This is the first part of a two-part Threatpost interview with Howard Schmidt, White House cybersecurity coordinator, about the challenges of international cooperation, the proliferation of cybercrime and what can be done to address those issues. Look for part two tomorrow.
The Obama administration has been making quite a few moves of late in regard to information security and working with other nations to help reduce the level of online crime and develop some norms for online behavior and rights. The release of the International Strategy for Cyberspace and a security legislation package form the framework of what the U.S. is hoping to accomplish. Threatpost editor Dennis Fisher spoke recently with Howard Schmidt, the White House cybersecurity coordinator, about the challenges of international cooperation, the proliferation of cybercrime and what can be done to address those issues.
Dennis Fisher: I was reading through the International Strategy for Cyberspace and the legislation package that you guys sent to Congress, and there’s a ton of really good stuff in there that was very interesting. And the thing that really caught my eye probably right up front was the whole notion of this cooperation among nations and how much that’s emphasized in the strategy and how much the U.S. is hoping to partner with other nations on all of these priorities. What kind of indications do you have and the administration have that the other nations in the world are interested in working with you on this?
Howard Schmidt: Yeah, well, we get tremendous indications. Matter of fact, when we had the rollout event here at the White House, we had ambassadors from a large number of countries that are based here in D.C. specifically, and the feedback that we had prior to that event, during the event and subsequent to the event that basically that they very truly believe that in order for us to have an environment for cyberspace where prosperity is sort of the big goal out there, but also maintaining security and openness is something that they all aspire to, irrespective of where they are on sort of the continuum of rolling out of technology and the dependency they have on that. At the same token, as you might imagine, this is not a new discussion that we’ve had on an international basis, but I think this, for the first time, sort of lays this out, tying all these together within that full range of cyberspace activities that gives our international colleagues out there that say, “Yeah, this fits this portion of our government. This fits another part. This fits the private sector.” So, it’s very, very much appreciated by others to have sort of this roadmap to where collectively so we can all benefit from it.
Dennis Fisher: And do you get the sense that other nations sort of look to the U.S. to take the lead on a lot of these things?
Howard Schmidt: Well, I don’t know that – I mean, some do because of the relationship and the fact that we’ve not only been using the technology, but we probably become more dependent on the technology than others have, but a lot of the other countries out there have tremendous capabilities. They’ve been thinking about this for a long time, but like us, there were small pieces. There was the security component of the government. There was the technology and innovation. There was a financial piece of it, and so we fully recognize it’ll be a bilateral learning environment for not only those of us who’ve been doing it for a long time, but those that have sort of emerged as great technology companies – or countries, excuse me, that recognize the tremendous capability cyberspace gives them, and we could even learn stuff from them.
Dennis Fisher: In that strategy for cyberspace, what do you think, you personally, are the two or three most important things that the U.S. can focus on right now and really make some progress with?
Howard Schmidt: I think the first one is looking at the issue about creating of norms in cyberspace when we look – once again, it’s sort of the key thing that I mentioned a moment ago about the prosperity, security and openness, that looking at the norms that we can all sort of get the benefit from this and minimize the downside that we’ve seen over time, the cybercriminals, the DDoS attacks, these sort of things, not only what countries should be doing, but also what they should be looking at when they – people are operating from within their borders, whether it’s a business or whether it’s people that are not meaning anybody any good, what actions can they take. Part of that is the Budapest convention, the Council of Europe Cybercrime convention sort of harmonizing the laws. That would be a big plus as we’ve seen with the U.K. moving forward even last week.
Dennis Fisher: I know some of this stuff has been in discussions between the U.S. and other countries for a long time in terms of trying to weed out some of the criminal elements in these countries, trying to get some prosecutions done, some cooperation. How do things stand right now in terms of getting prosecutorial cooperation from other countries as well as investigative help when it comes to cybercrime?
Howard Schmidt: I think there’s a couple things, one, that the infrastructure has to be in place in the countries for them to be able to be a part of this, making sure that the laws that they have in various countries are consistent, as I mentioned with the Budapest convention, so that’s sort of hurdle No. 1. Then, they have to have the technical ability within their law enforcement community to be able to deal with those sort of things. And there’s been a lot of training going on over the years, particularly on the broad issue of cybercrime, but as we very well know, that any type of crime today has some sort of a technical component to it, so making sure that they have the training necessary to do it. And then, the infrastructure there through the prosecution, the judicial system, the collection of forensic evidence and things is one of the things that we’re working with international partners.
And once again, that varies from country to country. The other piece is the part when we start looking at when it comes to the international perspectives are some of the treaties we have for things such as extradition and then the prioritization of some of the things that are going place. As we well know, there’s – any law enforcement agency has to deal with a number of different priorities, not only things related to cybercrime, and so how do you take limited resources and make sure that you’ve got the focus on the things that you can make a difference on? The other piece on this, and this is sort of where the big thing is working with our international partners, is to do more in what we refer to as cybercrime prevention. When you start looking at the number of people that can become victims in a number of resources, whether it’s cybercrime, whether it’s burglaries, whether it’s auto theft, there has gotta be a situation where we can help people reduce the likelihood they become a victim, whether that’s an individual, whether it’s a small, medium-sized business or even large enterprises.
And that, again, is a role that the law enforcement, the international community can help, and that’s helped propagate some of the best practices, so less likely somebody becomes a victim. Then, that gives you the ability with the limited resources to really focus on the bad actors out there.
Dennis Fisher: And how much of that trying to reduce – prevent cybercrime before it happens, how much of that will you be relying on the private sector and some of your partners inside the U.S. to help with?
Howard Schmidt: Yeah, well, the private sector in the prevention of crime is very key, and, once again, look at a continuum. The products that are created, whether it’s software or hardware, become more resistant to some of the things that we see out there, whether it’s phishing/spearphishing, whether it’s vulnerabilities in software and hardware where private sector has a lead role in being able to reduce that from taking place. The other piece, as when we look at some of the things like the National Cyber Security Alliance here in the U.S., we look at some of the other partnerships that take place in Australia, Canada, U.K. and how they work with the private sector, just even some of the messaging thing about how to protect your identity online. ENISA, the European Network Information Security Agency, has done a lot of really good work in what they call the AR Group, the Awareness Raising Group that puts together some best practices for consumers and businesses and everything.
So, working with the private sector is really key, because they can not only help build the technology that reduces the likelihood of becoming a victim, but they can also help spread the message with their customers.
This is the first part of a two-part interview with Schmidt. Look for part two tomorrow.