Howard Schmidt has been the White House cybersecurity coordinator for nearly 18 months now, and in that time has helped develop and shape the Obama administration’s policies and thinking on cybercrime, online privacy and cybersecurity. In the second part of a recent interview with Threatpost editor Dennis Fisher, Schmidt discusses the national data breach bill, using offensive weapons online and the prospects of the National Strategy for Trusted Identities in Cyberspace.
Dennis Fisher: Where do things stand right now in terms of getting a national data breach bill passed? How do you feel about the prospects of that happening sometime soon?
Howard Schmidt: Well, we feel very positive about it. As you know, that was part of the proposed legislation in having this national data breach, and it does a couple things. One, it really sets an environment where people would have a better understanding exactly what their rights are under a national law as opposed to where the data was hosted and some of the things that they have to try to identify themselves with the, I think, around 47 different data breach notification laws across the states, which basically have done a great job in helping to protect consumers, but it still is somewhat confusing because of the very nature of the technology and the way it works. The second piece of it, when we start looking at companies that have to deal with this, they – companies have become a victim, which then ultimately becomes a requirement to have data breach notifications of the end users.
They then can better understand what their responsibilities are, and, therefore, the consumers that are involved get better service as well. So, we think this is important. We put it in there, and we feel very confident it’ll move forward.
Dennis Fisher: Has the feedback from lawmakers been positive on that? I mean, there’s been a few other attempts at this from various congressmen over the years, but nothing has ever gotten done. So, do you think that they’re receptive to it?
Howard Schmidt: Yeah, it’s – the feedback we’ve got thus far is that I know that that was one of the things that’s been discussed, as you mentioned, a number of times up on the Hill, and by having the administration propose that this is one of the things that can help deal with some of the problems, I think that’s been warmly received up there.
Dennis Fisher: Getting back to the cyberspace strategy, one of the things that got a lot of attention in there was the section on defense and some of the assertions in there saying in so many words if the U.S. feels like somebody is attacking us, whether it’s online or however it is, we reserve the right to respond in kind, whether that’s with kinetic weapons, whatever it happens to be, cyber weapons. How do you think that that’s going to play out in the real world?
Howard Schmidt: Well, I think when we look at the military’s role, No. 1, first, the military, like any other large entity, has a tremendous dependency on the Internet and technology just to do its basic mission, and so when they look at their 21st century security challenges and their role and their commitment to defend citizens, allies and interests, that even is more extensible than anything else when it comes to the Internet itself. Now, when you start looking at sort of the full breadth of government activities that might take place, whether it’s diplomatic, whether it’s military, whether it’s economic, whether it’s some other sort of incentive and stuff like that, this is part of an overall view, the way things that take place. So, Department of Defense’s role is only one of the many roles that we have across the government, and not only our government, but other governments as well.
Dennis Fisher: Okay, so it’s just one piece of a larger strategy, and it’s something that needs to be considered?
Howard Schmidt: That’s absolutely correct.
Dennis Fisher: I’m sure that you’ve been following, as closely as you can, a lot of the stuff with WikiLeaks and Anonymous and some of these sort of loosely organized groups. How does the emergence of these kind of chaotic actors affect the way that you guys have to think about defensive measures as well as things like privacy and national security?
Howard Schmidt: Well, I think first, and that goes back to the earlier conversation we had – or the early part of the conversation a few minutes ago and talked about the prevention piece. When you start looking at anybody that’s looking to be disruptive online, in effect legitimate freedom of speech capabilities for people, looking at things that impact the ability for someone to conduct business or somebody to run their website and stuff, oftentimes that immediately rises to a level of criminal activity, and the rule of law has to apply in this, and I think not only domestically, but internationally as well. The other piece of it, and that goes specifically about if indeed the vulnerabilities did not exist that allowed people to take over in bot systems as we see to once the bot has taken place to be able to go ahead and create more bots out of a certain communication channel that people have. Reduce that likelihood and those sort of issues become less problematic, and it goes back to my earlier comment once again, if you can reduce the noise out there with the people that are just sorta spontaneously creating disruption, then you can really focus on the bad actors out there.
Dennis Fisher: So it’s part of a larger problem, but maybe not the biggest piece?
Howard Schmidt: That’s absolutely correct. When you start looking at the full breadth of things that are taking place out there, you look at the disruption piece that takes through with either success for attempted DDoS attacks. You look at the theft of intellectual property. You look at identity theft, credit card fraud. You look at the full myriad of things that are taking place out there, and this is one of them and one that basically we have to take seriously and, once again, use the rule of law, but also have to make sure that the abilities for someone to be successful in those sort of actions have been significantly minimized.
Dennis Fisher: How do you think the government can play a role in terms of improving software security and making our products more secure before they actually go out the door to the people that are using them?
