White House Cybersecurity Meeting Produces Cautious Optimism

The meeting convened Wednesday at the White House by the country’s top cybersecurity official, Howard Schmidt, included more than 100 security experts from the private sector and various government agencies. It didn’t end with Schmidt revealing any new programs or initiatives, but some of the key participants said they left feeling more optimistic about the direction of the government’s security efforts than at any other point in recent memory.

“The government has made some interesting progress and I’m optimistic that Howard can do some things that other people in that job couldn’t. I know he’s not someone who will continue to just flail away if he’s not making a difference,” said Eugene Spafford, a professor of computer science at Purdue University and the head of the university’s CERIAS center, who attended the meeting. “I think there’s been more done in the last few months than there was in the previous eight years. The message we got is that they do take this problem seriously and are paying attention.”

Schmidt, the White House cybersecurity coordinator, was appointed by President Obama in December and took over a position that had been vacant for some time, a fact that had caused many in the government and the private sector to question the government’s commitment to addressing the cybersecurity problem. The White House meeting was a way for Schmidt to showcase the progress that the administration had made and emphasize his intention to make real changes to the way that information security is handled in Washington.

In addition to the private-sector experts such as Spafford, Gary McGraw of Cigital, Matt Blaze of the University of Pennsylvania, Ron Rivest of MIT and Ed Amoroso of AT&T, the meeting also included DHS Secretary Janet Napolitano and Gary Locke, the Secretary of Commerce.

President Obama made an unannounced appearance at the event as well, speaking for 15 or 20 minutes about the importance of the security problem and the milestones that his administration had met in the last few months. Obama talked about the development of a unified response plan in the case of a major cyber attack, the hardening of government networks and the focus that the administration has placed on securing both broadband networks and the electrical grid.

The meeting came one day before the deployment of the DNSSEC protocol in the Internet root servers, an important step in helping to make the identity and authenticity of those servers verifiable.

For her part, Napolitano said that the Department of Homeland Security had tripled the number of security professionals on staff and pointed out that 12 of the 19 federal government agencies are now covered by the Einstein 2 intrusion detection system and the other seven will be on board by the end of 2010.

“They’re trying to demonstrate that this is a priority for them and I think the clearest evidence of that is that Obama was there,” said Cigital’s McGraw. “I think they’ve made an awful lot of progress, but most of it has been on the operational front, like lowering the number of connection points to the Internet. I’d like to see some more rhetoric at least on software security, because the government agencies are falling behind and that’s a shame. I’d like to make sure that we don’t put all of the emphasis on shiny accomplishments and that we pay some attention to this.”

The meeting, which did not include lawmakers, also could be seen as a message to Congress that the administration is aware of the security problem and doesn’t necessarily need any new legislation to address it. There are several competing bills in the Senate alone that have various cybersecurity provisions and have been rattling around for some time without much progress.

“I think it was a clear message that we don’t need any extra authorization from Congress to get things done,” Spafford said. “I don’t think any of that legislation is going anywhere anyway. It’s not an attractive topic, especially in an election year. This meeting showed me that there’s a high-level awareness of the problem set, but it’s a huge problem and it’s been ignored for a long time and now there are special interests entrenched that are making life difficult. A lot of it requires getting resources that are hard to get. There are all these things that are just hugely expensive and messy.”

Photo courtesy of Gary McGraw.
