Howard Schmidt, former cybersecurity advisor to President George W. Bush and now vice president and chief information security officer at eBay, spoke last week at a user and partner conference held here by Qualys, a supplier of vulnerability management services. Qualys, Redwood Shores, Calif., announced Monday that Schmidt joined the company's board of directors. In an interview with CRN West Coast Bureau Chief Marcia Savage, Schmidt talked freely about federal cybersecurity efforts, corporate IT security issues and the security work of Microsoft, where he formerly was chief security officer. He declined to discuss his work at eBay, citing his short time there so far.
CRN: Why did you leave your federal post in April?
Schmidt: The biggest reason was the job was done... With the Homeland Security Department being established and an operation [the National Cyber Security Division] in that department to look after cybersecurity - which was just announced - it was a good time for me to retire after 31 years of working for the government. It was time for me to come back to the real world, as I call it.
CRN: Do you think the federal government is moving in the right direction for addressing cybersecurity?
Schmidt: The formation of the national cyber security division within the Department of Homeland Security clearly is a step in the right direction. Clearly they recognize they are one portion of the cybersecurity; there are roles for the Department of Justice, Department of Energy, and the Department of Treasury. By putting those resources together in homeland security, they can become the center of gravity, working with the other government agencies and continue implementing the strategy [the National Strategy to Secure Cyberspace] we put out of the White House in February.
CRN: There was criticism when the national strategy came out that it didn't have enough teeth, that there needed to be some legislation.
Schmidt: Clearly I would never count on legislators doing the right thing. They're good at a lot of things but when it comes to writing laws about technology--how do you write a law about technology? Do you write a law that says you must use common sense; do you write a law that says you must turn on your firewall? It's just not practical and our clear message was that 80 to 85 percent of the critical infrastructure is owned and operated by the private sector. So there's an inherent interest in doing this right in order to keep your business up and running. The challenge we have, which comes back to Qualys, is that security needs to be managed like any other piece of the business. That security component needs to be a service that can be managed that you don't have to detract from your core competency to do this. That's why I'm enthusiastic about things like this [Qualys] because it takes a load off of people already overburdened with work. It gives them the ability to get a good report and insight into where their vulnerabilities lie so they can fix them quickly.
CRN: What are the biggest cybersecurity issues facing U.S. corporations?
Schmidt: I think they fall into four major issues. First and foremost is the configuration, what does it take to install a computer system--servers, clients and e-mail--and have them turned on securely. One thing we've seen evolve in the past few years is most of the vendors now ship products in a more locked down condition than they were a few years ago. For example, after the Code Red [worm], I talked to CIOs [and] they said the reason they were affected by it was because they didn't know these things were turned on when they installed those computer systems.
The second piece is the vulnerabilities. In the history of computer programs, we still write computer programs that have inherent flaws. Buffer overruns are one that we all talk about. This is not new; back in the '70s we were finding these things in computer systems. As the Internet became more mainstream those vulnerabilities became very pronounced to the point where we constantly are applying patches, we're constantly trying to keep systems updated.
The third piece is training. We teach people how to drive, but we don't do a good job teaching people about cybersecurity. Cable modems, DSLs - wonderful technology but we're just beginning to see the service providers, when they install, give you a pamphlet that says, here's learning about personal firewall, here's antivirus links.
The fourth is authentication. That's very important. If you look at some of the hack attacks we've seen over the past few years, many of those have occurred because we have static IDs, a name and password instead of using smart cards or some sort of secure ID, two-factor authentication.
CRN: Do you think vendors are doing enough to address security?
Schmidt: This got real serious when I was at Microsoft and I know my counterparts at Oracle, Sun, IBM and Cisco were all dealing with the same issue. And if you looked at the explosive growth over IT and IT development -- it's an interesting phenomenon, some people never took a college course in computer programming because it is relatively simple compared to the way it used to be in the old days. Secondly, some of the universities weren't focusing on writing secure code. Many are now; we have probably close to 50 universities that are identified as centers of academic excellence in information security, which are recognized by the government as centers that are focused not only on security implementations but also writing secure code. So we have seen a sea change overall. As you know, Microsoft's spent hundreds of millions of dollars training all their developers on how to write code securely. All the companies are taking it very seriously; they're putting security over feature set, which is the right way to do it.
CRN: Can you elaborate on your thoughts about what Microsoft is doing lately, such as its move into antivirus?
Schmidt: The antivirus move, I don't know more than anyone else. But I think specifically the management team they have in place, my replacement... they've got a wonderful infrastructure to make the change. It's just like [Oracle chief security officer] Mary Ann Davidson said: One of the key issues at an IT company is to make sure as you're doing development, you not only do development for your customers [but yourself]. If it's good enough for them, it better be good enough for you. This is where you have the ability to have internal IT operations direct the direction that the software development goes in security.
CRN: How real is the threat of cyberterrorism?
Schmidt: I don't use the term cyberterrorism. In fact there have been people who have used it and I've asked them not to because I think it devalues the real word terrorism as it affects people's lives. But I think there is a real threat in cybersecurity. The sophistication of those who hack IT systems is less and less. The tools are much easier to use, to the point where you don't have to be an expert in computer systems to be able to launch attacks. There is indeed a valid threat. What makes the threat of some concern is the fact that we depend increasingly on computers for our day to day lives - to run our electricity, our power generating station, our oil refineries, our pipelines, and water treatment plants. As we have a greater dependency, we have to do more to protect them. It's not as if I worry tomorrow that the entire Internet is going to go down. None of those things will happen, but we should not be susceptible to even short interruptions because of things that are within our capacity to fix. The processes are there, the technology is there, the understanding is there, we just have to implement it.
CRN: Any thoughts on this recent rash of Internet worms, such as Bugbear?
Schmidt: Once again, using the example of Bugbear - all that was tweaking the original Bugbear. That goes again to the idea that you don't have to be very sophisticated to do this. All those things can be prevented by doing the right thing, practicing good cyber security hygiene... When we did the national strategy, we asked, whose responsibility is this? It's the home users that are doing cable modems and DSL connections, the small medium enterprises, international corporations, energy companies, it's the government. Each of us has our own responsibility to not let us become a victim and be used as a platform to attack someone else.