{"id":10129,"date":"2003-05-20T00:00:00","date_gmt":"2003-05-20T04:00:00","guid":{"rendered":"http:\/\/localhost\/thenewatlantis.com\/publications\/is-cyberspace-secure"},"modified":"2021-06-29T10:24:06","modified_gmt":"2021-06-29T14:24:06","slug":"is-cyberspace-secure","status":"publish","type":"article","link":"https:\/\/www.thenewatlantis.com\/publications\/is-cyberspace-secure","title":{"rendered":"Is Cyberspace Secure?"},"content":{"rendered":"\n

Howard A. Schmidt has spent his career on the cutting edge of computer security. A specialist in computer forensics, he has worked for the FBI and the Air Force, where he established the federal government\u2019s first dedicated computer forensics laboratory. Microsoft hired him in 1997, and he served as the company\u2019s Chief Security Officer during the period when cybersecurity became a broadly recognized priority for both government and private industry.<\/em><\/p>

Shortly after the September 11 attacks, Mr. Schmidt returned to government service as vice chairman of the White House\u2019s Critical Infrastructure Protection Board, an organization formed to coordinate the work of government agencies on aspects of critical infrastructure \u2014 especially information systems. When the board\u2019s chairman, Richard Clarke, resigned in early 2003, Mr. Schmidt replaced him as the government\u2019s \u201ccybersecurity czar.\u201d<\/em><\/p>

The board\u2019s first (and only) major publication \u2014 the \u201cNational Strategy to Secure Cyberspace\u201d<\/a> \u2014 was released in February 2003. The report lays out a general cybersecurity plan, making broad policy recommendations for both the public and the private sectors. The new Department of Homeland Security (DHS) will play a central role in the strategy, serving \u201cas the primary federal point-of-contact for state and local governments, the private sector, and the American people\u201d on cybersecurity issues. DHS is absorbing several agencies that handle cyberspace, including the White House board (now formally dissolved by executive order) that Schmidt has been heading.<\/em><\/p>

On March 6, 2003, just a few weeks after the release of the new cybersecurity strategy, we sat down with Howard Schmidt in his office.<\/em><\/p><\/blockquote>\n\n\n

The New Atlantis:<\/strong> How would you define the term \u201ccybersecurity\u201d for laymen?<\/p>\n

Howard Schmidt:<\/strong> For the layman, cybersecurity is the realization that computer systems affect our basic needs on a daily basis. Electricity, water, telephone \u2014 these things are all run by computers, and my job is to work with owners and operators and government agencies to make sure that they continue to function properly and are not disrupted because of security events that then, in turn, affect our daily lives.<\/p>\n

NA:<\/strong> How does cybersecurity relate to other areas of critical infrastructure \u2014 to energy, food, transportation, finance, and so forth?<\/p>\n

HS:<\/strong> We\u2019ve received tremendous benefit from the IT revolution, and as a result we\u2019ve been able to do things we\u2019ve never been able to do before. It is the underpinning of all those utilities, all those critical infrastructures that you mentioned. But there are also new risks. For example, if a computer system is down for the national rail system, you could still physically move trains, but you wouldn\u2019t want to, because you won\u2019t know where perishable items are supposed to be delivered. Or perhaps chemicals that need to be moved to help water treatment plants won\u2019t get there \u2014 so within a matter of time, water treatment facilities would be having problems. The underpinning of all these critical infrastructures are computers that must be protected.<\/p>\n

NA:<\/strong> Looking through the cyberspace strategy your office just published, this was the closest thing we could find to a description of a specific threat:<\/p>\n\n\n

In peacetime America\u2019s enemies may conduct espionage on our Government, university research centers, and private companies. They may also seek to prepare for cyber strikes during a confrontation by mapping U.S. information systems, identifying key targets, lacing our infrastructure with back doors and other means of access. In wartime or crisis, adversaries may seek to intimidate the nation\u2019s political leaders by attacking critical infrastructures and key economic functions or eroding public confidence in information systems.<\/p><\/blockquote>\n\n\n

Could you expound on that a little? Could you offer other examples, other specific threats to cyberspace?<\/p>\n

