Howard Schmidt, Special Assistant to the President and Senior Director for Cyber Security, Office of the U.S. President

Morning Keynote Address, April 4, 2012.

Summary by Keith Watson

In the introduction, Professor Spafford mentioned many of the roles that Howard Schmidt has had over his many years in the field. He specifically highlighted Mr. Schmidt’s service to the nation.

He also indicated that things in information security are not necessarily better since Howard last attended the CERIAS Symposium in 2004, but that was not Howard’s fault.

Howard Schmidt began his keynote address by thanking the staff and faculty associated with CERIAS for their efforts. Mr. Schmidt disagreed with Spafford regarding his opening comment about things not being better since his last visit. “The system works,” he said. It is fraught with issues with which we have to manage. Mr. Schmidt indicated that there are many things that we can do online that we were not able to do twenty years ago. We can make it work better though. We have bigger threats and more vulnerabilities due to increased accessibility, but it works. We have to make it work better.

In 2008 when then Senator Obama visited Purdue, he talked about emerging technologies and cybersecurity. He stated, “Every American depends — directly or indirectly — on our system of information networks. They are increasingly the backbone of our economy and our infrastructure; our national security and our personal well-being.” We take technology infrastructure for granted, and we must ensure that it continues to be available.

One of the issues discussed in the government today, is reducing the likelihood that new generations of victims are created. We need cybercrime prevention. Then law enforcement agencies have a better opportunity at scaling up to deal with the issue. Currently, law enforcement can only focus on the most egregious crimes. The FBI is moving cyber crime moving up on their priority list. They are looking at cyber crime internationally.

An estimated $8 trillion were exchanged over wired and wireless networks last year. Online shopping increased even in a down economy.

The President has promised to make cyber infrastructure a strategic national asset. He has called on all of us to look ahead and design and build a stronger infrastructure.

Howard related a story about about writing code for a TI-99/A for aiming his antenna to conduct Earth-Moon-Earth (EME) communications for his ham radio hobby. He sat down with expert developers to talk about buffer overrun issues. The question that the developers had was, “Why would anyone do that?” Because they can.

The President created the Office of the Cybersecurity Coordinator in a unique way. The Office is part of the National Security Counsel and the National Economic Counsel. Mr. Schmidt has two roles in addressing security issues and ensuring that the system remains open. If specific expertise is needed from other government agencies, those experts can be brought in to assist. Setting strategy and policy is a major effort of the Office. It is also responsible for execution.

The FBI Director has identified the primary and high-level actors in the cyber world:

1. Foreign intelligence services. They are no longer breaking into buildings and doing surveillance. We have to protect our cyber infrastructure from them.

2. Terrorist groups. They are interested in critical infrastructure and how to attack it.

3. Organized crime. They see cyberspace as a business opportunity. Some hacker groups are loosely organized but working together to disrupt the infrastructure.

Mr. Schmidt outlined several programs and initiatives of his office:

• International Strategy for Cyberspace

• A Policy Framework for the 21st Century Grid

• Electric Sector Cybersecurity Risk Maturity Model Pilot

• Consumer Privacy Bill of Rights

• National Strategy for IDs in Cyberspace (NSTIC)

• National Initiative for Cybersecurity Education (NICE)

Questions/Answers:

Question: What is your vision for Continuous Monitoring?

Answer: It is possible to be FISMA-compliant and still unsecure. The creation of the reports required by the law take away time and effort from actually protecting the infrastructure. The goal now is to use continuous monitoring to deal with issues in real-time.

Question: What are the challenges in getting service providers to allow third-party identifiers?

Answer: We hope that there are multiple drivers for federated IDs. One is a market driver for business. They can reduce costs and lower risks by accepting trusted identifiers. We hope that innovators address some of the technical challenges. Finally as consumers, we have to demand better IDs.

Question: Are we at the point where we need to create a new agency responsible for cybersecurity?

Answer: No. It is not necessary. What we need is coordination, not another branch of government. The Office of Cyber Coordinator is the right model to coordinate activities across government.