some more secure configurations for government systems in the past few years. Do you see that being expanded in the near future as the Obama administration really takes hold of this issue?
Howard Schmidt: I absolutely do, and I’m glad you brought up about the good people out there, because right now, one of the limitations has not been the quality of the people, but the support and the resources they have available to them. As I look at people who have been doing the job in the government, particularly since I left, or people that, I think, as you’re aware, I’m still a computer crime investigator with the Army Reserves at the Criminal Investigation Division at Fort Belvoir. When I look at the folks there, they eat, live, breathe and sleep this, everything from network investigations to vulnerability assessments to forensics stuff.
These are hard-working, dedicated people that are working as hard as they can, using every resource they’ve got available to them, but unfortunately, the resources have not been there in the past. There’s been this faulted idea that everything else is a – this is a priority, but everything else is a bigger priority. I think we finally realized, and I think there’s probably a good track to say, “Yeah, this is a good opportunity to have multiple priorities across different things, whether it’s physical security, whether it’s antiterrorism, all these other things. We can do more than one thing at a time. So by giving the dedicated people that are in government now the resources to do it, we can go a long way to help, indeed, reduce the risk that we have of having any dramatic effect from attacks on our systems.
Dennis Fisher: Okay. You mentioned cybercrime just there and a little earlier. We’ve heard a lot from the administration about cybersecurity, in general, which, I think; everybody takes to mean locking down the critical infrastructure, defending the countries networks, that sort of thing. We haven’t heard as much, at least publicly, about better cybercrime laws, more cooperation with international authorities, that sort of thing. What are you thoughts on the state of things right now, in terms of cybercrime investigations and prosecutions and where things should go?
Howard Schmidt: Well, that’s one of the, I think, good new stories we’ve had. We’ve got a guy over at the FBI, at the deputy director level, Shawn Henry, that has grown up in the ranks as a computer crime investigator, a good manager, a good executive that’s leading that effort over there. We’re starting to see a lot of the international things, the G8 subcommittee on cybercrime. I was just back over with the counselor of Europe on the Council of Europe’s Cybercrime Treaty. We’re getting a lot more visibility in that.
As a matter of fact, that meeting over there a couple months ago, I think was the fifth annual meeting and, clearly, there were hundreds and hundreds of people there, ranging from Nigeria to Canada to the U.K. So there was a tremendous amount of support from the international perspective.
The challenge, though, we have in the law enforcement perspective is, once again, there’s way too much of the criminal activity going on for anybody to deal with. I try to translate that into my previous life, working in gang investigations and drug cases and stuff, and it seemed like there was never an end to this. But in our case, in particular, in the cybercrime area, while there are way too many cases for law enforcement, internationally, to be able to deal with, there is a light at the end of the tunnel, and that’s us doing a better job securing these systems for people not becoming a victim of credit card fraud, identity theft, hacking, intellectual property theft – you name the litany of things.
By using some good protection techniques, we can actually start to reduce that. We’ve seen some pieces of that take place. I’ll talk about that in a moment. But we can start reducing some of the criminal activity and then once you start reducing that, then the limited resources we have in law enforcement, which are better trained and better equipped than they’ve ever been in the past, then they can focus on the most egregious offenders, which really sends a message through the criminal community that said, “Yeah, you’re not always gonna get away with this,” like people seem to think they can now.
Dennis Fisher: Yeah, everybody does seem to have that impression that this is a very low-risk criminal activity. It’s not breaking into cars or even running drugs. It’s pretty low-risk when you look at the number of prosecutions we see, especially in the U.S. compared to the amount of crime that’s going on out there.