HS:<\/strong> This is the high-level perspective on the worst things that could happen if we don\u2019t continue to develop more robust cybersecurity. Let me qualify some of these things, when we talk about threats. Take the recent Slammer worm that took place a little over a month ago, for instance. When that happened, we did not get the kind of notice you have when you see a smoke plume coming off the trailing edge of a rocket saying, \u201cBoy, there\u2019s a threat.\u201d Nor did we see some underground communication that said, \u201cWe\u2019re going to do this specific act against these specific systems.\u201d<\/p>\n

So identification of threats in more specific terms than we\u2019ve outlined in the strategy is oftentimes a challenge. We know they exist. We\u2019ve seen them by virtue of the disruptions they cause \u2014 everything from the Morris worm years ago to the Melissa macro virus, to Slammer, Code Red, NIMDA, the attacks on DNS servers. We know the threats are out there, we\u2019ve seen them occur. But in many cases, we don\u2019t know what the sources are, and that\u2019s a challenge we\u2019ve got. So to get more detailed as to what the threats are, I think, is to do nothing more than look at what has hit us so far, and take those disruptions very seriously.<\/p>\n

NA:<\/strong> Some people have argued that the threat to cybersecurity has been somewhat inflated \u2014 for example, that the effects of the recent Slammer\/Sapphire worm were exaggerated. You\u2019ve probably seen some of that criticism in response to the new cybersecurity strategy.<\/p>\n

HS:<\/strong> I don\u2019t think the threat is inflated at all. The perceived impact of some threats, like the Slammer worm, depends a lot on inaccurate reporting. As time goes by, we have the ability to better identify what the true effects were. That doesn\u2019t change the threat model, though. Part of the reason this activity was not more disruptive is that we have been paying attention to cybersecurity over the past two years. My response to those critics who say \u201cit\u2019s overinflated\u201d or \u201cit\u2019s done to create FUD [fear, uncertainty, and doubt] and scare-mongering\u201d is that the more we become dependent upon IT systems, the more we depend on the critical infrastructure being run by IT systems, the harder we\u2019ll have to work to make sure we don\u2019t fall into the situation where these threats become more than just an inconvenience.<\/p>\n

NA:<\/strong> Your predecessor Richard Clarke famously spoke about a \u201cdigital Pearl Harbor,\u201d a phrase that has been very harshly criticized in some quarters, especially after September 11. Many people argued that it was inappropriate to compare threats in cyberspace to threats against civilian or military targets in the offline world. What\u2019s your feeling about the term and the concept of a \u201cdigital Pearl Harbor\u201d?<\/p>\n

HS:<\/strong> The term \u201cdigital Pearl Harbor\u201d was actually used years ago in one of the early information warfare settings, in one of the hearings that were going on up on the Hill. It\u2019s been used over and over again, to make a point about a surprise attack, a debilitating attack. It\u2019s unfortunate that a description that is put out there with the best intention gets misinterpreted as being something more than it is.<\/p>\n

Part of the reason that a \u201cdigital Pearl Harbor\u201d hasn\u2019t occurred is because we\u2019ve been talking about cybersecurity. Something similar happened with the Y2K issue: Y2K didn\u2019t happen because we talked about it, we were prepared for it. So we need to continue our preparedness, we need to continue to champion cybersecurity. We can enjoy the features, the richness, the robustness of IT, and protect privacy while still being secure. But I don\u2019t use that term because I think it has become a distraction.<\/p>\n

NA:<\/strong> What about the term \u201ccyberterrorism\u201d? Both you and Mr. Clarke are opposed to it, and the term doesn\u2019t appear at all in the cybersecurity report. Can you explain why?<\/p>\n

HS:<\/strong> Well, for one thing, it conjures up physical events that would not actually be taking place in cyberspace. The word \u201cterrorism\u201d has connotations \u2014 like mass panic \u2014 which I don\u2019t think you would see in the cyber-world. So instead we talk about cybersecurity, and the threats against it, and the integrity and availability of systems.<\/p>\n

NA:<\/strong> But if terrorists were to use the Internet in a way that would, say, incite mass panic, then that might be an acceptable use of the term.<\/p>\n

