The new U.S. cybersecurity coordinator has difficult challenges ahead, tough adversaries abroad and an immense federal bureaucracy to navigate at home. As he reenters public service, Howard Schmidt appears confident in his ability to bring government agencies and private industry to the table to improve the nation's cybersecurity. His first days in the role come at a time of heightened tension, as cyberespionage continues to make headlines around the globe after Google Inc.'s disclosure of a cyberattack.
Speaking at the 2010 State of the Net Conference in Washington, D.C., Schmidt laid out both priorities and ample cautions for the year ahead. He said he's been working with U.S. Chief Information Officer Vivek Kundra and U.S. Chief Technology Officer Aneesh Chopra to determine their respective roles and responsibilities. "We all love technology, but technology needs to move forward being more secure," Schmidt said. "We need better protection for our privacy," he added.
Better cybersecurity through risk management
Schmidt's first priority is implementing cybersecurity policy, including recommendations from the cyberspace policy review issued last year. Like Melissa Hathaway, whose work was integral to that report, Schmidt emphasized the scope and importance of international public and private partnerships for improving cybersecurity. "Packets don't stop at the border," he said.
"We need to make sure that small businesses don't have to fight the same battles as large enterprises or government do," Schmidt said. That includes an educational component, along with improvements to technology. Management needs to be "fully cognizant of the role IT plays in our businesses," he said.
The challenge, as Schmidt observed, is that the government itself has little control over threats, and that there is no shortage of cybercriminals working to penetrate critical infrastructure and financial institutions or steal intellectual property. He said he'll focus on supply chain security and moving the burden of security away from businesses wherever possible.
Open government, cybersecurity threat balance
This risk management focus should assess and mitigate existing vulnerabilities, weighing new cybersecurity threats as they emerge. "The very thing that makes us great on the Internet is our Achilles heel," Schmidt said. "We'll never have 100% security and still have an open society," he said.
Government agencies are now complying with the Open Government Directive issued by the Obama administration by posting value data sets on .gov websites. This push to open government "must be balanced with things that can be used against us and with privacy," Schmidt said.
Watch video of Schmidt's keynote at the State of the Net Conference, courtesy of the Center for Democracy and Technology:
Call for R&D supported by House legislation
Schmidt said he'll be working with legislators from a policy standpoint. As the focus for cybersecurity legislation turns from the House to the Senate, that guidance may prove useful. Neither the Rockefeller-Snowe bill nor the U.S. ICE Act of 2009 has moved forward in the months since its introduction, as healthcare reform has taken the wind out of the sails of other issues.
Whether or not the 111th U.S. Congress passes further cybersecurity legislation, the nation's cybersecurity coordinator will have difficult policy decisions to make, as what some observers have called a new Cold War develops online. Recent research from McAfee Labs indicated that a majority of IT security professionals have substantial concerns about cyberwarfare and cybercrime. Should such concerns be realized, and cyberattacks be directed at the nation's infrastructure, compliance with the Federal Information Security Management Act of 2002 or other standards may take a back seat to real-time situational awareness.