Howard Schmidt: That’s correct, and the interesting piece about it is it doesn’t necessarily have to be off the scale. In other words, there is a question that I’ll ask some audiences that I speak to once in a while. At the most recent one, there were 150-200 people in the audience, and I asked how many of them would report it to the police if someone stole $1.00 from them or $5.00 or $10.00. People didn’t start raising their hand until you got to $50.00 or $100.00. That’s what the criminals depend on. So instead of stealing $10,000.00 from someone, they’ll steal $1.00 from 10,000 people, with the concept that they still get the end result. The criminals still get $10,000.00, but nobody is going to go crying to about it. And that’s how a lot of them will fundamentally work.
Dennis Fisher: Right and its working pretty well for them.
Howard Schmidt: Correct.
Dennis Fisher: At least up until now, yeah. Okay, let me get your thoughts on this. I wrote a column yesterday making the case that the first priority for the new cybersecurity czar, whatever the job turns out to be, should be building a strong relationship with the key people and organizations in the private sector to bring that bond back. Why has that been such a difficult task in the past for the people who have had that job?
Howard Schmidt: Well, I don’t think it’s been a difficult task unto itself, but what happens, people keep moving the deck chairs around all the time. Once you have a relationship established with someone, it takes a while to build up trust, whether it’s government to private, private to government, government to government or private to private. It takes time to build up those relationships.
Then when you have people moving out every year or two, then you’re rearranging things, which is one of the things that I think when you start looking at that heavily overused term of “private/public partnerships,” when you start looking at this sort of a thing, I think a lot in the private sector said, “Listen, we’re not gonna sit around waiting for government to do something. We’ve got to do things on our own.” That’s why you see a lot of the activity going on, Microsoft with their End to End Trust program, Oracle, with some of the security programs they’ve got. You see a lot of private industry critical infrastructure owners and operators saying, “Well, we get the message. We understand that we’ve got to do things differently. We’re gonna put a higher priority on security.”
Some of it’s based on just pure overarching governance requirements. Others are then looking at issues about, “Okay, well, now I’ve got to be compliant, whether it’s PCI, whether I’ve got to do some of these other things, but there is a tremendous amount of effort within private industry, just to become more secure and on top of it, customers are demanding it. So as a consequence, when you start looking at that public/private relationship that’s been going on, I think there’s less of a dependency on private sector looking to the government for leadership, than I think there ever has been in the past, because I think private industry gets it and, like I said, with the changing people, not knowing who to talk to from one day to the next, industry says, “Well, we’re gonna go and make things happen on our own.”
Dennis Fisher: Yeah, and they’ve been doing that to a large degree, but it still seems to me that the vast majority – not vast majority, but the large portion of the expertise in cybersecurity lies in the private sector. So doesn’t it benefit both sides if there’s a strong relationship there and they can communicate openly about, “Okay, we’re seeing this threat inside government networks. Have you guys seen this before? What have you done about it? How should we go about defending against it?”
Howard Schmidt: Yeah, and I think to some level, you’re correct that there’s a greater level of expertise in private industry, but that’s at a different level. I’ll give you an example. Within the government now and one of the really great programs that has been established is the Scholarship for Service Program. Another one, Cybercore, is one of the terms, a joint effort between NSA and National Science Foundation and Homeland Security to make sure that we have the next generation of information security or cybersecurity experts going through the universities now in dedicated courses in information security and information insurance.
I forget, I work close, if not over 100 universities participate in that. When their students graduate, they go into the government right away. Now some of the universities that I teach at, such as Georgia Tech and Idaho State University, our Scholarship for Service programs, as soon as they get done, they’re going in government, fairly high-level positions as security experts.
So the expertise is there on a technical level and, once again, as their careers move on, you’ll start seeing some balance in there of those that have, in private sector, which not only have the technical confidence, but also have the management and leadership competencies. You’ll start to see that in government as these scholarships for students are working their way through the government ranks.
Dennis Fisher: Yeah, I love that idea. I think it’s terrific. It’s a great program. But how long do you expect or how many of those graduates do you expect to stay in government service for the long term?
