Schmidt was formerly chief information security officer (CISO) at eBay and chief security officer at Microsoft and has worked with federal and local law enforcement and the Defense Department. As Ellen Nakashima reported in The Washington Post, the new cybersecurity coordinator also served as special adviser for cyberspace security from 2001 to 2003, where he shepherded the National Strategy to Secure Cyberspace, a plan that Nakashima writes “was largely ignored.” Schmidt was also the president and CEO of the Information Systems Security Association, an international nonprofit organization that focuses on risks and research in the cyberworld. The question now will be whether a man hailed as a good communicator can also ensure better cybersecurity across industry and government.
“Howard is a good match for this task,” said Vint Cerf, Google’s chief Internet evangelist, as quoted by The Atlantic Monthly’s Marc Ambinder. “I’ve been impressed by his consensus-building style. He’s thoughtful, knowledgeable and he knows Washington.”
Cerf, as quoted in the New York Times article on the cybersecurity coordinator, said that “I’ve come away with a strong sense that Vivek Kundra, chief information officer, and Aneesh Chopra, the chief technology officer, and participants at the N.S.C. are aligned on this effort.”
Filling the position at the National Security Council was overdue, given the time that has elapsed since Melissa Hathaway delivered a cybersecurity report that called for a cybersecurity coordinator to coordinate the nation’s efforts. As SearchSecurity.com Editorial Director Mike Mimoso reported, “Obama announced on May 29 he intended to personally select a cybersecurity coordinator who would coordinate cybersecurity policies across government agencies.”
In May, Threatpost Editor Dennis Fisher recorded a podcast with Schmidt. In the podcast, the incoming cybersecurity coordinator talks about the role, cybercrime and how to fix federal cybersecurity.
CSO Online Senior Editor Bill Brenner enjoyed excellent timing yesterday when he published an email interview with Schmidt. Schmidt made a number of predictions for 2010, including that he believed that cloud computing will be a security enabler. Schmidt wrote that “2010 will be the tipping point as to much wider adaption in all sectors. The overall net effect will give us a better chance to develop more security in the cloud using better vulnerability management/reduction, strong authentication, robust encryption and closer attention to legal jurisdictions.”
The timing of the White House appointment of a cyber coordinator is, as Ambinder wrote, something of an early Christmas gift, though perhaps not for Schmidt himself. As Ambinder observed, “It’ll be a thankless job: given the near-certainty that the government will experience some massive data breach or a major cyber terrorism attack, Schmidt will be both the point person — and the person seen as responsible, even though he lacks the statutory authority to prevent these catastrophes.”
In the security industry, reactions to the appointment have been generally positive. Like Ambinder, Dave Lewis, a Canada-based IT security practitioner and editor at Liquidmatrix Security Digest, also sees a tough challenge ahead for Schmidt. “I think that this is an extremely unenviable position for him to take,” he said. “There are numerous turf wars that he will be at risk of becoming collateral damage in the crossfire. I would like to see him succeed. There needs to be a central point of control for IT security.”
George Moraetes, an information security and enterprise architect, related a similar sentiment: “I really don’t know if congratulations or even condolences are in order.”
Moraetes supports the appointment of Schmidt, stating he “is the best advocate and most experienced individual to take on this incredibly difficult job that basically has no teeth or jurisdiction to preside over federal agencies. He is the only person capable of this job, having solid federal government and corporate experience at top levels, and knows the ropes.”
Patricia Titus, former CISO for the Transportation Security Administration and now CISO for Unisys Federal Systems, is similarly supportive. “He comes with exactly the type of credentials to rally the right people at the needed levels. His private- and public-sector background lends itself well to knowing who needs to sit at the table. There hasn’t been that level of IT credentials and security experience in a similar position before.”
Titus sees the position of the cybersecurity coordinator directly under the deputy NSA as “critical to the success of the position. The fact that John has publicly stated that Howard will have regular access to the president shows that cybersecurity is a national priority.” Schmidt will be charged with assessing and mitigating a complex mix of threats and authorities. “I think that all of us in cybersecurity look at the difference between compliance and verifiable security carefully. Are we spending too much time writing documents, versus in real-time monitoring of security controls? Howard’s role may be to address that from a policy standpoint, with regards to securing critical infrastructure, government websites and agencies.”
