Howard Schmidt is a much sought-after expert in his field, and a quick glance at his career history makes it easy to understand why.
Schmidt has served as the chief security specialist for the U.S. Computer Emergency Readiness Team (CERT), as the CISO and CSO for Microsoft Corp., where he spearheaded the trustworthy computing initiative, and most recently as the CISO for online auction company eBay. Schmidt left that position last month to devote more time to his consulting work for CERT, other international governments and some corporations.
ITBusiness.ca recently spoke over the phone with Schmidt, who will be heading into Toronto on June 15 to speak at the Infosecurity Canada conference.
ITBusiness.ca: What are the biggest cyber security issues facing businesses today, and how are they changing?
Howard Schmidt: I think the biggest things are still the same things that we’ve been seeing in the past 20-some odd years, and that’s vulnerabilities in software and firmware within hardware that we are constantly creating in environments where we have vulnerabilities and holes that are oftentimes unpatched for a multitude of reasons. And what’s changing about that is that it used to be, for the longest time, particularly those involved in hacking and denial of service attacks on a regular basis, (that they) were generally attacking large enterprises. As we saw, the distributed denial of service attacks back in February of 2000, they were against large corporations and things of this nature. We’re starting to see now, the small and medium enterprise can be targeted as well as the consumers and the end users through a variety of different methods. Not only through vulnerabilities in their systems, but also the electronic version of social engineering, and with phishing and spyware, and things of this nature.
ITB: Do you have advice for other businesses on how they can deal with those issues?
HS: I think first and foremost, you need to have an organization that has senior leadership enough that’s on par with other executives in the business world. First and foremost, there’s a perspective in many cases in the business folks that security actually slows down one’s ability to generate revenue, slows down the ability to innovate and do business. That’s traditionally been the focus: That security is this necessary evil. You know, “We’ve got to have it, but try to avoid it at all costs.” In the recent past, in the past four or five years, the model, the way we do security, has changed to where it actually becomes a business enabler and actually helps with the branding, helps with making sure that the functions are taking place as they should be — making sure the availability is there. So we’ve seen some change in there, but that’s only been because the position of security officers has been raised to the business unit executive.
ITB: Are vendors doing enough to address the issue of security?
HS: Well, vendors have changed dramatically over the past three years or so. I know when I was at Microsoft and we started the trustworthy computing group, that was, you know, a clear issue where the whole focus was shifting to security being priority No. 1, instead of just a priority. I know Oracle and Sun and Cisco and all the big IT companies are really, really focusing on doing a better job on security. The challenge we see right now is we’ve got a whole lot of legacy equipment that’s out there, a lot of legacy operating systems and hardware that it’s tantamount to driving a 1950s car that did not have airbags, that did not have safety belts, that did not have collapsible steering wheels. You can’t afford to buy a newer car with the new safety features. So even though vendors are doing more, they’re doing a better job, it’s going to take a while to transition to the safer operating systems, safer applications than we’ve seen in the past. Part of the challenge with that is some of the new technologies that are designed to help us be more collaborative — for example, instant messaging, some of the peer-to-peer activities. As we get better about securing operating systems and better about networks, people are starting to look for things, like “Oh, gee, peer-to-peer — I can start attacking that and hit instant messenger,” for example. Now people are using it for business reasons.
ITB: What led to the trustworthy computing initiative at Microsoft?
HS: I think it was a couple of things. The CTO, Craig Mundie, and I were talking about the security of our enterprise, and of course back in the year 2000 even Microsoft was the victim of a hack, even though we were doing a lot of things right. It turned out it was an external system which was insecure and it led to someone’s ability to come inside a corporate network. So the idea of having firewalls and all the other protections to keep someone out that came in appearing to be a legitimate user. And that’s what many companies have experienced. Most of the hacks we see are run that way, as a matter of fact. So, consequently, it was recognized, well, if the company with the IT resources that Microsoft has could be subject to that, can you imagine the people that had less expertise? So therefore it was decided to create the trustworthy security group and make that a company-wide priority.
And once again, just to be fair, it wasn’t only Microsoft. That just happened to be the one we were personally involved in. At the same time, Mary Ann Davidson from Oracle, who’s the chief security officer there, who runs the product security component (did the same). Many of us were meeting and talking at the time about how there was no competition between us as security officers, it was all about “How can we make not only our own specific companies more secure, but how can we make the infrastructure more secure as well?”
ITB: Do you think there needs to be legislation to make sure security is an integral part of the efforts of vendors?
HS: Well, I think to some level, particularly in the U.S., we’ve seen some movement in that direction, for example, the Gramm-Leach-Bliley Act on the banking and financial industries talks about the security of financial systems, and Sarbanes-Oxley, which was not designed to be an IT security tool. It was more around accountability — it was more around financial systems. It has indeed been translated into things relative to cyber security. So we do have the recognition. The government has created some legislation. I think overall, there’s not much the government can do to legislate these things, other than making sure the resources are available for law enforcement to successfully investigate and hold people accountable for doing these things.
Because these are not being done by corporate security people, these are being done by criminals. As long as there’s a way for a criminal to commit a crime and there’s an incentive for them to do so, they’ll continue to do it. So by putting some in jail and holding them accountable for their actions, sending a clear message, that, “Yeah, you may find someone who leaves their keys in their automobiles when they go to the shopping malls, because they forget or they weren’t thinking, or whatever, that doesn’t give you the right to go out and steal something.”
