While RSA 2010 is in high gear, I took some time out from meetings, speaking at our booth theater and catching up on threats, to listen to the recently appointed Cybersecurity Coordinator (Cyber-Czar) share his views on issues involving cybersecurity as well as his objectives and priorities.

The interview started off with an introduction which revealed a background that, by comparison, would seem only possible if you lived two lifetimes. I knew of some of Schmidt's background, but the list of accomplishments was inspiring. By the way, this is a decent starting-point if you're interested in reading about Schmidt: http://en.wikipedia.org/wiki/Howard_Schmidt

Schmidt opened with a pointed remark to remind everyone that the cybersecurity challenge is not simply one that the U.S. must solve; it is a global one. He went on to remind us that there are significant gaps and vulnerabilities outside the U.S.

Below are several of the objectives and priorities that were outlined (Schmidt stated that it tracks with the Cybersecurity Policy Review):

  • Resilience - "securing the federal government and enterprise"
  • Securing the private sector - Schmidt specifically pointed out that "the government is not going to secure the private sector"
  • Incident response - which starts with simply providing points of contact for organizations and individuals to know where to go when an incident occurs.

I'll quickly highlight a few other points that were touched on or were part of the Q&A session:

  • Mentioned was the release of part of the Comprehensive National Cybersecurity Initiative (CNCI) - available at whitehouse.gov: (http://www.whitehouse.gov/sites/default/files/Cybersecurity.pdf)
  • The government is increasingly looking at ways to leverage "the cloud". There, of course, has to be coordination on how it uses cloud-based solutions, as well as on the myriad security challenges and risks involved.
  • There was a question regarding the Hilary Equipment case, which Brian Krebs reported on in January (http://bit.ly/bBcBn4). Unfortunately Howard wasn't aware of this case, but the question was most likely asked because the outcome of the case could have a severe impact on the future outcome of incidents such as this one.
  • When asked about FISMA, Schmidt replied, "FISMA is not doing what it was designed to do". Schmidt went on to say that "changes are long overdue."
  • Organizations are not legally "enticed" to develop secure software

I'm optimistic that Schmidt will be able to carry out most (if not all) of his plans. We need good and experienced leadership at the helm of such a critical role - especially at this critical juncture in the maturation of the Internet and the rate of growth of cybercrime and cyberattacks.

Jeff Debrosse

Sr. Research Director