Security First

Howard Schmidt, the former chief security officer at Microsoft, speaks about the national plan and other cyber security issues.

by Jim McKay / July 1, 2002

Howard Schmidt is vice chairman of the president's Critical Infrastructure Protection Board, which is helping to formulate a national plan for information systems protection that is due out later this summer.

Q: What can we expect from the National Plan for Information Infrastructure Protection?

A: What will happen is that the first cut that we'll be doing at the end of the summer will be sort of a general strategy, a general plan on some things that we can continue to build on and translating that into a strategy in the things that we can actually execute on.

Q: Are there any specific plans that state and local governments can adopt?

A: Absolutely. One of the key components of this is the first responders and those that are in the cities and counties.

Q: Can you give us a preview of the board's report that's going to the president?

A: If you go to GCN.com/cybersecurity, you'll be able to see the outline basically of what we're working on. And there are basically 55 sets of questions. Now what we've done is we've [discussed] this with virtually every group that we can think of. We sent this out to the private-sector owners and operators, IT companies, national security agencies, the critical sectors such as banking and finance, and we circulated a series of [questions asking], "If a national strategy was developed, what are the questions that you'd like to have answered in that strategy?" And that's what these 55 questions have come up with.

Q: You've said that a combination of public/private partnerships and market pressure on software vendors is the right approach to security of the country's networks. How do you put pressure on the vendors and what kinds of things are you asking them to do?

A: First and foremost, the market forces are the key as opposed to regulation. One of the things that we've seen, both Dick [Richard Clarke, the president's principal adviser for cyber security] and myself, when we've met with CEOs of everything from small boutique companies up into some of the larger companies, is that there's a true recognition that security is not some necessary evil that they've got to contend with; it's a core part of the business process. Therefore, if it's a core part of the business process for them, the same products and services they provide for others have to have those same components of security built into them.

And so we've seen a dramatic escalation of where the priority of security fits into their business models. And that's once again, based on the premise that in order to be successful in business you've got to have security and privacy built into it.

Q: There have been suggestions that the government ought to be encouraging ISPs to install egress filters. Is this the type of discussion you're having with the private sector?

A: Not specifically that. I know that discussion has been had. As a matter of fact, there have been a couple working groups that we've been tracking very closely where ISPs have come together, both the small and the large ISPs looking at different ways that they can improve security so you or I as either the consumer or you or I as members of a corporate/government agency, some business folks can worry less about what's going to be coming at us through an ISP.

The challenge we've got with the ISPs -- as we all know, the telecom industry at this juncture doesn't have a tremendous amount of money out there to enhance some of the features they've got so that's one of the challenges we've got.

But that's some of the things we hope to have out of the strategy, both short-term and midterm, what we can do to better protect the critical infrastructure.

Q: What kinds of technology will be needed to stave off electronic attacks? Do we need bigger anti-virus programs?

A: The common misconception is this is a technology issue. But it's not a technology issue. For example, the DOD did an analysis last year and it's somewhere in the high 90s, like 97 [percent] to 98 percent of things that have hit the DOD systems have been the result not of some new piece of technology but exploitation of people that have not had processes in place to install patches or to configure their systems properly.

So in framing this you look at it as a people process and technology perspective. We think in a lot of cases, absent some of the deficiencies, the quality control issues that we all are very concerned about, but it's the people not doing what they're supposed to do. You know, don't click this, or keep your anti-virus software up to date and people just aren't doing it.

The process thing is when we're building servers, we're putting things out on the Web, we don't configure them properly so that's what's going to make the difference.

Q: Are we then too consumed with the perimeter defense and not cognizant of threats from within the enterprise?

A: I think so. Particularly in this day and age when virtually at some point in the not too distant future, everything we do will have an IP address. So consequently, the perimeter no longer is the perimeter as we used to know it, say even three to five years ago. The perimeter in many cases is my mobile phone. The perimeter in my home system is connected to a DSL or cable modem so we have to look at it from basically three perspectives: securing the core critical infrastructure of the IT systems such as the servers, the routers, the things that basically make the traffic move back and forth to where we are. We also need to make sure that the transporter is secured. Free from denial-of-service attack, free from the ability of somebody to intercept our data and either modify it en route or change it en route so we get the wrong data. And the last piece is securing the client side. Better authentication mechanisms so if I'm not authenticated using two-factor authentication such as smart cards or biometrics, I don't get to do certain things.

Q: What are some of the emerging technologies that are becoming viable security tools?

A: First and foremost the one that we are long overdue to have, and that's two-factor authentication, the use of smart cards. I've seen tremendous work being done by the Department of Defense with their common access cards, which have not only their biometric signature but can also be used as smart cards with the digital certificates on there, as well as being the same device that they use to get in and out of buildings and everything.

