Schmidt: Apply risk management to the nation's cybersecurity threats

The U.S. cybersecurity coordinator looks to risk management to reduce vulnerabilities. His call for cybersecurity research and development was matched by passage of legislation in Congress.

The new U.S. cybersecurity coordinator has difficult challenges ahead, tough adversaries abroad and an immense federal bureaucracy to navigate at home. As he reenters public service, Howard Schmidt appears confident in his ability to bring government agencies and private industry to the table to improve the nation's cybersecurity. His first days in the role come at a time of heightened tension, as cyberespionage continues to make headlines around the globe after Google Inc.'s disclosure of a cyberattack.

Speaking at the 2010 State of the Net Conference in Washington, D.C., Schmidt laid out both priorities and ample cautions for the year ahead. He said he's been working with U.S. Chief Information Officer Vivek Kundra and U.S. Chief Technology Officer Aneesh Chopra to determine their respective roles and responsibilities. "We all love technology, but technology needs to move forward being more secure," Schmidt said. "We need better protection for our privacy," he added.

Better cybersecurity through risk management

Schmidt's first priority is implementing cybersecurity policy, including recommendations from the cyberspace policy review issued last year. Like Melissa Hathaway, whose work was integral to that report, Schmidt emphasized the scope and importance of international public and private partnerships for improving cybersecurity. "Packets don't stop at the border," he said.

Schmidt will make those policy decisions using a risk management perspective familiar to other chief information security officers, one that focuses on reducing vulnerabilities and improving the disaster recovery and business continuity abilities of business and government agencies.

"We need to make sure that small businesses don't have to fight the same battles as large enterprises or government do," Schmidt said. That includes an educational component, along with improvements to technology. Management needs to be "fully cognizant of the role IT plays in our businesses," he said.

The challenge, as Schmidt observed, is that the government itself has little control over threats, and that there is no shortage of cybercriminals working to penetrate critical infrastructure or financial institutions, or to steal intellectual property. He said he'll focus on supply chain security and on moving the burden of security away from businesses wherever possible.

Open government, cybersecurity threat balance

This risk management focus should assess and mitigate existing vulnerabilities while weighing new cybersecurity threats as they emerge. "The very thing that makes us great on the Internet is our Achilles heel," Schmidt said. "We'll never have 100% security and still have an open society," he said.

Government agencies are now complying with the Open Government Directive issued by the Obama administration by posting valuable data sets on .gov websites. This push to open government "must be balanced with things that can be used against us and with privacy," Schmidt said.

Call for R&D supported by House legislation

Schmidt also raised the importance of increasing cybersecurity research and development. His call for more investment was supported by action in the U.S. House of Representatives this week, where a bill passed 422 to 5 that provided increased funding for cybersecurity R&D programs, workforce, education and standards. The Cybersecurity Enhancement Act of 2009 (H.R. 4061), introduced by Rep. Daniel Lipinski (D-Ill.), would require the Obama administration to assess the cybersecurity workforce needs of the government.

Schmidt said he'll be working with legislators from a policy standpoint. As the focus for cybersecurity legislation turns from the House to the Senate, that guidance may prove useful. Neither the Rockefeller-Snowe bill nor the U.S. ICE Act of 2009 has moved forward in the months since its introduction, as healthcare reform has taken the wind out of the sails of other issues.

Whether or not the 111th U.S. Congress passes further cybersecurity legislation, the nation's cybersecurity coordinator will have difficult policy decisions to make, as what some observers have called a new Cold War develops online. Recent research from McAfee Labs indicated that a majority of IT security professionals have substantial concerns about cyberwarfare and cybercrime. Should such concerns be realized, and cyberattacks be directed at the nation's infrastructure, compliance with the Federal Information Security Management Act of 2002 or other standards may take a back seat to real-time situational awareness.