HS:<\/strong> I think if we ever saw that occur, or if we ever saw indications that that was a way people were looking to do business in the terrorism world, then yes, we may actually be able to use that term for that specific event. Most of what we see, most disruptions, we don\u2019t know in many cases whether it\u2019s coming from the Middle East or the Midwest. But the fact that it\u2019s disruptive is what concerns us.<\/p>\n

NA:<\/strong> Let\u2019s return to the new cybersecurity strategy. According to a recent article in Slate<\/em>, \u201cThe bulk of the report\u2019s solutions are lame. Most are meaningless jargon, such as suggesting that \u2018future components of the cyber-infrastructure are built to be inherently secure and dependable for their users.\u2019 A fantastic sentiment, but as mushy as stating that the president is \u2018for the children.\u2019\u201d How would you respond?<\/p>\n

HS:<\/strong> Obviously we didn\u2019t think it was a lame report. We thought it was a serious and well-balanced report. We had input from a widespread number of people: industry, academia, government, security consultants, IT vendors \u2014 and basically, when you read through the report, everybody is committed to being more secure. I think the better question that some of these critics should be asking is: \u201cWhy don\u2019t we stop the criminals from doing these things?\u201d It would be very nice not to have to worry about that \u2014 to receive the rich, robust features we have without worrying about somebody violating your system because of a flaw that wasn\u2019t built intentionally. In the meantime, let\u2019s make sure that the people that are committing the felonies, the criminal acts, abusing the software \u2014 let\u2019s make sure that there\u2019s attribution.<\/p>\n

NA:<\/strong> In the new cyberspace strategy, many responsibilities will be shifting to the Department of Homeland Security. The intention is to evolve from existing organizations in the private sector and existing government agencies to create a more effective cybersecurity system. But how long will it take DHS to get a handle on these things? Will a \u201cnational cyberspace security response system\u201d be up and running in a year? Two years?<\/p>\n

HS:<\/strong> One of the things relative to DHS when it comes to cyberspace is that many key institutions are already in place. The National Communications System, the National Infrastructure Protection Center (NIPC) within the FBI, the Federal Computer Incident Response Center within GSA, the Department of Energy Information Assurance Division and the Critical Infrastructure Assurance Office \u2014 these are all organizations that have been independently functioning in this area for at least a couple of years now. Consequently, the ramp-up time is going to be much shorter.<\/p>\n

For example, consider the National Cyberspace Security Response System, an idea that we propose in the report. The government \u2014 in this case, the National Communications System (NCS) has had the lead on it \u2014 has been building out the Cyber Warning Information Network (CWIN), expanding that into the private sector, so when they start seeing an incident take place they have the ability to react.<\/p>\n

At the same time, the FBI has been building relationships with the Information Sharing and Analysis Centers (ISAC) to do a similar thing. What we do now is collapse them together and we\u2019ll have the capabilities a lot quicker than we had anticipated.<\/p>\n

Some of the first challenges are just the physical facilities and just getting these things put together. But the move to DHS shouldn\u2019t impact our current status in any way, shape or form, and the reorganization will do nothing but enhance it in the long term. I would be seriously surprised if, within a year, we\u2019re not beyond full operating capacity, with a new system up here that runs as flawlessly as ever. They\u2019ve got some really good people over there who have been doing this for a while.<\/p>\n

NA:<\/strong> You have an unusual personal history, having gone back and forth between the public sector and private sector on these issues. How would you respond to the security critics who say that the private sector has a poor attitude when it comes to cybersecurity? Most prominently, there\u2019s the fear of embarrassment, the risk of tarnishing the company\u2019s reputation if it reveals security flaws.<\/p>\n

HS:<\/strong> Let me break that into two separate pieces. The first piece is the private sector identifying vulnerabilities and communicating aspects of that vulnerability; the second piece is when companies themselves become victims.<\/p>\n

First, on the vulnerabilities. Yes, there used to be a time when many companies practiced \u201csecurity by obscurity.\u201d The concept was, \u201cWell, we know about the vulnerability, probably nobody else knows about it, there\u2019s no rush to get this fixed.\u201d Once again, as the threat picture has changed over time, as we\u2019ve become more dependent on IT infrastructures and Internet Protocol-based networks, we\u2019ve seen that change dramatically. Many people \u2014 and I used to be one of them, when I was with the government before \u2014 thought that if there was a vulnerability, they wanted to know about it. And what happens is, if a lot of people know about it, the exploit comes before the fix does. Many times, that just makes things worse.<\/p>\n

