Howard Schmidt, special assistant to U.S. president Barack Obama and White House cybersecurity coordinator, appeared this morning before a group of executives gathered at Bloomberg's New York headquarters to discuss his goals, challenges and hopes for American cybersecurity.
Schmidt is the man charged with modernizing and guarding the nation's cyberspace. Before his current role, he worked in the FBI's National Drug Intelligence Center, served as a U.S. Armed Forces special agent and led security strategy for both Microsoft and eBay. (His first cybercrime case was in 1986.) He also served as a cybersecurity adviser for the administration of president George W. Bush.
Editor's note: Schmidt's presentation was more conversational than prepared, and he spoke quickly. What appears below is his remarks as I scribbled them down, edited and condensed for clarity. --AJN
I want to start off with a quote from my boss, Barack Obama [in 2008].
"Every American depends -- directly or indirectly -- on our system of information networks. They are increasingly the backbone of our economy and our infrastructure; our national security and our personal well-being. But it's no secret that terrorists could use our computer networks to deal us a crippling blow. We know that cyber-espionage and common crime is already on the rise. And yet while countries like China have been quick to recognize this change, for the last eight years we have been dragging our feet."
Rarely in history can you point to one thing that encompasses national security and personal well-being -- from terrorism to using FaceTime with my family. Just imagine: what if we weren't able to do that?
There is $8 trillion [in financial transactions] exchanged each year. If that gets disrupted, that's a tremendous number to deal with. The economic impact is difficult to fathom. At the same time, it's difficult to put a dollar amount on things we see on a day-to-day basis, particularly for intellectual property.
We hear an awful lot about the tension that goes on between government agencies, organizations.
There are three principles we live by:
First: we don't have to agree on everything to do something. When we look at the value of other countries we're dealing with, to sit there and say even our closest allies and friends…that's not going to happen. Identify common things.
Second: Since 9/11, we will never ever, ever again have aircraft built that don't have secure cockpits. The same goes for cyberspace. We will never be 100 percent secure, but we can manage that risk down a bit.
Third: While technology is a big piece of it, we also have to recognize there's a governance piece and a business piece that has to be applied. Give us the ability to be much more secure in everything we do.
I want to touch on cyberlegislation, since that's been in the news lately.
In late 2010, we made an agreement with the Senate to get things done from the legislative branch. The things that we put forth to Congress are things we can't do ourselves.
Actors will acquire the ability to be much more disruptive than they have been so far. We've seen escalations, particularly with critical infrastructure. In 2011, there were 200 or so attempts to compromise critical infrastructure. That's about five times more than the previous year.
We need the authority to actually be able to do some of the things we've been talking about for a while.
To interfere with critical infrastructure? That's got to be a pretty severe penalty.
I want to run through a few things.
RICO. When that was first created, computer crime was not a part of it.
The Department of Homeland Security. We need to secure .gov [websites] like .mil. Dot-mil is indeed a large enterprise; we need to do the same thing in a .gov environment. There is tremendous talent working on this. We need to look at .gov as a single enterprise.
Information sharing. Give each government agency a specific sector responsibility -- Treasury for finance, the Department of Energy for energy. We never really achieved that true level of public-private partnerships that we really need, the kind that brings each side's unique abilities to the table. There's got to be that exchange of information: government to the private sector, private companies to each other, the private sector back to government. When we do that, we strip personal information from the data, to protect privacy and freedom of expression. This has been a core tenet of the legislation we're looking at.
We need an ability for DHS to work with the private sector -- not everybody, just what we call the "core critical parts" -- to work on things that would have an effect on large populations. When you get down to it -- and this is the part I think people are missing -- coordination on cybersecurity is not only about protecting critical infrastructure, it's also about cost effectiveness. State and local governments can't always defend themselves, but it's the community that pays the price. You need some level of assurance.
None of us would buy an automobile with the premise that says, yeah, it may or may not work and sorry about that. There's got to be a role for the federal agencies to do this. Why would we want to get services from someplace that's not going to be there when we need them?
Two more points. First, the smart grid. How can we get a level playing field for everybody? We're working with the Department of Energy and DHS on that.
Second, our botnet initiative. Parts of government have said, how can we work with the private sector to reduce the likelihood that botnets proliferate? We've talked about it for a long time. Now this group is getting together to act on it. We need a national strategy for trusted identities to reduce the likelihood of infection.
Each of us can do our part to secure our part of cyberspace to make sure each of us is more secure.
People will look back on our legislators and ask, "What did you really do?" I remain optimistic. We continue a full-court press. We continue to engage Congress and tell them, "We need this."