Howard Schmidt: It’s an excellent question. I remember a few years ago, I was testifying up on the hill and one of the congressmen asked me that very question, “We get these people to come in. They spend some period of time in the government, but obviously, the money’s better in the outside. The work elements, oftentimes, were better, so as a consequence, how do you retain these people?”
My response, basically, to you as it was to him at that point. I don’t think it’s necessarily bad for them to come in and spend two years, four years or six years. There are gonna be some people atha are just civil service oriented, if you would, that like public service and will stay there through their entire career, which is good for the longevity of those in that business, but on the same token, we start looking at the interdependencies between the private critical infrastructure and the government’s systems.
I really like the concept that somebody spend a few years working for the Department of the Defense or working for the FBI or working for Homeland Security, gets the understanding of the criticality of this and then come back and transfer that into the private sector. I think that makes both the private industry and public service or public sector much stronger. So I think it’s a good thing to have that cross-fertilization and having been a participant myself most of my career, I find that to be particularly rewarding, because it gives you a lot of different perspectives that you wouldn’t have staying in one sector or another.
Dennis Fisher: Yeah, that’s a great point. And the other thing I would guess is that if you’re one of these kids who goes and spends four or five years in government service and then goes to work in the industry, all of a sudden, you’ve got this big network of contacts inside the government who you can talk to when you have a problem or they can call you when they have something that they need to talk to you about.
Howard Schmidt: You’re absolutely correct, and that’s one of the things that when you start looking at where the rubber meets the road and where things really get done. We can have all the greatest policies in the world and all the committees and all these other things, but when you have an individual in either government or private sector, pick up the phone and call someone that they went to university with, that they’ve worked with in government or private sectors, and says, “Hey, I’m seeing this really anonymous activity on this particular port. Are you guys seeing that?” “Yeah, we are.” Well, that solves problems and that’s what this is all about.
Dennis Fisher: Yeah, and you would know this having spent a lot of time in law enforcement. That’s how things get done in the law enforcement community.
Howard Schmidt: Absolutely correct.
Dennis Fisher: There’s some guy that you worked with once at the FBI and you know you can call him and say, “Listen, we have this problem. Can you help?”
Howard Schmidt: Absolutely correct. And those are lifelong relationships, too. They aren’t something that just because this person is no longer in this particular job, you no longer have access to them. By the way, one of the things, and just changing the topic just a little bit, when you start looking at some of the social networking tools that are out there today, people oftentimes think about, “Oh, yeah, these are college students doing this,” or “My granddaughter is doing these things.” Well, those same resources are available to all of us, from security, private sector, public sector, law enforcement, and we use them all the time. There’s not a week that goes by that there’s not a former colleague either in private sector or government or law enforcement that doesn’t pop and say, “Hey, I saw your profile here. I want to make sure we’re connected.’ And the next thing you know, I may get a call, “By the way, I’m working this case. What do you know about this?” Those things make it even better as far as the longevity and the ability to stay in contact.
Dennis Fisher: Yeah, I completely agree. Let me ask you about the ISACs, because you were involved in the beginning of the IT-ISACs. How active are the ISACs, in general, right now, and do you think that there is a need to maybe not replace them, but reinvigorate them at this point.
Howard Schmidt: It’s a really good point, because the ISACs, in the very beginning, were born, I think, born, in a lot of cases, and I can speak for the IT-ISAC, when we founded that, it was based on recommendation that government people or private sector organizing amongst ourselves, not necessarily share information with the government, which was desirable, but to share information with each other. That, once again, established some longtime formal bonds between, often, many cases, competitors in this space, to bring this to the table, to share information and do that.
So I think for the most part, and we have some ups and downs in any organization you might imagine, but for the most part, that has become institutionalized, that no longer will you see something new hit the horizon that takes everyone by surprise, except for one company, because people are inclined to share with each other.
By the same token, I think what has happened now is there are so many people that are paying attention to cybersecurity, critical infrastructure protection, that there is this underlying feeling that, “I know how to do this already. I don’t need to be a part of a bigger organization.” So when you talk about trying to bring up the example of ISACs, that’s one of the things to show, that there is much, much greater strength in numbers than people going it alone. I think that’s one of the things that could be helped to be emphasized.