“I’m cautiously pessimistic about anyone in that job, but I think Howard has a better shot than most,” said David Mortman, CSO-in-residence at Mason, Ohio-based security consultancy Echelon One. “Howard is a known quantity and knows how to play the game. Gives him a huge advantage, since it’s like he’s simultaneously an insider and an outsider. Hopefully the best of both worlds.”
Dan Kennedy, CISO of the Praetorian Security Group, also wrote in to share his take on the appointment of the new cybersecurity coordinator: “I am familiar with Howard, having watched him speak numerous times, being introduced to him a few times, having sat at a dinner round table across from him, and having been an ISSA member for years who reads his introductions every month. I think Howard Schmidt is both a smart guy and one who understands the issues of information security. I don’t always agree with what he has to say, but if you are quoted as much as Howard is that will happen. He doesn’t say completely crazy things, as a few senior security executives do now and then, and has a conservative approach to IS concerns. Howard is a competent choice, and clearly better than many alternatives having worked in the private sector and having been involved very closely and nearly exclusively in the infosec industry. This is much better than, say, a competent technologist, a lawyer who understands technology at a high level, or related choices taking on their first big information security job with this position.”
“That said, he is a safe choice, one who has had an opportunity already in what was a very similar position under the Bush administration. I, like many folks, wanted to be excited by the choice of cybersecurity czar, to see someone I thought would really shake things up. A safe choice doesn’t do that. I voted for Obama to make competent but also pushing the envelope decisions. I hoped for an appointment that would inject some discomfort into an established information security hierarchy in need of a change agent. Howard may be that; perhaps he wasn’t given enough of a chance or shackled by a lack of organizational power the last time around.”
“Don’t get me wrong: this appointment is a positive. There’s a more empowered position (especially now that the nonsense on reporting line is resolved) and a competent person in it helps information security. It was a long time coming. Howard is not afraid to speak uncomfortable truth to power, one of the hallmarks of a great CISO. I congratulate him and look to this appointment with optimism.”
In an interview with correspondent Steve Kroft, cybersecurity expert Jim Lewis calls a federal data breach in 2007 “our electronic Pearl Harbor.” In the transcript of the segment, available at CBSNews.com, Lewis said, “Some unknown foreign power, and honestly, we don’t know who it is, broke into the Department of Defense, to the Department of State, the Department of Commerce, probably the Department of Energy, probably NASA. They broke into all of the high-tech agencies, all of the military agencies, and downloaded terabytes of information.”
Lewis also spoke about the penetration of U.S. military networks, specifically the United States Central Command (CENTCOM). Lewis believes the data breach was accomplished by foreign spies leaving infected thumb drives in locations where U.S. military personnel would be likely to pick them up. When a drive was inserted into a CENTCOM computer, a malicious application on the drive opened a back door for hackers to access the system. According to Lewis, the Pentagon has now banned thumb drives. (David Mortman offered advice last year about whether enterprises should also ban USB drives.)
60 Minutes has also posted several short video interviews online that offer more time with Lewis, including “Hacking the ATMs,” “Hacking the DOD” and “The Holy Grail,” where Lewis talks about the security of the financial system. In “Online Jihad,” Shawn Henry, assistant director of the FBI’s Cyber Division, discusses potential cybersecurity threats from Islamic fundamentalism.
The report from 60 Minutes coincides with our own coverage. Growing cybersecurity threats to critical infrastructure and the electric grid have put a new focus on NERC regulations, as well as FISMA, warned NERC’s chief security officer, Michael Assante. Melissa Hathaway, former acting senior director for cyberspace for the National Security and Homeland Security councils, also spoke of the need for better public-private cooperation at the same cybersecurity panel in Washington that Assante spoke at last month. And Lewis says that new rules for cyberwar are being defined as the risks grow.
IT security pros and analysts alike know that intrusions, breaches and a growing cybersecurity threat aren’t anything new. Dave Lewis, a veteran security practitioner and blogger, commented that “the overwhelming FUD was troublesome.” Dan Kennedy, CISO at the Praetorian Group, wished that “the FBI would knock off the cloak-and-dagger routine when they’re asked a follow-up question.”
Regardless of where you stand on the 60 Minutes report, one fact remains clear: The White House still hasn’t appointed a cybersecurity coordinator.
As Marc Ambinder observed at TheAtlantic.com, “last night’s 60 Minutes feature on cybersecurity may add a sense of political urgency to the debate” about a cybersecurity coordinator.
