Cybersecurity and Homeland Defense
Guest: Howard Schmidt, vice-chairman of the President's Critical Infrastructure Protection Board
Thursday, May 2, 2002
Even prior to the Sept. 11 terrorist attacks, the Bush administration was moving forward with plans to place added emphasis on protecting America's critical technology infrastructure. As the war on terrorism heated up last fall, the president appointed Richard Clarke and Howard Schmidt to lead the Critical Infrastructure Protection Board, a cyberspace security team reporting to National Security Adviser Condoleezza Rice and Gov. Tom Ridge, Director of Homeland Security.
Cybersecurity adviser Howard Schmidt took questions from Washtech.com readers during a one-hour online discussion on Thursday, May 2. The discussion was moderated by Washtech.com tech policy reporter Brian Krebs.
Prior to his appointment by President Bush last year, Schmidt was the Chief Security Officer for Microsoft Corporation. Before joining Microsoft, he worked on cybercrime and security issues for the U.S. Air Force and the FBI's National Drug Intelligence Center.
Editor's Note: Washingtonpost.com moderators retain editorial control over Live Online discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions.
Welcome, Howard, and thank you for joining us. This promises to be a lively discussion, as we've already got quite a few questions in the queue. For all those who are joining us online today, please keep those questions coming. But before we jump into the fray, can you give us a little background on the Critical Infrastructure Protection Board, its mission, and your role in that capacity?
Howard Schmidt: The board was created on Oct. 16, 2001 by President Bush to harness the capabilities of government, industry and academia in a voluntary and cooperative effort to build a national information infrastructure resistant to significant degradation and resilient when attacked. My role is that of the Vice-Chair of the board, which I co-chair with the President's Cyberspace Security Advisor, Richard Clarke. Working together we oversee the operations of the board and the standing committees identified in the Executive Order.
Congressional testimony suggests that the U.S. is not spending nearly enough on technology research and education. What needs to be done to assure we have enough qualified information security professionals in the years to come?
Howard Schmidt: We have addressed this on a couple of different fronts. First, the "cyber corps" program, where, through NSF, the Government funds scholarships and for each year the person provides a year back in government service. This is good for enhancing the capabilities of the government since the government is in "competition" with the private sector for the best talent. If after the service period is over the person decides to stay in public service that would be great, but if they go to the private sector we still win as the private sector companies are the owners and operators of the critical IT infrastructure.
Also we are working with the education folks from K-12 to prepare kids for the IT world we all benefit from.
A great deal of the work you do relies on accurate and timely reporting of network and software-related vulnerabilities by the private sector - the very companies that now manage the infrastructure you're trying to protect. Yet, time and again, many companies report security problems only when they're forced to do so, either by threat of disclosure or by way of damage control. What obstacles stand in the way of a more open line of communication between the government and the private sector?
Howard Schmidt: I agree timely reporting is the key to successful response to attacks. One of the concerns I have heard voiced by the private sector is that they are worried that information shared would become too widely known and reflect the wrong message. There are a couple of bills on the Hill now to provide for some narrowly crafted protections around the Freedom of Information Act. We always encourage reporting to the law enforcement authorities IF a crime has occurred.
Many experts say that most IT security threats come from within an organization. How do the events of 9/11 affect how we protect our information systems from within?
Howard Schmidt: For years many have cited the concern of the "insider" threat, and that still exists today. What we have seen is a rise in "external" threats while a decrease in internal. One way to better protect is by using strong authentication, getting away from static user IDs and passwords, and developing a data classification schema that restricts information to authorized people only.
What role, if any, does the average Internet user have in protecting the nation from cyberattack?
Howard Schmidt: Each of us has a role as we are all a part of the Internet community. When we go on vacation we lock our homes, stop the paper and mail and ensure we reduce the risk of someone doing harm to our house. The same mindset needs to take place in the online world. Use anti-virus software, keep it updated, use a personal firewall, move to some smartcard (2-factor) login methods. For up-to-date information you can go to http://www.staysafeonline.info for great information.
The head of your office, Richard Clarke, has remarked that many corporations spend more money on coffee than they do on cybersecurity. Assuming for a moment that statement is true, what will it take for companies to begin dedicating more resources and attention to network and computer security?
Howard Schmidt: In some sectors the companies are in financial difficulty, making it even harder to spend the extra money on security, but it needs to be done. Some of the efforts of the Board are working with the companies at the CEO level, getting the word out how important this is. We already have seen a number of CEOs make very strong policy decisions to make security the top priority. Forums like this also help to spread the word how important this is to National/Homeland Security, Law Enforcement/Public Safety and Economic Prosperity. This is now a CEO issue and will continue to be.
What do you believe is the most effective way the Office of Homeland Security can assure cyber protection on the state and local level? Thank you.