The other thing is making sure that the information is relevant. That’s one of the things that I think many of use would challenge today and for lack of a better word, I’ll call it “information overload.” New vulnerability pops up. A new question about something pops up. I’m getting an email from 10 or 12 different sources in one day, whether it’s serv, whether it’s some sort of a listserv that I’m on, whether it’s through an ISAC publication, InfoGuard. There are a lot of sources of information out there now that are circulating, which we didn’t have back in the days when we used to perform the ISACs. We didn’t have that public communication that was out there, so as a consequence, trying to consolidate that through the ISACs would be very helpful to make it relevant and timely.
Once again, I was recently talking with somebody and we were lamenting the fact that some of the recent things you hear or you get a piece of correspondence from some – in this case, we were talking about a particular government agency – that we got the communication from the government agency three days after CNN had fully covered it. So these are the sort of things, keeping it active and vibrant. It’s got to be timely and relevant to what people’s needs are.
Dennis Fisher: Right. Yeah, that’s a great point. Getting back to the critical infrastructure piece of this for a minute, we always hear that the majority of the critical infrastructure is owned by the private sector in various forms. How much of a role do you think the government should have in helping to secure that part of the infrastructure, whether it’s through just help in providing resources and expertise or through regulation and mandates?
Howard Schmidt: I think for the first and probably the most important part is that government has got to help assess what really is important and what’s not important. An example I like to use – I live on a remote mountain about 30 miles east of Seattle. Because of the nature of the west coast and the weather and stuff, we wind up losing power up here at least a half a dozen or so times through the course of the winter.
So to me, critical infrastructure means a generator and enough gas to last me for a day or two. But then you start going into the city down here, which is less than 30,000 population, you start looking at that, well, that takes a whole different picture when power is out for a few days, because people can’t go grocery shopping. They can’t get fuel. As recent as a couple years ago, in order to get a mobile phone signal, you had to drive for an hour north of here, because the towers were out, because the power outage was out. They took up all the fuel with their backup generators, so we started to lose that aspect of it.
So it takes a different component, but I think the government’s key role is to assess what the risks are. Once the risks have been identified, what are the capabilities that private sector has to respond to these things? What I’ve seen, particularly during my time at the White House, you look in the aftermath of September 11th, with a telecom company, their ability to go out there and recreate an infrastructure, get the stock market back up and running in a relatively short period of time, to have telecommunications available for mobile phones and stuff. That was just phenomenal. So it’s clear that some sectors are quite prepared and probably more so than the government, in some cases, to be able to deal with these sort of things.
But there should be an assessment and a baseline expectation that during whatever the incident may be, here’s what we have the ability to respond to. Now once that determination is met, where that is, then it’s up to the government to decide, “Is that sufficient for us to do public safety and the protection of people and property?” Now if that delta is above what the private sector capabilities are, then the government has to make a couple of decisions. One, how do we get it to the level we need it to get. Will it, indeed, create some sort of incentive by we give private sector or provide some funding to private sector to develop the extra capabilities or is it the type of thing where we encourage private sector to do it as part of a business plan where as they increase resources out to a certain segment of the population, something they would do automatically.
And then the other aspect of that, once we move forward, what role should government start to look at regulation if, indeed, the market can’t do what it needs to do.
Dennis Fisher: Do you find that the industries, think about, maybe, utilities, power companies, water companies; do they resent the government getting involved in what they’re trying to do in terms of securing their own networks?
Howard Schmidt: I don’t know that I’d say, “resent.” I think there’s concern. More than one person has told me, “How can the government tell me what to do when they can’t even secure their own stuff?” Then you start getting into – and many people don’t realize that there is not the one power company that looks after the entire country. There’s not the one water treatment facility. We’re talking about literally thousands and thousands of these organizations of all different levels.