Shane Harris, also writing about the broadcast of the segment on cybersecurity, put the 60 Minutes report in perspective. “Although the piece didn’t make much news, it was news to most Americans. Full disclosure, I know the producer, Graham Messick, and while I don’t have any special insights into how he approached the subject, I think it’s fair to say that his work will change the cyber security debate in some fundamental ways.”
Harris wonders if the report could have an effect on legislation and subsequent regulatory compliance, like FISMA reform associated with further iterations of the ICE Act. “There are a number of bills pending in Congress that threaten to set requirements on companies to disclose the holes in their networks,” he wrote. “Those bills just got a major push last night. All in all, while 60 Minutes didn’t exactly blow the lid off anything last night, they have elevated the attention of this issue to new heights. That alters the political dynamics significantly.”
UPDATE: Wired Magazine has reported that the blackouts in Brazil in 2007 were “actually the result of a utility company’s negligent maintenance of high-voltage insulators on two transmission lines,” not computer hackers. 60 Minutes relied upon “unnamed sources” in claiming that the two-day outage described by Kroft in the Atlantic state of Espirito Santo “was triggered by hackers targeting a utility company’s control systems.”
Now, Wired reports the following:
The utility company involved, Furnas Centrais Elétricas, told Threat Level on Monday that it “has no knowledge of hackers acting in Furnas’ power transmission system.”
Brazilian government officials disputed the report over the weekend, and Raphael Mandarino Jr., director of the Homeland Security Information and Communication Directorate, told the newspaper Folha de S. Paulo that he’s investigated the claims and found no evidence of hacker attacks, adding that Brazil’s electric control systems are not directly connected to the internet.
Hathaway was part of a panel at the International Spy Museum in Washington, D.C., held to draw attention to the growing dangers online as National Cybersecurity Month drew to a close.
“Thank god for Akamai, who redirected a lot of the bandwidth and kept the Department of Transportation and NYSE up and running,” she said, referring to the DDoS attacks on the U.S. government earlier this year. Hathaway highlighted the importance of moving forward on enacting the 25 recommendations included in the cybersecurity report she delivered to the White House.
Her remarks followed the same theme as the speech on cybersecurity threats she delivered to the ArcSight Conference earlier this month.
Hathaway was proud of the attention that the Obama administration has paid to the issue, observing that when President Obama spoke, it was “the first time the leader of any country spoke about cyberspace or cybersecurity for any length of time.” Obama’s speech on cybersecurity is embedded below.
[Embedded video: http://www.youtube.com/v/wjfzyj4eyQM]
Hathaway noted that cybersecurity threats are a personal issue to the president, referring to attacks against his BlackBerry, and to his staff, given “their data breaches, and policy documents that he lost.”
“Many people don’t realize their computer is already infected by a botnet” she said, emphasizing the importance of raising awareness of the risks. “How many people realize that when they buy a thumb drive that it comes with extra executables for marketing purposes to send data home?”
Hathaway called endemic data breaches in the business world “one of the biggest secrets that no one is talking about publicly” and drew attention to a rising tide of electronic fraud worldwide. “In Bulgaria,” she said, “one of our colleagues said you can’t withdraw cash at an ATM unless you have your cellphone and it geolocates you.” How many people now have to put ZIP codes in for gas? “That’s because POS terminals have been hijacked.”
Cybersecurity threats extend beyond fraud, identity theft and data breaches. “There is generally a lack of agreement about what is a crime in cyberspace, much less what is an act of war,” Hathaway said. “In the event of a digital disaster, who is going to restore the infrastructure?” Also key: Who will pay? “It’s not going to be the government,” she said, at least not under current Federal Emergency Management Agency frameworks. “There’s no equivalent of a national disaster in cyberspace yet.”
Obama directed Hathaway to conduct a comprehensive 60-day Cyberspace Policy Review, which was released on May 29. Obama is expected to name a permanent “cybersecurity czar” to implement the report’s recommendations.
The White House quelled turf speculation over the reporting structure for the impending U.S. cybersecurity position by quietly “merging” the HSC into the NSC on May 26, just three days before releasing the cybersecurity policy review.
The CSIS cyberspace review group, which was commissioned in August 2007 during the Bush presidency, delayed publication of the review until immediately after the 2008 presidential election. As readers of the document know, it contains significant criticism of the Bush-era DHS.