And so that’s the sort of thing the government can help in. And we’re seeing that internationally.
ITB: What kind of measures should companies put into place to guard against internal threats?
HS: Insiders always have and always will be a challenge. Number one, I think we fundamentally have to redo the way we do identity management in society. If you think about some of the recent things that have become available in the media about tapes that are becoming lost, insiders stealing tapes, ripping off bank accounts, not only domestically, but internationally as well. So these are the sorts of things that basically are successful only because we provide access to too much data for the wrong reason. For example, say you have tech support for an issue with your mobile phone, and you call tech support. Why would a help desk person need to have your Social Security number or your national ID number? Why would they need to have your date of birth, your credit card number, all of these other things? All they should know is that you’re a legitimate subscriber and here’s the level of service that you’re entitled to. We haven’t done a good job of looking forward on what people would have access to. Another example is issues around when people would open up fake businesses and then pull data down and do identity theft. That’s been going on now for almost 20 years. In 1986, when I was a policeman, a lot of my first cases were like that. Because what happens is, we have a desire to aggregate data — whether it’s credit ratings or to make it easier to look things up on people legitimately. I think it was a fundamental failure to realize that this can also be used by bad guys to do bad things. So, number one, that’s what we need to do. We need to change the way we do identity management, the way we aggregate data, and only have that amount of data necessary to do, say, the tech support job or reset your password that one would need to do without providing more information than that.
ITB: So how exactly do we need to change the way we do identity management?
HS: Two-factor authentication clearly is one of the ways to go forward on this. Smart cards are one way, SecurID tokens. Some of the companies are coming out with mobile devices, for example, where you have the one-time password with rotating numbers so it’s also on a USB device. You can plug it into a USB device.
Now, as I think you fully realize, there is no such thing as 100 per cent security with any technology. But two-factor authentication clearly gets us to the next level.
The next piece after the strong authentication would be more granular authorization that we go to. And once again, I’ll give you a classic example. In many of the vulnerability assessments — the many security service companies — what they will do is they will walk into a company, whether it’s SMB or a large enterprise, or a government agency, as part of their testing, they’ll sit down in a conference room, plug into the network jack, and they’ll start perusing what they can get access to on the network. Oftentimes, as a stranger, they get access to much more than they should have to begin with, but then they also have the ability to identify vulnerabilities that may exist, which oftentimes occur, identify those, exploit those, escalate privilege. And also, within a short period of time, they get access to data they shouldn’t have access to. So having very, very granular ... and people say by the way, it’s very, very complicated to become very granular, that out of the 150 resources within a corporation, I can only have access to ten of ’em. That’s difficult to do. Well, it may have been at one point, but I think we’re getting much, much better about more granular authorization and resources within an IT system.
The third piece that I think we really, really need to take a strong look at, is encryption. I got some new eyeglasses last year — it was a little local eyeglass shop. I got a letter from them saying “We regret to inform you that your identity may be at risk because our computer system was stolen in a burglary.” It was a standalone PC, not networked to anything, but it still had my credit card information, my medical ID number, all these other things. My first question to them was, “Did you have any encryption on that so people couldn’t get access to it?” And, of course, the question was, “What’s encryption, and why would we need that?”
ITB: So when you talk about two-factor encryption, are you talking about just employees, or citizens as well?
HS: Society in general. And that’s one of the things that I think we really need to accelerate. If you look at some of the countries in Europe that are basically issuing smart cards as part of their national ID, some of the financial institutions, are mandating that in order to do online banking, you must do two-factor authentication. These are situations where normal citizens doing normal online transactions are using them and doing it successfully.
ITB: What about people who would express concerns about privacy?
HS: Clearly, by using strong authentication, you do as much for better privacy as you do for security. The classic example is when one uses a user ID and password, and say that user ID and password is compromised. That’s not a hard thing to do anymore, whether it’s spyware or key loggers. Once you get access to a person’s user ID and password, then the bad guys will try all the different online e-commerce sites, they’ll try the ISP sites. They’ll keep using the user ID and passwords on multiple sites till they find out what they can about you. And invariably, they can wind up finding out a great deal of information.
So, consequently, two-factor authentication would help reduce the likelihood of privacy violation as well, as will encryption.
ITB: What have you learned from past mistakes?
HS: I think the biggest mistake that any of us in security have ever made is trying to sell security as a black and white issue, that basically, either you do this or bad things are going to happen to you. Because what happens is, particularly in the early days, a lot of executives, when something bad didn’t happen, they would say, “OK, you’ve been telling me that if we didn’t buy this antivirus software, we were going to lose our reputation in the industry. We had a virus come into the system, it took us seven hours to get rid of it, but we’re still doing good.” Clearly that’s an issue where talking about the sky is falling doesn’t help. So that’s one issue. The other one is basically not working with the business units as much as you should. Understanding what the business needs are and how you can help facilitate the business unit work, as opposed to saying, “No, you can’t do this because bad things are going to happen.” Clearly, those are the two biggest lessons that I’ve learned.
And the third piece is, there used to be a time where we in security would view security as something that you had to either do it my way or you shouldn’t be doing it at all. And clearly you have to learn that you really have to operationalize security — where security, particularly the security executive’s role is more about setting strategy, policy and not so much doing the day-to-day work, which the IT folks are very, very good at doing.