Howard Schmidt: Yeah, I think there’s a few things. One, of course, and it’s one that’s been discussed longer than anything else, and that’s the power of procurement and helping set requirements of saying, okay, if we’re gonna buy software that gives us the ability to do word processing or a Web server or something like that, that we basically set the requirements with the supplier that says in addition to having all the really rich and robust features that we have out there, you also have to do things like source code analysis. You also have to do sort of threat scenarios built into it and the ability to go back and say in a normal, closed environment, this may be the greatest thing in the world, but we don’t live in a closed environment. We live in an environment where accessibility is key to success, whether it’s a business or a government, so we have to take into account that people will try to do things like buffer overruns. People will scan for cross-site scripting, so setting your requirements and making sure that they understand, build to a better secure specification while keeping the same capabilities is gonna be key to it.
The second piece is I think the businesses fully understand that while richness and robustness of the products and stuff is also part of a business, and part of a business in today’s environment is to be able to provide that, so they have the business processes in place where they can go to a customer, be it a government or private sector, and say, “Not only here’s the capabilities we give you, but we, indeed, have done those things whether it’s based on requirements from a customer or whether it’s the fact that here’s the best practices that we now see,” and we see this all over the place. When you see major companies and even small/medium-size companies using a more disciplined process in development of applications and source code protection, the ability of the testing and the robustness they have in there. And so, that’s sort of the second piece. The third piece is sorta the combination of the two. Even after there’s a deployment, even after something’s built, there still has to be that constant monitoring, the constant testing that we have. And for the government, of course, with FISMA, the Federal Information Security Management Act, and having the idea of constant monitoring, we’re able to see things.
We’re able to report back to the vendors. We’re able to share that information, and that has the end result of, once again, every generation we become better at software, better at hardware and better protecting the systems.
Dennis Fisher: What role do you think the government, if any, should play in things like, just for example, the RSA breach from a couple of months ago? Do you think the government should have any sort of role in influencing the way that these breached companies communicate what happened, maybe sharing some of the details about this so that they can help other companies that are maybe in that position down the road?
Howard Schmidt: Yeah, I think, once again, as we see these things occur more often, and not necessarily because somebody is getting more sophisticated, but we have just – there’s more targets out there. We have better visibility of what’s going on, but I think the first key government role is look at the investigative piece, notification of federal law enforcement, any of the cases like the FBI, who then brings in the other pieces of the government, the technical experts on how do we do – identify what motivation is. What are we looking at how they accomplish that? Is it just a spear-phishing e-mail that we may be able to protect with things such as when we rolled out the NSTIC, the National Strategy for Trusted Identities in Cyberspace?
But, there’s also this information on what happened takes place. The investigative will take place, but at the same time, Department of Homeland Security working with the broader sectors to be able to say, “Here’s the MO,” if you would. Here’s what – without giving attribution to a company or cause any additional embarrassment be able to take that information and push it out to other sectors to reduce the likelihood they become a victim, or if they already have, so they can go about cleaning it up and participating in the investigation. When it comes to the company’s actions itself, clearly there is a strong commitment that companies have to have to their customers, and I think back, and, of course, you were in a previous part of your career, you were reporting a lot of these things where it was almost like this was not very public when something would happen. You’d see a little blurb on it, and companies weren’t willing to talk about it.
Well, first and foremost, I think there’s gotta be a clear recognition that the companies, irrespective of how this happened, they’re still a victim of a crime, and they also then have recognized that they have a responsibility to their customers to give their customers the facts that are necessary so the customers can do a risk assessment of what the impact would be to them. If there’s something that the company can’t do – excuse me, the customer can’t do, the company can help them with work-arounds, remediations, updates, all the things that need to be done. And, once again, that’s – the whole system has to work together to make this successful.
Dennis Fisher: I did want to ask you about the trusted identity thing. How has the feedback been on that, and where do things stand in terms of getting some of those measures implemented right now?
Howard Schmidt: Well, it’s interesting. After we – of course, we’ve been working this for a while, and we see a number of companies now proactively going out and starting to develop some multifactor authentications just for their normal services that I think many of us have taken for granted over the years. We’re starting to see the – a lot of these companies working with other companies to make sure we’re looking at the full breadth of things, not only the one-time password that may be on your mobile device, but also what can we do to make sure that somebody doesn’t wind up hijacking that through some other sort of mechanism? So, overall, I think there’s a full recognition of the challenges we have moving forward. The people that I’ve talked to in the national program office I’ve talked with recognize that the status quo doesn’t apply here, that we can take a lot from the experiences we’ve had in the past and the next generation of trusted identities or strong authentication or in-person proofing, we can much improve over where we’ve been to date, so very, very positive.
This is the second part of a two-part interview with Schmidt. The first part ran yesterday.