Presidential appointee's advice on homeland cybersecurity

Immediately following the tragic events of September 11, departments and agencies from across the federal government took steps to strengthen the safety and security of the American people. Everyone is aware we must be vigilant for physical world attacks, but what is our level of risk for electronic attack?

Security professionals are constantly scrambling to react to new threats and existing vulnerabilities.

Security expert Howard Schmidt suggests securing your personal computer plays a crucial role in protecting our nation’s Internet infrastructure. Schmidt was appointed by President George W. Bush as the Vice Chair of the president’s Critical Infrastructure Protection Board in December 2001. The board reports to Condoleezza Rice, National Security Advisor, and Tom Ridge, Director of Homeland Security. Previously, Howard was chief security officer for Microsoft.

The Cyber Security Board focuses on building a specialized group of senior government and private sector leaders to focus on cyber security issues and coordination of security related incidents.

Schmidt gave us a glimpse into the state of cyber security and what we can do to stay safe.

Q: Please tell us specifically about your Vice Chair appointment.

Schmidt: October 16, the President signed an executive order creating the Critical Infrastructure Protection Board. A couple of positions were created as Presidential appointees – the Chair, Richard Clark, and the Vice-Chair, which is myself.. Dick Clark was also appointed as the cyber security advisor for the President. The executive order created ten standing committees dealing with things from private sector, state and local outreach to engineering and research and development issues to national security issues. Our job is to run the board and the standing committees.

Q: Are you facing some of the same cyber-security issues as when you were with Microsoft?

Schmidt: Yes. All the issues around cyber-security are the issues we’ve grown up with as we expanded the information technology sphere of activity around national security and public safety. In this case, its being done on a national/international level.

Q: Can you tell us who has been appointed to your Cyber Security Board?

Schmidt: The folks on the Board are the Secretary of the Treasury, the Secretary of State, the Secretary of Defense, the Attorney General – all the senior department heads of the national government or their designees.

Q: Everyone hears about the physical world terrorist attacks like the one on Sept 11, but are we really facing a growing risk of this cyber-terrorism?

Schmidt: I think, simply stated, that since 9/11 we can try to look for threats in many areas that we do but the threats may become transparent to us in our daily lives. So consequently we have to look at the risks and our vulnerabilities that currently exist out there. The risks become greater as we become more dependent on the technology, which has done such a tremendous job enhancing our lives and recreational time as well as enhancing our productivity.

As far as the risks go, they break down into three major categories:

1. The risks to the issues of national security, as in the lack of ability to communicate in times of national crisis.

2. The risk to law enforcement and public safety. People use this great technology for malicious activities, everything from disrupting communication and online activities to theft of property and credit cards.

3. The trust of the economic prosperity that we’ve enjoyed throughout our history. We’ve been able to make these technological advances because we trust the systems. We trust that when we put money in the bank, that we’ll be able to get it out when we need it.

Consequently, anything that interferes with those three things indeed poses a risk that we have to be very conscious of reducing.

Q: E-mail-borne virus that creates quite a disturbance within government and corporations. Are these the biggest threat?

Schmidt: It depends what the intent of the virus might be. For example, a virus that uses a mass mailing becomes more of a nuisance. But if it really does have a destructive payload to it, where it deletes data or your ability to use a system to control traffic lights, then its capabilities become a lot more worrisome.

Q: What are the areas that we are most at risk for electronic information attack – banking, government, military, utilities?

Schmidt: We don’t know. We’ve seen some of the dramatic effects from the use of worms and Trojans last year: code red, NIMDA , I love you virus, the Melissa virus. In the scheme of things, those have all been expensive and remediating, but they’ve not been disruptive on a long-term basis. Our goal is to create an environment where the critical infrastructures – the banking and finance industry, the transportation, oil and gas industries, the telecommuni-cation and health care industries all have the ability to withstand an attack of any kind without creating massive destruction and when they occur – notice I said “when” and not “if” they occur – we can be resilient and be back up and running in a relatively short period of time.

Q: What are your policies as we move forward and this risk grows?

Schmidt: We have ten major areas of priorities. The first is awareness. The terms I like to use is a few years ago the only people talking about security were the chief security and information officers, where today it becomes a CEO issue and part of the business process itself.

One of the things we’ve done about awareness is we, working with the private sector, academia and other government agencies, have created the National Cyber Security Alliance. We have a Web site now called You can get direct information or links to other places that will make them more secure.

Q: Do you have any idea when we might see a large scale electronic attack? As you said, it’s not “if,” but “when.”

Schmidt: We hope a “large scale” becomes never. We see the small scale on a regular basis. We’ve seen Web defacements and denial of service attacks on a daily basis. As far a prediction, none of us have a crystal ball. What we can do is make sure we reduce the amount of surface space we have in vulnerabilities. Use anti-virus software and update the signatures regularly. On home systems that use DSL and cable modems, put the appropriate firewalls to stop malicious activity.

Q: Would the same terrorist organizations that attacked us on September 11th, be the same type of folks that we should be concerned about in the future or does our biggest domestic threat come from U.S.-based hacker organizations?

Schmidt: Hard to tell. For instance, with NIMDA and Code Red we don’t know much about who was behind that – an organized crime group, a nation-state or just a group of hackers trying to make a statement. We should be focusing on not so much who is doing these things as preventative measures so they aren’t able to be disruptive.

Q: It seems these electronic attacks are coming from China and abroad. Is there anything we’re doing to address that issue from an overseas standpoint?

Schmidt: Yes, with people from the State Department, people with the national communications systems and the private sector are holding bilateral discussions with a number of countries around the world looking at the impact of the critical infrastructure protection in their countries effect the global environment. We have a mature industry when it comes to IT. Some of the other countries are just beginning to go through the growing pains that we had, which mean their systems are inherently far less secure than ours. Consequently, it doesn’t necessarily mean the attack is being originated from that country. It just means that their systems are being used. It’s very difficult, until such time as you catch the person whose fingers meet the keyboard, to identify where they really set in. We’ve seen instances where people sitting in South America have launched attacks through insecure systems in Asia that affected systems in the U.S.

A full audio interview with Howard Schmidt can be heard at

Dana Greenlee is a Web designer and co-host of the WebTalkGuys Radio Show, a Tacoma-based talk show featuring technology news and interviews. It is broadcast locally on KLAY 1180 AM Saturdays at 11 a.m. The show is also on CNET Radio in San Francisco and Boston, on the Web at, and via the XM Satellite Network, on IM Networks’ Sonic Box and on NexTel’s Wireless Web.