America's cyber czar speaks

Summary: Howard Schmidt, the man in charge of modernizing and guarding the nation's cyberspace, talks shop at Bloomberg's 2012 Cybersecurity Conference.

Howard Schmidt, special assistant to U.S. president Barack Obama and White House cybersecurity coordinator, appeared this morning before a group of executives gathered at Bloomberg's New York headquarters to discuss his goals, challenges and hopes for American cybersecurity.

Schmidt is the man charged with modernizing and guarding the nation's cyberspace. Before his current role, he worked in the FBI's National Drug Intelligence Center, served as a U.S. Armed Forces special agent and led security strategy for both Microsoft and eBay. (His first cybercrime case was in 1986.) He also served as a cybersecurity adviser for the administration of president George W. Bush.

Editor's note: Schmidt's presentation was more conversational than prepared, and he spoke quickly. What appears below is his remarks as I scribbled them down, edited and condensed for clarity. --AJN

I want to start off with a quote from my boss, Barack Obama [in 2008].

He said:

"Every American depends -- directly or indirectly -- on our system of information networks. They are increasingly the backbone of our economy and our infrastructure; our national security and our personal well-being. But it's no secret that terrorists could use our computer networks to deal us a crippling blow. We know that cyber-espionage and common crime is already on the rise. And yet while countries like China have been quick to recognize this change, for the last eight years we have been dragging our feet."

Rarely in history can you point to one thing that encompasses national security and personal well-being -- from terrorism to using FaceTime with my family. Just imagine: what if we weren't able to do that?

There is $8 trillion [in financial transactions] exchanged each year. If that gets disrupted, that's a tremendous number to deal with. The economic impact is difficult to fathom. At the same time, it's difficult to put a dollar amount on things we see on a day-to-day basis, particularly for intellectual property.

We hear an awful lot about the tension that goes on between government agencies, organizations.

There are three principles we live by:

First: we don't have to agree on everything to do something. When we look at the value of other countries we're dealing with, to sit there and say even our closest allies and friends…that's not going to happen. Identify common things.

Second: Since 9/11, we will never ever, ever again have aircraft built that don't have secure cockpits. The same goes for cyberspace. We will never be 100 percent secure, but we can manage that risk down a bit.

Third: While technology is a big piece of it, we also have to recognize there's a governance piece and a business piece that has to be applied. Give us the ability to be much more secure in everything we do.

I want to touch on cyberlegislation, since that's been in the news lately.

In late 2010, we made an agreement with the Senate to get things done from the legislative branch. The things that we put forth to Congress are things we can't do ourselves.

Actors will acquire ability to be much more disruptive than they have been so far. We've seen escalations, particularly with critical infrastructure. In 2011, there were 200 or so attempts to compromise critical infrastructure. That's about five times more than the previous year.

We need the authority to actually be able to do some of the things we've been talking about for a while.

To interfere with critical infrastructure? That's got to be a pretty severe penalty.

I want to run through a few things.

RICO. When that was first created, computer crime was not a part of it.

The Department of Homeland Security. We need to secure .gov [websites] like .mil. Dot-mil is indeed a large enterprise; we need to do the same thing in a .gov environment. There is tremendous talent working on this. We need to look at .gov as a single enterprise.

Information sharing. Give each government agency a specific sector responsibility -- Treasury for finance, the Department of Energy for energy. We never really achieved that true level of public-private partnerships that we really need, the kind that brings each side's unique abilities to the table. There's got to be that exchange of information: government to the private sector, private companies to each other, the private sector back to government. When we do that, we strip personal information from the data, to protect privacy and freedom of expression. This has been a core tenet of the legislation we're looking at.

We need an ability for DHS to work with the private sector -- not everybody, just what we call the "core critical parts" -- to work on things that would have an effect on large populations. When you get down to it -- and this is the part I think people are missing -- coordination on cybersecurity is not only about protecting critical infrastructure, it's also about cost effectiveness. State and local governments can't always defend themselves, but it's the community that pays the price. You need some level of assurance.

None of us would buy an automobile with the premise that says, yeah, it may or may not work and sorry about that. There's got to be a role for the federal agencies to do this. Why would we want to get services from someplace that's not going to be there when we need them?

Two more points. First, the smart grid. How can we get a level playing field for everybody? We're working with Department of Energy and the DHS on that.

Second, our botnet initiative. Parts of government have said, how can we work with the private sector to reduce the likelihood that botnets proliferate? We've talked about it for a long time. Now this group is getting together to act on it. We need a national strategy for trusted identities to reduce the likelihood of infection.

Each of us can do our part to secure our part of cyberspace to make sure each of us is more secure.

People will look back on our legislators and ask, "What did you really do?" I remain optimistic. We continue a full-court press. We continue to engage Congress and tell them, "We need this."

Photo: Lawrence Jackson/White House

Topics: Government US, Government, Security

Andrew Nusca

About Andrew Nusca

Andrew Nusca is a former writer-editor for ZDNet and contributor to CNET. During his tenure, he was the editor of SmartPlanet, ZDNet's sister site about innovation.

Talkback

4 comments
  • I'm here from the government and I am here to help.....

    How many CIOs or "Cyber Czars" have we had in this country now? Seems to be a round robin position. Yet another Obama-bot.

    Just another excuse for more government intrusion....they need to protect us from ourselves. This guy can't tell the difference between a video card and a processor much less tell us how to run security on our networks.