Howard Schmidt: We have entered into discussions with many of the State and local leaders, looking for a way to get them the information they need to improve and/or maintain a high level of security. One of the most effective ways is to listen and work with them to work out a plan, as they know their needs and capabilities much better than any of us do. One thing we have to remember: each of us goes home every day and relies on the local governments for public safety, so we ALL have to ensure they have the most current information to provide for us as citizens.
What specific recommendations or actions would you like to see come from the telecommunications industry to ensure security of our telecom infrastructure? How can they best develop such plans?
Howard Schmidt: As the owners and operators of the critical infrastructures, the telecoms are in a unique position to affect much of what we do. There is a body in the Defense Department, known as the National Communications Center, which has a number of the telecoms co-located with them to not only develop the plans you mention but to make them work. Their ability to come back up in such a rapid manner is a testament to how well their plans worked. The working groups are meeting frequently to refine and expand these plans.
After a great deal of input from industry, the Bush administration has tentatively decided to move ahead with "GovNet," a plan to create a government-wide Intranet that would theoretically insulate critical federal systems from cyberattack. What is the next step in the construction of this system, and how long will this process take?
Howard Schmidt: I would like to clarify this question: there has not been a decision to move ahead with GovNet; what we have determined to date is that it is TECHNICALLY feasible. There are still many questions that need to be answered regarding costs, managing, and ensuring that there is not some other way using existing infrastructure. The next phase of the review is ongoing.
It's easy to point the finger at the private sector, but federal agencies have repeatedly been found to be lacking even the most basic computer and Internet security practices. How can the government's admonitions to the private sector be taken seriously in light of its own rather dismal record?
Howard Schmidt: We have said over and over that we (.GOV/.MIL) need to get our own house in order. This is not an issue of finger pointing or placing blame but fixing the problems. This has been, is, and will continue to be a partnership. We used to act based on threats; now we need to close the vulnerabilities wherever they exist. Many of the problems we have seen have occurred because adequate patch management processes were not in place. GSA recently announced a contract to provide patch management services to the government.
We're a little more than halfway through our chat, and from the volume and nature of the great questions received so far it looks like this is an issue that deeply concerns many of our readers. Please keep the questions coming, and we'll try to get to as many of them as we can!
There has been a lot of talk about Smart Cards as a means of authenticating individual members of the public to all sorts of things. How soon do you see smart cards or similar technologies replacing the traditional username and password authentication systems that are currently so common in corporations and the government?
Do you think smart card technology is effective?
Howard Schmidt: The use of smart cards is long overdue. The basic premise of 2-factor authentication is using something you have (smartcard, fingerprint, something physical) and something you know (PIN number, passphrase). The Department of Defense has been a leader in this area for the government and has been deploying smartcards. Many private sector companies are now doing the same. This will be very effective as many of the break-ins are a result of poor passwords.
Richard Mogull, research director for GartnerG2 said, "Nearly every major attack to hit the headlines involved the exploitation of known security flaws for which a patch or defense was widely known." How does the administration plan to encourage dissemination and adoption of security fixes?
Howard Schmidt: Richard is correct, MG Dave Bryans reports that 97+% of intrusions into systems are as a result of patching machines. This is a major driver behind GSA's patch management program I mentioned in an earlier response.
Could you please comment on the USA Patriot Act. Do you believe the cybersecurity provisions in the bill are sufficient, or have they overstepped their bounds and encroached too far into privacy and personal rights?
Howard Schmidt: The balance of security and privacy in a post-9/11 world is something many of us spend time thinking about. In the USA Patriot Act, the cybersecurity provisions did not change the thresholds to use electronic means, just removed the jurisdictional limitations that prevent investigators from moving at "Internet" speed as the bad actors do.
U.S. national security agencies spend massive amounts for several "physically separate" IT networks, e.g., "unclassified" and "classified" networks, including a separate, large-scale and very costly classified USG-only "internet" called SIPRNET. As far as I know, no private companies are going to the extreme of large-scale "physically separate networks" for IT security reasons, but are instead relying on one integrated network protected by a range of security, e.g., firewalls and encryption. Is the USG doing it right and everyone else has it wrong?
Howard Schmidt: There is a vast difference in the requirements and responsibilities that the government has in national security and what the private sector might need for protection of company data. There are many companies that do maintain separate networks for mission-critical functions. Some companies provide for "virtual" separation (IPSec, VPNs, etc.), but that is a business decision for them. For the requirements we both have there is not a right or wrong answer, just a different level of need for protections.
Are administrative sanctions under consideration for those agency personnel who avoid or ignore security basics (for example, a risk assessment on a new device)?