So you have to look at it from a balanced vulnerability-reporting perspective. No company has a program that says, \u201cOh, we\u2019re not going to worry about it.\u201d Many of them have set up teams that work nonstop on critical vulnerabilities, to get the work started on the patches right away and to get them out to consumers. So I don\u2019t think you\u2019ll see companies just knowingly letting things sit in the background and hoping nobody finds out about it.<\/p>\n

Second, on being the victims. There\u2019s always a sense, if something bad happens, that you are at fault. I don\u2019t know many people who\u2019d like to raise their hands and say, \u201cI\u2019ve failed today.\u201d So consequently, they may not want to report it internally. They will often just try to fix it and move on, which doesn\u2019t give us good data on what is really going on out there.<\/p>\n

At the same time, the law enforcement agencies that collect this information have changed the way they do business. They\u2019re very, very circumspect about making a big issue out of a vulnerability because of the fear of harming the companies. So we\u2019re working more closely together; we still have a long way to go; we still need to make it less shameful to be a victim \u2014 and clearly, that\u2019s the point: you\u2019re a victim.<\/p>\n

NA:<\/strong> Some people argue that, by allowing vulnerabilities and victimization to stay more secret \u2014 which is what the FBI and other investigative agencies are trying to do, so that companies will feel encouraged to come forward \u2014 that some of the negative information that should be getting to investors just isn\u2019t reaching them.<\/p>\n

HS:<\/strong> It\u2019s a tough trade-off. The other piece that plays into this is deterrence. If you don\u2019t see people being arrested and successfully prosecuted, there is this perception that they\u2019re getting away with it, when in reality they\u2019re not.<\/p>\n

Relative to investors: Any of us who have been in security for any amount of time have a saying that we use over and over again: \u201cSecurity is not a destination, it\u2019s a journey.\u201d So if there is a gaping security vulnerability that has allowed something to happen for a period of time, I can guarantee that vulnerability will soon be fixed. Is this something that needs to go to the investor community, because it was a problem that occurred at one point in time? That\u2019s for the board of directors and the company principals to decide, working with the investors.<\/p>\n

NA:<\/strong> There are also cybersecurity problems at the end-user side, the individual side. How do we go about creating an awareness of cybersecurity, a culture of cybersecurity? Especially among ordinary individuals \u2014 for example, people who unthinkingly use one password for everything \u2014 how do you make them aware of the risks, aware of issues like identity theft?<\/p>\n

HS:<\/strong> Clearly, there are some people who aren\u2019t aware of the risks. Some people think that they\u2019re only one of 70 million users, so they feel statistically safe. And then there are the folks who say, \u201cYeah, I know I\u2019m probably not going to be safe, but it\u2019s just too hard to remember all these passwords,\u201d which brings us back to the technological fix: for example, two-factor authentication, with smartcards or biometrics.<\/p>\n

How do we do more on education? First, the Federal Trade Commission has launched its \u201cSafe at Any Speed\u201d program, designed for consumers and small-to-medium enterprises. It\u2019s online; that information is out there.<\/p>\n

Second, we have been working with the National Cyber Security Alliance, which includes both government agencies and private sector companies. We have a website that consumers can visit to see not only the risks, but also some FAQs on anti-virus software and why you really need it, personal firewalls, and use of broadband technology. So that\u2019s a component that we have right now.<\/p>\n

Another thing that we\u2019re working towards is drawing enough resources together to do some public service announcements on television, which reaches a much broader audience. We also have a program that\u2019s run through the National Infrastructure Protection Center (NIPC) and System Administration, Networking, and Security Institute (SANS) to try to raise awareness in the school systems. It has a double effect: first, the kids get energized about submitting posters and everything else, and the teachers become more aware of the issues. We\u2019ve also been working with the American Association of Community Colleges, EDUCAUSE, and the universities.<\/p>\n

NA:<\/strong> What is the official government position on so-called \u201cpatriotic hacking\u201d \u2014 that is, people sympathetic to the United States, who would deface websites or otherwise use their computer skills against \u201cenemy computers,\u201d say, in conjunction with a U.S. military attack on Iraq.<\/p>\n

