CRN Interview: Howard Schmidt, EBay

The former cybersecurity adviser to President Bush, who is now vice president and chief information security officer at eBay, spoke last month at a user and partner conference held by Qualys, a supplier of vulnerability management services. Schmidt, also former chief security officer at Microsoft, recently joined Qualys' board. Schmidt spoke with West Coast Bureau Chief Marcia Savage about federal cybersecurity efforts and corporate IT security issues. He declined to discuss his work at eBay, citing his short time there so far.

CRN: Why did you leave your federal post in April?

Schmidt: The biggest reason was the job was done. ... With the Homeland Security Department being established and an operation [the National Cyber Security Division] in that department to look after cybersecurity, it was a good time for me to retire after 31 years of working for the government. ...

CRN: Do you think the federal government is moving in the right direction for addressing cybersecurity?

Schmidt: The formation of the National Cyber Security Division clearly is a step in the right direction. They recognize they are one portion of the cybersecurity; there are roles for the departments of Justice, Energy and Treasury. By putting those resources together in Homeland Security, they can become the center of gravity, working with the other government agencies and [continuing to implement the National Strategy to Secure Cyberspace] put out by the White House in February.


CRN: There was criticism when the strategy came out that it didn't have enough teeth, that there needed to be some legislation.

Schmidt: Clearly, I would never count on legislators doing the right thing. ... How do you write a law about technology? Do you write a law that says you must use common sense; do you write a law that says you must turn on your firewall? It's just not practical, and our clear message was that 80 [percent] to 85 percent of the critical infrastructure is owned and operated by the private sector. So there's an inherent interest in doing this right to keep your business up and running. The challenge we have, which comes back to Qualys, is that security needs to be managed like any other piece of the business. That security component needs to be a service that can be managed, that you don't have to detract from your core competency to do.

CRN: What are the biggest cybersecurity issues facing U.S. corporations?

Schmidt: They fall into four major issues. First and foremost is the configuration: What does it take to install a computer system, servers, clients and e-mail, and have them turned on securely? Most of the vendors now ship products in a more locked-down condition than they were a few years ago. ... The second piece is the vulnerabilities. ... This is not new; back in the '70s we were finding these things [flaws] in computer systems. As the Internet became more mainstream, those vulnerabilities became very pronounced to the point where we constantly are applying patches. The third piece is training. ... We don't do a good job teaching people about cybersecurity. ... The fourth is authentication. If you look at some of the hack attacks we've seen over the past few years, many of those have occurred because we have static IDs, a name and password instead of using smart cards or some sort of secure ID, two-factor authentication.

CRN: Are vendors doing enough to address security?

Schmidt: This got real serious when I was at Microsoft, and I know ... Oracle, Sun, IBM and Cisco were all dealing with the same issue. ... Microsoft's spent hundreds of millions of dollars training [its] developers on how to write code securely. All the companies are taking it very seriously; they're putting security over feature set.