Cybersecurity Czar: Remember, End Users Are No Security Experts

The agenda can't just be about the technology, he said. It has to account for the digital transactions necessary for everything from online banking to electronic health records and include the online experience for users, who don't want to be forced off comfortable work habits because of security risks.

"There is always a necessity to do awareness and education of the end user. But you're not trying to teach the end user how to be a security expert," said Howard Schmidt, special assistant to the president and cybersecurity coordinator, Executive Office of the President, in an opening keynote at the Symantec Government Symposium 2010 in Washington. "We can't expect the end users who are not in this business to accumulate the intellectual capital that you have to be more secure."

Schmidt, former president and CEO of the Information Security Forum and chief security officer of Microsoft, was named to the cyberczar post in December 2009. In that post, he is responsible for coordinating cybersecurity policy across the federal government, meaning everything from civilian agencies to the military, and do so with the help of government security bodies such as the Pentagon's cybercommand unit and the Department of Homeland Security.

Cybersecurity strategy, Schmidt urged, "cannot exist in isolation." It'll take a commitment to making it part of daily life and culture.

"We do it in other things," he said. "We live with it in airports. I don't like the lines, either. But I like that they're there."

Failure to advance that strategy, he noted, will stifle online innovation.

"Sitting there in a room with entrepreneurs and developers asking, 'What do you want to do next?' -- we can't have that discussion without someone talking about how it can be compromised," Schmidt said. "The net effect is that it slows down what we're trying to do."

Schmidt named security, resiliency and interoperability among guiding principles for that strategy. Cybersecurity measures, he said, must also be privacy-enhancing, voluntary and cost-effective, and citizens must still be able to protect their personal data.

"The more complex it is, the less people use it," he added.

Designing, building and managing it will be for naught, Schmidt said, if users are still relying on outdated security measures.

"With the 17 or so passwords I currently have and the ones I have to change every 60 days, it's not getting easier to remember them," he said.

Schmidt confirmed that later this week, the White House will release the latest draft of the National Strategy for Trusted Identities in Cyberspace (NSTIC), which recommends changes to privacy laws and addresses online identity provider liability and which government offices will manage the new policies.

This version of the draft, revised from an NSTIC draft from earlier this month, will be available for public comment, and Schmidt said the goal is still to have it approved by the president by this fall.

"We want every viewpoint possible in pulling this together," he said.

Before introducing Schmidt to the stage, Symantec President and CEO Enrique Salem said cybersecurity measures have to take into account the "three i's": invisible, invincible and inexpensive. Most security solutions available today don't do all three, and most don't account for the users themselves, he suggested.

"I've been a big proponent of DRM [digital rights management]. Why hasn't it taken off? Because it requires users to change how they work," Salem said.

It's not often the cost of acquiring security software that vexes businesses so much as the ongoing expense of administering that software.

"The cure can't be worse than the problem," Salem said.

As businesses move to "as-a-service" models of technology delivery -- including cloud computing and cloud-based infrastructure -- security measures will become that much more important. Pay attention to people and data, Salem urged, not devices themselves.

"The device is not important. The device will change," he said. "Who are the people and what is the information we need to protect?"