In choosing Howard Schmidt as cyber czar President Obama has gotten someone who has held a similar job in a previous administration, has varied experience at high-level corporate jobs, was a frequent panelist at security conferences and who has even written a book on defending the Internet.
Schmidt served under President George W. Bush for three years, ultimately resigning after producing the “National Strategy to Secure Cyberspace.”
Because of his high profile past as CSO of Microsoft and CISO of eBay, during which he spoke often at public forums, there is a broad record of his thoughts on network security, from smartphone threats to equating cyber security to physical security.
He thinks Internet security is greatly improved since the mid-1990s when he ranked the impact of a foreign cyberattack in the United States at five or six on a scale of one to 10, with 10 meaning attacks would have no effect. That has improved to eight or nine because the number of attack vectors has been reduced. “We have the ability to turn back attacks. We also could shut down systems that might be under attack and bring them internal,” he says.
Getting cybersecurity considered as important as physical security — such as protecting planes and ports — was a hurdle that is being overcome. Schmidt says he realizes the country can’t have two No. 1 priorities, but it needs to boost the effort put behind cybersecurity. “The government has recognized that work has to be done. We’re getting much closer to having them on equal footing,” he says.
In past interviews he has said smartphones and other such mobile devices generate the most concern. “What they’ve been attacking on the desktop, they’ll starting attacking in our mobile devices as they become more like PCs in our pockets. We can’t wait five years to do something about it. We have to do something now,” he said
He has a subtle view of exactly what terrorists are likely to attack and what they are likely to preserve as potential tools for propaganda. For instance, they might leave cell phone networks and the Internet infrastructure in general intact rather than try to take them down. “Terrorists now can push Bin Laden videos to mobile phones,” he says. “They’re doing podcasts and Webcasts. To attack the Internet is not in their best interests because they’d suffer like everyone else.”
Instead, terrorists are likely to attack financial institutions to cause damage to the economy, but that is a tough task, Schmidt says. “I think it would be the most likely target, but also the most difficult to penetrate because of all the work financial services has done,” he says.
Looking ahead in a CSO story about security predictions for 2010, Schmidt says layoffs from the bad economy will prompt theft of corporate data or damage, aided by the vulnerability of network peripheral devices such as printers. “Using unsecured printers and network-connected security cameras that can be manipulated, employees are able to cover their tracks when accessing restricted areas,” he says.
He breaks privacy into two parts: protecting the data from outsiders and establishing and enforcing rules about who gets authorized to access it. “We basically need a bill of rights over privacy of information,” he says.
His thoughts on:
* Social networking: “Vendors and purveyors of social media sites need to take a more active role in educating their users about threats like Bredolab in 2010.”
* Passports with RFID chips: “I don’t think it’s a bad idea, but I don’t think security was as high a consideration as it should have been.”
* Background checks for IT workers: “I think it’s not a bad idea…If people are involved in IT, they need some scrutiny to make sure they’re not at potential for doing bad things to the company or even to national security.”
* Popularity of cloud computing: “The overall net effect will give us a better chance to develop more security in the cloud using better vulnerability management/reduction, strong authentication, robust encryption and closer attention to legal jurisdictions.”
* Two-factor authentication: “With federation of the many various types of two-factor authentication that are around today we will finally see strong authentication become the rule NOT the exception”.