That's the emerging technology that we really need to bring us up to the next level. That's technology that we currently have but it's not been widely deployed. As far as future stuff goes, the ability to authenticate users on a much more rapid basis, create an environment where packets can be validated before they reach a certain destination. That's the sort of emerging technology we're looking at.

Q: Is there a danger in the interim of rushing some of these new technologies to market before they're viable security options?

A: That's always the danger and that's put us in the situation where we are now. Let me qualify something. We've got wonderful technology, wonderful things we can do with it now, but one of the challenges we have is we've moved so far so fast we've outstripped the capacity to understand what we have in our infrastructure on a daily basis. We probably will move just a tad bit slower in deployment of security technologies to really make sure that they're robust and we're not going to be creating another generation of something we're going to have to Band-Aid in the future.

The other piece in conjunction with this, and this is something that's changed over the past few years: I've had conversations with numerous IT professionals, CIOs, CEOs who say, "Show me where the threat is. Show me where there is somebody really trying to do this." We really need to change that model to where we're not looking at where the threat is but where the vulnerability is and fix that vulnerability so that if a threat does arrive, its effect will be minimal at best.

Q: That goes to education, which is one of your priorities as vice chairman of the Critical Infrastructure Protection Board. Who do we teach, and how and what do we teach them?

A: Like so many of the things in our world today, it's a multi-tiered approach. We have to start at the primary grades teaching kids about computer ethics. We teach them to not steal cookies or take money out of your classmate's desk, but we don't give them a whole lot of education as far as it's not okay to download copyrighted software, it's not okay to go out there and use some technique, even if someone left their door unlocked, effectively, to look into their computer to see what their files say. We need to be very circumspect about that.

Then in the middle years we need to teach them how to operate these things. It was once said that in the very beginning the only people who drove cars were the ones who could fix the cars themselves because there weren't mechanics out there. And now computers have been such a commodity, but there still is such a fundamental lack of understanding [about] what happens once you turn it on.

An analogy that I often use is, there used to be a time that I'd stop in the wintertime at a 7-Eleven, grab a cup of hot chocolate, leave the keys in the car to keep the car warm and come out of the store and the car was still running. But after you do that and your car is stolen you learn not to leave the keys in your car anymore. The same thing happens in the computing environment where people think just because I install anti-virus software once that it's good for six months. In reality, having anti-virus software without updated signatures is only marginally better than having none at all.

The next tier is in the enterprise environment. We have a shortage in this country of trained IT professionals. We have an even greater shortage of those who are trained in IT security. Consequently creating programs like we currently have with the centers of academic excellence, and I don't know how many universities we have now, to provide that secondary training. And then there's the research and development component where we need more education, we need more people in doctorate programs and in tenured professorships that can do that forward thinking, do the [research and development] to create the next generation of secure products and services.

Q: What can the government do to facilitate the development of more research?

A: There are a couple of things and one of them the board is currently working on. The government funds, through various consortia and national laboratories, a fair amount of money to go out and do our research and development. One of the things that we've done with the board is create a research consortium where we're bringing in those federally funded programs that we give dollars to; bringing them in and having them be more responsive to the work others are doing and to reduce the amount of redundancy that's going on as well as supplement each other's research and development.

Q: What about a self-healing computer-security model? Is that in the offing?

A: I think that's something that we all look for, the self-healing, self-repairing-type situation. I'll give you an example that's been used for a long time. I look in my home now and it used to be that I had one computer in a corner somewhere. Now I've got three or four computers around the house, I've got a laptop. Now obviously I'm a technical person, so that would be the case. But in reality, what we see as we move into the future, that will become more common for the everyday person. Does that mean we're going to have to hire a CIO for the household? Or a chief security officer for the household? The simple answer is no, we're not going to be able to do that. We need to strive to create those self-healing, self-repairing systems that don't require a complex operation to fix them, that give us the ability to self-repair, self-heal, but not let someone do something bad to the system to create the negative effect.

Q: How might the self-healing model work?

A: You have a device connected to the Internet like an Internet camera that some people have set up at their homes where they can watch their kids or they can provide interactive things with day-care centers and things like that. So while you're connected it would automatically go out and pulse every once in a while that there's a need to, say, update a particular feature relative to security. You'll have it set up to where it's coming from a specific authenticated source, it's non-spoofable, it will automatically update your system without creating a reboot, without creating the potential for something else to break on your system, and effectively it's done in the background and you hardly recognize it.

Q: How far away is such a system?

A: I'm guessing it's 10 years out but that's one of the things I hope to be proven wrong on because the private sector, academia and government -- we've got a ton of really, really smart people out there and in pooling those smart people from those different organizations we may be able to accomplish this a lot quicker than we had hoped.

Jim McKay, Justice and Public Safety Editor