Some local water cooperative here where I’m at may be just a few hundred homes in a subdivision and its run by a water cooperative there. So all these things are not made the same. Also, not only are they not made the same, but various government entities have regulatory controls over them at the very local public utilities commission, within a particular town, village, city or county. So when you start looking at how do we deal with this, how do wind end up dealing – and competitive, because some of these things, of course, are for-profit organizations? How do we wind up getting the information needed by government to identify if resources are enough without impacting the proprietary and, oftentimes, competitive things that these companies need to do?
I wouldn’t say they resent it. What they oftentimes don’t care for is what they feel might be intrusive in their ability to run their business the way they need to run it, to do the same job the government wants them to do anyway and that’s provide the critical infrastructure that people need.
Dennis Fisher: Yeah, that’s true. You mentioned that there’s literally a network of thousands of these cooperatives and small companies all over North America, really, running the utilities. One small mistake or one small incident at one of these could have a cascading effect, as we saw with that blackout in the Northeast about three or four years ago now that affected New York.
Howard Schmidt: And therein lies the key issue when you start looking at the assessment by the government, and I don’t know that we’ve done this good yet. We’ve talked about it from the days I was in the government, and that’s sort of identifying what are the critical independencies that one would have? A classic example is, and I’ll use this region up here in the Pacific Northwest, where we have Mt. Rainer, which the experts say that’s still an active volcano, that at some point, that could go like Mount St. Helens did 20-some odd years ago. It’s also been discovered that we are pretty much sitting on two different, if not more, earthquake faults in the region. Being we’re on the west coast, we’re subject to tsunamis. We have tsunami routes put all over the place, and notwithstanding, just the normal battering of storms coming in off the Alaska gulf affecting this region.
So as a consequence, when you start looking at that whole piece of aspect, you look at local businesses that sit there and say, “Okay, part of my business continuity plan or my disaster recovery plan for my data centers,” which are populated all over the Puget Sound area, here in the Pacific Northwest, if we should have an earthquake and our data center becomes a smoking hole in the ground and we’re critical, how do we end up recovering from that?
Well, oftentimes, the resources they have contracted are the ones that the business down the highway also contracted with, so it gets to a matter when you need a thousand servers and there’s only 500 available, and there are 20 people asking for those thousand, how do you prioritize that? That’s one of the things that government can help, if you would, negotiate, if you would, to make sure that those things that are necessary for public safety and health and safety are being dealt with first and then also, not ripping out the underpinnings of our economic infrastructure, because somebody has a higher priority. It’s a tough balance to do.
Dennis Fisher: Yeah, it’s got to be. Sure. All right, so you were involved in the original national strategy to secure cyberspace, which is several years old now. You’re also involved in the recent CSIS report on cybersecurity for the Obama administration. There are a lot of similarities between the two documents, both in terms of the recommendations, as well as the people involved, honestly. Why do you think that so many of the original recommendations in that national strategy, which everybody seems to think are very valid recommendations, still, sort of fell by the wayside and didn’t gain traction the way everybody hoped they would?
Howard Schmidt: Once again, I think it’s a loss of focus. It’s one of the things I’ve asked. There’s also another undertaking, a really good effort by GAO, looking at this issue and a bunch of us, and once again, probably the same people went and talked with them. My question, and it continues to be, if you take the original national strategies to secure cyberspace from February 14th, of 2003, and look at that and look at the components of that, every one of those are still valid; education and training, vulnerability reduction, situation awareness and response capabilities. All those things are there, but what happened is we never focused on executing on all those things and going through and saying, “Yes, this is done. This is in progress,” and therein lies us into another position where we are with the recent report and many, many other reports that basically reaffirm the same thing we said back in 2002-2003, but we’ve not done is build the mechanism and provide the resources to actually execute on getting those things done.
