Howard Schmidt today is the CEO of R&H Security Consulting. However, he’s better known around the world for working in the White House for 31 years. A former White House security adviser, he was appointed by President Bush as Special Adviser for Cyberspace Security just three months after the terrorist attacks of Sept. 11, 2001.
When it comes to security, Schmidt has been around the block. On the corporate side, he once served as vice president and chief information security officer and chief security strategist for eBay and he also was chief security officer for Microsoft. In the military, he was director of the Air Force Office of Special Investigations Computer Forensic Lab and Computer Crime and Information Warfare Division.
In an interview with Computerworld, Schmidt talked about running background checks on IT workers, balancing privacy and security, and passports with RFID chips.
What’s the scariest thing you see happening in security right now? I think it’s the mobile devices and the capabilities that we want … but there isn’t enough attention to making those things secure. We now have the capability to download and install all kinds of applications on our mobile devices. People use a mobile phone for more than talking. I use mine to pay my Paypal account, to check my back account. I see criminals out there who know this. What they’ve been attacking on the desktop, they’ll starting attacking in our mobile devices as they become more like PCs in our pockets. We can’t wait five years to do something about it. We have to do something now.
What are CSOs telling you they’re most worried about? One of the biggest things in a work environment is the whole issue of risk and compliance. Most of the CSOs I talk to say less about what’s the best technology, [and more about] how [to] make sure their firm can feel confident they’re doing good governance, risk and compliance. How do they know they’ve minimized risk for the company, and [that] they comply with federal laws, state laws and international laws with the way their business needs to be run?
How can companies strike a balance between security and privacy? For a long time there’s been the perspective that if you have security you don’t have privacy. The way I look at is if you don’t have security, you can’t guarantee privacy. Privacy falls into two buckets. One is directly related to data protection. How can we protect our data? You do that using good security. The second part of the discussion is who does what with my data, how can I control that and how can I revoke it? This is the difficult part. Right now, we are not in control of that data. I’ll give you a live example. One of our boys is in medical school in Wisconsin. Rather than pay for board, we bought a house there. We weren’t financing it, but they wanted our Social Security numbers. I said, “Why?” The lady said, “I don’t know. It’s just a company form.” I told them, “You’ve got my ID, my passport, my license. You’ve got confirmation of who I am. Why do you need my Social Security number and what happens to it if someone breaks in here?” I didn’t fill it out. I was very assertive and took control. The answer right now is to develop more rights over our private data. We basically need a bill of rights over privacy of information.
What do you think about passports with RFID implants? We’ve seen recent cases where that’s been a big question. I don’t think it’s a bad idea, but I don’t think security was as high a consideration as it should have been, I have one. And knowing the security implications of it, I’m very cognizant of where I put it and where I store it to make sure no one can use a mechanism to read something from it. You’ve seen these card readers where you go up to a gas pump and it has a little RFID wand or you’re at your company and you have an RFID reader to open the door. You walk up to it and flash the card in front of this reader. The government and customs are not the only ones who have access to these readers. Someone just has to get close enough to you and they can read the data off your passport. Once they have that data, they can use it to create a fake passport.
What do you think about companies doing background checks on IT workers – both during hiring and periodically throughout their tenure? I think it’s not a bad idea, realizing that every company has a different culture. IT is just no longer a function that helps you share Powerpoints and do word processing. IT has become a part of our day-to-day critical infrastructure. It’s how we make our financial services run and transportation systems work. If people are involved in IT, they need some scrutiny to make sure they’re not at potential for doing bad things to the company or even to national security. [Companies should] check for criminal history. If someone has a history of financial problems for non-explainable circumstances, are they more prone to commit some financial crime against you? If they have a gambling problem or a drug problem, would they be more inclined to sell your data to a competitor?
Bear in mind that background checks … are not a way to guarantee that people will do what they should do but it gives you an indication if they have it in them to commit fraud or if they can be trusted around your systems.
How likely is it that terrorists would attack computer networks in the U.S.? They don’t want to wind up attacking a system they depend on. Terrorists now can push Bin Laden videos to mobile phones. They’re doing pod casts and web casts. To attack the Internet is not in their best interests because they’d suffer like everyone else. Attacking a financial system to cause economic harm, is that a possibility? Absolutely. But the protections you put in place to protect against a regular hacker would be the same best practices you’d use against anyone, including a terrorist.
If terrorists did want to launch a cyber attack, what do you think they would target? There’s been indications for years that one of the things they want to go after is our financial services systems. It would affect not only us but everyone globally. I think it would be the most likely target, but also the most difficult to penetrate because of all the work financial services has done.
What can the government do to increase cyber security? There’s education and research that the government could help more on. And using the power of procurement, they could push vendors to develop more secure systems. If the government says, ‘Design me a more secure system and here’s the money to go do it,’ the vendor [would do it and] then sell it to the private sector. The other piece is that there’s not a whole lot of emphasis from the government on research. What is the government doing to make sure universities and companies have dollars to do research that will enhance security? There is R&D that needs to be done that may not benefit homeland security but it might create the next generation of the Internet that is more secure. The government could seed the next generation of tech savvy researchers to look at our problems and figure out how we can solve them.
What can those government agencies getting dismal scores on their computer security report cards do to get better? There’s some pending legislation on The Hill that will redirect the focus and give government agencies [the power] to make security changes rather than just spending all their time and money generating the [security] report. They are doing more paperwork than fixing anything.
We’re hearing a lot about the Chinese breaking into our government networks. How secure are we against these kinds of attacks? Go back to the mid-1990s. Sen. Sam Nunn, in a meeting at the Pentagon, asked me: if there was a technological war and another country was to attack us, on a scale of 1 to 10 (10 they have no chance of affecting us and 1 is they would devastate us and own everything we have), [how would we fare]? I said we’d be sitting somewhere around a 5 or 6. If we were on the attacking end, I felt we would have more gain than losses attacking their system. Today, that has changed dramatically. I think we’re in a much better situation. We’re much more secure and we’re reducing our attack vectors. In terms of withstanding an attack, we’d be closer to an 8 or a 9. We have the ability to turn back attacks. We also could shut down systems that might be under attack and bring them internal.
You’ve said that you worry that cyber security will be reduced to a “second-tier issue” – to where we just respond to attacks and are not proactive in protecting against them. Is that still a problem? Look at the world post 9/11. One of the struggles has been trying to convince the government to protect the IT infrastructure as much as our planes and trains. Everyone has spent a lot of money, time and energy looking at the physical attacks. And, yes, that is where people get killed. But we can’t make cyber infrastructure a second-tier issue. Look at medical records being stored electronically. People get medications based on electronic records. You could wind up with someone who has an allergy to penicillin getting penicillin. That would be deadly. The argument I get is you can’t have more than one Priority One. I argue that you have to be able to multi-task in your protection plan.
Yah, I think we have looked at it as a second-tier. The government has recognized that work has to be done. We’re getting much closer to having them on equal footing.
Learn more about this topic
This story, “Howard Schmidt talks privacy, background checks” was originally published by
Copyright © 2008 IDG Communications, Inc.