Hathaway’s report had been critical of the Homeland Security Council, again echoing the December 2008 CSIS report, which, like many others, was critical of the DHS. The HSC, with a staff of 250 mirroring NSA’s “twin” staff of about 250, produced almost identical “directives,” and seemed to many a duplicative and redundant Bush-era institution.
In her remarks, Hathaway raised several key issues with the audience, including:
Hathaway, a top contender for the permanent White House post, confirmed that she is currently “in the interview process” for that position, which, she stated in an interview Tuesday, she hopes “will conclude in the next few weeks … and be resolved favorably.”
The daylong symposium consisted of 20 separate breakout sessions instructed by over 100 panelists, a veritable “who’s who” of highly influential cybersecurity-related officeholders in the current administration or Congress, plus a few luminaries in the world of IT security.
As a measure of industry optimism regarding future government spending on cybersecurity, Enrique Salem, CEO of Symantec’s $5 billion business, was among the symposium speakers, who also included:
Other panels included key contributors to the highly influential December 2008 CSIS report on securing cyberspace. Hathaway’s White House Cyberspace Policy Review footnotes the CSIS report eight times, more than any other source listed among the document’s 67 total footnotes. On June 1, CSIS released a comparison of its 25 original recommendations with Hathaway’s report, noting that 17 of the 25 were adopted by the White House report.
When questioned Tuesday at the Symantec symposium, former CSIS commission members smiled knowingly and declined to name any of the other individuals currently under consideration for the permanent White House post besides Hathaway.
These panelists, cited in the CSIS report as contributors, included:
[Embedded video: http://www.youtube.com/v/hoqY_oWRQ0A]
Melissa Hathaway, cybersecurity chief at the National Security Council, wrote the following “Securing Our Digital Future” entry on the White House blog:
“The globally-interconnected digital information and communications infrastructure known as cyberspace underpins almost every facet of modern society and provides critical support for the U.S. economy, civil infrastructure, public safety and national security. The United States is one of the global leaders on embedding technology into our daily lives and this technology adoption has transformed the global economy and connected people in ways never imagined. My boys are 8 and 9 and use the Internet daily to do homework, blog with their friends and teacher, and email their mom; it is second nature to them. My mom and dad can read the newspapers about their daughter on-line and can reach me anywhere in the world from their cell phone to mine. And people all over the world can post and watch videos and read our blogs within minutes of completion. I can’t imagine my world without this connectivity and I would bet that you cannot either. Now consider that the same networks that provide this connectivity also increasingly help control our critical infrastructure. These networks deliver power and water to our households and businesses, they enable us to access our bank accounts from almost any city in the world, and they are transforming the way our doctors provide healthcare. For all of these reasons, we need a safe Internet with a strong network infrastructure and we as a nation need to take prompt action to protect cyberspace for what we use it for today and will need in the future. Protecting cyberspace requires strong vision and leadership and will require changes in policy, technology, education, and perhaps law.
The 60-day cyberspace policy review summarizes our conclusions and outlines the beginning of a way forward in building a reliable, resilient, trustworthy digital infrastructure for the future. There are opportunities for everyone — individuals, academia, industry, and governments — to contribute toward this vision. During the review we engaged in more than 40 meetings and received and read more than 100 papers that informed our recommendations.”
We’ll have more perspective and commentary next week on what this report will mean for compliance and security professionals. In the meantime, you can read the Cyberspace Policy Review for yourself.
[If you followed @ITCompliance on Twitter, by the way, you already knew all that. – Ed.]
– Melissa Hathaway
Melissa Hathaway’s keynote at RSA kicked off with the Mission Impossible theme. The acting director of cyberspace security will need to summon all of Ethan Hunt’s ingenuity to master the task before her. You can watch the archived livestream of Hathaway’s keynote to the RSA Conference on uStream.com. (Disclaimer: Video is from the side and sound is suboptimal.) Alternatively, watch a high-quality version of Hathaway’s keynote from RSA itself.
Notable quotes from Hathaway’s speech:
“The president identified cybersecurity as one of the top priorities for his administration.”
“Our global infrastructure is not secure enough nor resilient enough to support our current and future needs.”
“Humor aside, the U.S. is at a crossroads. Cyberspace underpins almost every part of our nation’s critical infrastructure.”
“The public and private sector interests are intertwined when it comes to cybersecurity.”
As she finished her cybersecurity address, Hathaway cited Edgar Allan Poe, Ralph Waldo Emerson and Wallace Stegner’s Angle of Repose. Those references added an unusually literate tone to this highly technical conference.