    More over-bearing regulations are coming....costly ones that the consumers will have to bear. Don't let a crisis go to waste or create one! When in doubt a Democrat will tax, spend, and regulate!

    This will be their excuse to crush our privacy. Pretty soon it will be hard to breathe without a government regulator telling you how to do it. I'm sure they wouldn't mind it if they controlled freedom of speech. They don't like it when we say negative things about them on the Internet....
    pizzaman7
  • "Czar" should be upsetting enough!

    Commies used to be America's enemies. Gotta be another of those pro-democratic things. Huh?
    partman1969@...
  • We really can't allow this to happen. Why?

    We really can't allow this to happen. Why? If only for the children.
    With the demands for identification he proposes, you will not be able to log on and have every site visited logged - it is already of course - but at least you can show a fake IP address!

    The government is very capable of finding you anyway - don't think they can't! But if a perv likes your kid in a chat room, he simply needs to capture enough data packets to positively identify you by IP address - and then your identity is available. And no doubt your location is also available by even more ways than it is today.

    It is 100% about complete control of the people. My words will come back to haunt you! Fight to get your bill of rights returned, too! Kids being taught for replacing our constitution and bill of rights because "it is no longer needed in today's world!" And the lies motivating a 'sustainable future' - where the 3 toed African tree toad has more rights than people! (Name made up) Research it yourself - while you have the access.
    bubbasbear
  • As long as whistle blowers have their lives destroyed we will never be safe

    After 9/11 when the FBI asked for the public's help I made the mistake of responding. I told the FBI about three threats to America. Following is a summary of the letter:

    1. The fact that nuclear power plant control systems have no security and they were being connected to the internet. The FBI found that 80% of control systems were connected to the internet and the Chinese had installed back doors on many of the systems.

    2. The inventory system used by many organizations to control access to hazardous materials was installed by the vendor with well known passwords documented in many places on the internet. Many of the systems also had easily available dial-up phone numbers. At the site I did consulting at I could have easily had Ebola (or something a lot worse) moved into the trash behind the building. The FBI found many cases of missing hazardous materials.

    3. A CPA firm was sending sensitive computer security information from almost every corporate system in America to South Africa for analysis. This information could allow anyone who received it to access many corporate computer systems in America. I reviewed a system that was analyzed by the CPA firm in South Africa. I found vendor supplied passwords, no logging, inadequate resource protections, shared userids, … The CPA firm's analysis indicated that there were only minor issues on the system. (It should be noted that I believe the system I reviewed was being used for money laundering and the company was fined 31.6 million dollars for money laundering. I experienced significant life threatening retaliation including being shot at because of the issues I raised and the CPA firm ignored.)

    Because of the letter transcribed onto an FBI form I was blacklisted and have lost everything.

    I was so stupid that I did not learn my lesson and wrote an email to the US GAO regarding the following two issues:

    1. A targeting system being installed in many military vehicles (Autos, tanks, planes, ships, etc.) used a default privileged password that many non-American consultants knew. With the default privileged password and some communications gear anyone could use American weapons to kill American soldiers. The people who described this situation to me were afraid to say anything about it because they believed they would lose their government contracts.

    2. A telephone system installed for the military also had a default privileged password that could be used to shut down military communications. Many consultants all over the world know the password. I verified this with three people. All three people were afraid to say anything about the shared password for fear of being blacklisted.

    Obviously people who look the other way and keep their mouth shut about threats to America or the businesses they work at are a lot smarter than I am. They keep their jobs and homes while whistle blowers lose everything.

    Thirty years ago the same money launderers that were laundering money at the company fined 31.6 million dollars in the FBI letter item 3 above were laundering money at another bank that experienced significant financial issues because of the money launderers. Rifkin was able to steal 10 million dollars because of the lack of security on the wires system. I started working for the company after the Rifkin theft. Programmers told me about the lack of security and were reprimanded, fired and blacklisted. I experienced significant life threatening retaliation for reporting issues to management. Another auditor had his car bombed. I reported issues such as shared userids, inadequate logging, unrestricted dialup and network access, inadequate resource protections, … and experienced significant life threatening retaliation. The money launderers were the reason why the 414 group was able to break into the wires system and then Los Alamos Nuclear Research Facility and download top secret documents. Because of the publicity regarding the break-in the company lost billions of dollars in stock value. People who looked the other way or cooperated with the money launderers kept their jobs and received raises and bonuses. Those of us that did our job and reported issues to management got screwed.

    I have seen these same money launderers use the same tactics at three different companies over the last 30 years. I believe they are still laundering money for drug lords and will always be able to launder money for drug lords because everyone knows whistle blowers will have their lives destroyed.

    Organized crime targets organizations with money. Over the past 20 years I have tried to get the IRS and California Franchise Tax Board (CA FTB) to correct errors and omissions on their forms and instructions. Big mistake. The special interest groups that control the IRS and CA FTB do not want the public to know how their taxes are calculated so that frauds against the American public can continue undetected. I always claim zero exemptions and have extra money taken from each paycheck to ensure I pay my fair share and do not owe taxes yet the IRS and CA FTB accuse me of not paying taxes and then send me refunds of over payments. The IRS and CA FTB refuse to fix their forms and instructions with obvious errors and omissions because the special interest groups that design the forms and instruction do not want them fixed. I have asked to be audited numerous times and the auditor usually says "You are paying your taxes, I don't understand what is going on." Every time I am audited by a government agency I get a refund.

    America is doomed because criminals can destroy anyone's life. Most people are too smart to report threats to America.
    WeAreDoomed