Dennis Fisher: Not to turn this into a political discussion, but how much of that do you think has to do with the fact that a lot of the same resources at DHS and the Department of Defense that might have been involved in that kind of effort, have been dedicated to supporting the two wars that we’ve had going on, essentially since that report came out just about the same time?
Howard Schmidt: Clearly, when you start looking at an issue of prioritization, when people start looking at bombs going off in someone’s backyard as opposed to they can’t connect to the internet, I think there’s a clear decision on which way people are gonna go on that. But once again, that goes back to my earlier comment that I truly believe that we have the capacity and we have the resources to multitask in this vein to say, yes, we can put the resource we need to put into protecting people against kinetic things, such as bombs and biochem hazards and things of this nature, while at that same time, we can put the resources necessary to fixing some of the cybersecurity issues.
Once again, many of us held and still continue to hold that it doesn’t require ripping out an infrastructure and rebuilding things. It requires a few things from a current perspective, like just doing what needs to be done, making sure you’re doing vulnerability and management, making sure that your users are not clicking on things that they shouldn’t be, things that are just basically 101 security for those of us in the business. We still have not institutionalized the process to keep those things happen.
On the same token, you mentioned earlier about the vulnerabilities and things, we should be building an infrastructure that, at some point, we’re not gonna be running a piece of computer software on anything that has not totally had a 360 degree vulnerability assessment, doing source code analysis on the front end, doing black box and white box testing on implementation, doing constant implementation and testing once it’s integrated into the enterprise, but we’ve not done that either; we’ve just sort of continued to move on with, “Okay, we’ll fix this one, then we’ll move on to fix the next thing,” as opposed to looking at this from a very proactive perspective as, “We don’t want to let these bad things happen.”
Dennis Fisher: All right, so to wrap all this up, if we get together and do this again, say, a year from now, what would you hope that the cybersecurity advisor, assuming we have one sometime soon, will have accomplished in that time? Are there two or three top priorities that you’d really like to see checked off the list?
Howard Schmidt: Clearly, I think there is one on the government side that the government systems, indeed, there is a definite implementation of better security procedures across the government. It goes from two-factor authentication to vulnerability assessment and management and risk management, clearly, across the breadth of the government, from the defense side, all the way down to some of the civilian agencies to make sure that that is fully implemented and that we can have trust and reliance on the government systems, not only that they’re operational, but they’re also free from being affected by new nation states or any other rogue country that’s looking to do us harm.
The second thing is to have a clear assessment of where private industry is on its capability to prevent and, if necessary, recover from any sort of an incident that we may have, whether it’s a widespread distributed denial-of-service attack or it’s some sort of a zero-day vulnerability that we might have to recover from.
The third thing is clearly having a forward path to make sure that we don’t relive the sins of the past the way we roll out infrastructure, “Let’s build it, let’s get it out there and we’ll fix it later on.” That’s not the right way to do things. We have to have a clear path going forward to make sure that we’re implementing all the solutions, both of hardware and software, where, once again, we’re not putting things out there with vulnerabilities, that we’re making an investment in the professionals that are running and operating these systems, that we’re investing in the training of those that are actually designing, engineering and building these systems and then we have an operational path to make sure that once we come up with a secure system that we wind up being able to maintain it that way. And all those things we do, while still preserving privacy, while still preserving all the rich capabilities that technology gives us today, that’s what I’d like to see done.
Dennis Fisher: That’s a pretty good list. Honestly, I’d probably be happy with one of those in the next year, but if we could get all of them, that would be fantastic.
Howard Schmidt: Yeah, I think we can, because I think those are things that would be done in parallel with each other and I think getting this done right, I think we can do it.
Dennis Fisher: All right. Howard thanks so much for your time. I really appreciate it and I’d love to have you on again in a few months down the road when maybe we have a little better perspective of what’s going on in D.C.
Howard Schmidt: Always good to talk with you. It’s my pleasure.
This is an edited transcript of a podcast with Howard Schmidt.