Howard Schmidt: There have always been consequences for employees/contractors that do not follow prescribed policies. In some cases it has resulted in termination and in others loss of promotions/bonuses. On an agency basis, IF security is not considered, funding is at risk for IT projects.
Falls Church, Va.: Since Sept. 11, your office has been inundated with thousands of private-sector proposals offering new technologies to help fight terrorism and cyberattacks. Is your office prepared to handle the volume of these proposals, and can you talk about what - if any - of the new technologies and initiatives the board is considering?
We've had a number of questions on this topic. I've tried to combine and summarize them here.
Howard Schmidt: One of the tougher challenges that we deal with is trying to look at all of the great ideas that the innovative minds of the American public have come up with. There is no way we can get to review them all, so we encourage people to go to the respective government agencies the technology is designed for.
With all the money being dumped into computer security devices how would you rate the importance of enterprise security management vs. human security analysts?
Howard Schmidt: There are 3 very important components to the security world: People, Processes (policies) and Technology. They all have to have the same weight to make things work.
Silver Spring, Md.: I'm concerned about reports I've heard that much of the government's advice on computer security is coming from Microsoft (or through Microsoft-backed groups or lobbyists). Considering Microsoft's less-than-stellar security record and the fact that their recommendations usually involve buying lots of Microsoft software that doesn't always play well with other systems, what is the government doing to make sure that it gets lots of independent opinions on what systems, security measures, etc. it should use?
Howard Schmidt: There are many avenues out there through which we get security information, and no one group provides more than others. We work with other government experts, telecoms, academia, researchers, national labs, consultants and vendors. We have to ALL work together to improve the quality of products as well as make them easier to use and secure.
Your office is drafting a "national plan" to prevent and respond to potential cyberattacks on the country's most vital computer systems. What is the status of that plan? What other priorities are you pursuing?
Howard Schmidt: The President has asked us to draft a National (NOT FEDERAL) strategy for defending cyberspace. We plan on having it ready in late summer. The questions we are addressing (and looking for feedback on) can be found at http://www.gcn.com/cybersecurity. We are also working on education and awareness, an early reporting system, security in the next generation of IT, and doing more to secure the main infrastructures (DNS/BGP).
If your team identifies specific security risks that you believe must be addressed by private industry, how do you get your goals accomplished? In other words, what powers and authority does the board have to take action?
Howard Schmidt: The risks are often identified by the private sector owners and operators; in those cases where it is identified via some other method, we make sure the most senior leaders of the companies are made aware of the risks. The response thus far has been very encouraging.
The FBI is thinking about dismantling its National Infrastructure Protection Center, a division that gathers security and vulnerability information from the companies running the nation's telecom and financial networks and essential utilities. The FBI wants to transfer most of NIPC's operations to a new Cybercrime Division, but critics of that plan say NIPC has worked hard to build trust within the private sector, and that moving the agency to a crime-fighting division could scare companies away from reporting security problems. What is your understanding about what's going to happen with NIPC, and do you think this would be a positive step?
Howard Schmidt: The NIPC has indeed become a true national sharing center and Ron Dick and his staff have done a great job in developing trust and information sharing with the private sector. I know of no plans to change the way they work and have confidence in the FBI leadership to continue the work that NIPC has done.
I've worked in IT security for over thirty years, including public sector, federal government, DOD, and IC. The biggest roadblock to comprehensive, timely, and effective security has been the inability, mostly on the part of the federal government, to coordinate and articulate (even within its own departments) a coherent security program (policies, procedures, standards, etc.). How will the new initiative address these issues in a realistic time frame (remembering a 'generation' is less than two years in most technologies these days)?
Howard Schmidt: First, thanks for sticking with IT security; we need people with experience, and as you well know it has not been an easy task to make changes. One of the standing committees of the President's Critical Infrastructure Protection Board (PCIPB) is to coordinate improving security around government systems; OMB leads this effort and is working on the development of a coordinated program. Many of the CIOs that I have met with in the past couple of months are really paying attention to security, and things are moving along quicker. We MUST move at Internet speed to fix the security issues.
Prior to the Y2K rollover, the Securities and Exchange Commission established risk disclosure rules for network security that forced corporate executives to make the issue a top priority. Would similar rules be helpful today in ensuring that corporations take their roles in this effort more seriously?
Howard Schmidt: We are looking to use market forces to improve security and not regulation. There is a need to provide a means for companies to share with each other AND the government. The proposed FOIA reform by Kyl/Bennett and Davis/Moran would help facilitate the information sharing. In the meantime most companies have heeded the call for improved security and are working hard to improve it.
It looks like we've run out of time. To everyone who joined us today, thank you for your interest and questions: it's been a tremendous discussion. Howard, thank you for tackling our questions so candidly and for graciously agreeing to stay online with us for a few extra minutes!