HS:<\/strong> NIPC sent out a clear message a few weeks ago saying that this kind of thing cannot be condoned, that it is not an official action, that it is a felony and people will be prosecuted if they do that.<\/p>\n

NA:<\/strong> How do other countries compare to the U.S. in the area of cybersecurity \u2014 in terms of both capability and interest?<\/p>\n

HS:<\/strong> I think the interest is high in many international venues. I was just over in the U.K. not too long ago. The U.K. has set up a couple of offices similar to ours \u2014 high-level government offices to coordinate cybersecurity activities. Canada has the Office of Critical Infrastructure Protection and Emergency Preparedness (OCIPEP). Australia has its own system, as does Germany. So we\u2019re seeing a lot of interest.<\/p>\n

As far as capabilities, it varies once again from country to country, based on their dependency on IT infrastructure. As that dependency continues to increase, their cybersecurity capabilities have to be more robust. That\u2019s one of the things that we\u2019ve been working on with them.<\/p>\n

There\u2019s good news here. We were already a long way down the path of dependency on IT systems when the security issues started to pop up and started to become viable and relevant. Since many other countries are not quite as dependent as we are, they have the ability to get ahead of the cybersecurity game sooner, relatively speaking, than we did.<\/p>\n

NA:<\/strong> What would you say have been the greatest successes to date of the public-private partnership on cybersecurity?<\/p>\n

HS:<\/strong> First and foremost, this has become a CEO issue. For those of us who have been in the security business, one of the things we\u2019ve always lamented is, \u201cWell, we can\u2019t get the boss\u2019s attention on this.\u201d The boss is now paying attention.<\/p>\n

The second success is that we\u2019ve raised awareness levels. After we released the draft national strategy in September 2002, a number of different sectors came forth with their strategies at the same time. Different sectors came out saying, \u201cHere\u2019s what our strategy is. Here\u2019s how we\u2019re going to achieve better security. Here\u2019s how we\u2019re going to shore up national security, law enforcement, public safety, and economic prosperity.\u201d<\/p>\n

And third \u2014 and I receive a tremendous amount of enjoyment from this \u2014 are the actual changes that have taken place as a result of this growing awareness. You have people deploying security strategies, but also people doing more to build security into product implementation in the first place. Industry has responded. We just have to keep the message going: we want the features, but we want the security to go along with it.<\/p>","protected":false},"excerpt":{"rendered":"

An interview with \u201ccybersecurity czar\u201d Howard A. Schmidt<\/p>\n","protected":false},"author":1,"featured_media":0,"template":"","article_type":[20],"noteworthy_people":[],"topics":[2274,4999,5005],"_links":{"self":[{"href":"https:\/\/www.thenewatlantis.com\/wp-json\/wp\/v2\/article\/10129"}],"collection":[{"href":"https:\/\/www.thenewatlantis.com\/wp-json\/wp\/v2\/article"}],"about":[{"href":"https:\/\/www.thenewatlantis.com\/wp-json\/wp\/v2\/types\/article"}],"author":[{"embeddable":true,"href":"https:\/\/www.thenewatlantis.com\/wp-json\/wp\/v2\/users\/1"}],"version-history":[{"count":2,"href":"https:\/\/www.thenewatlantis.com\/wp-json\/wp\/v2\/article\/10129\/revisions"}],"predecessor-version":[{"id":22722,"href":"https:\/\/www.thenewatlantis.com\/wp-json\/wp\/v2\/article\/10129\/revisions\/22722"}],"wp:attachment":[{"href":"https:\/\/www.thenewatlantis.com\/wp-json\/wp\/v2\/media?parent=10129"}],"wp:term":[{"taxonomy":"article_type","embeddable":true,"href":"https:\/\/www.thenewatlantis.com\/wp-json\/wp\/v2\/article_type?post=10129"},{"taxonomy":"noteworthy_people","embeddable":true,"href":"https:\/\/www.thenewatlantis.com\/wp-json\/wp\/v2\/noteworthy_people?post=10129"},{"taxonomy":"topics","embeddable":true,"href":"https:\/\/www.thenewatlantis.com\/wp-json\/wp\/v2\/topics?post=10129"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}