Howard Schmidt went the distance

With Howard Schmidt leaving the White House at the end of the month, the critiquing of his tenure is in full swing -- as it should be. There are still plenty of loose ends dangling in D.C., most notably Congress' inability to craft legislation that strikes the right balance between security and privacy.

But Schmidt deserves a lot of credit for advancing the cause. Most importantly, he stuck it out far longer than those who came before him.

True, by the time Schmidt was hired, the job had been overhauled with better access to the president and more budget. The last few so-called cybersecurity czars left in short order, frustrated by a lack of power and influence needed to get things done. Schmidt had already been around the block a few times. He had held high-profile security positions at Microsoft and eBay. He was an Air Force vet who ultimately improved communication between the Defense Department and civilian entities. And he had worked at the White House before, helping to craft the National Strategy to Secure Cyberspace during the presidency of George W. Bush. Those experiences gave him a skin thick enough to tough it out for two and a half years.

He deserves credit for raising the profile of cybersecurity in Washington and working for better collaboration between the government and private sector. In its story on Schmidt's retirement, The Washington Post summed up his record this way:

During Schmidt’s tenure, the White House unveiled its first international strategy for cyberspace, which stated that the United States will respond to hostile acts in cyberspace as it would to any other threat to the country, reserving the right to use “all necessary means,” including diplomatic and military, to defend the country. Schmidt also led the creation of the National Strategy for Trusted Identities in Cyberspace -- a program aimed at developing methods for people and businesses to authenticate their identities online that are safer than using passwords, which can be stolen by hackers.

My friend Rob Westervelt also does a good job describing the work Schmidt leaves to successor Michael Daniel, chief of the White House budget office’s intelligence branch. In his story he notes the following:

Schmidt gets high marks for increasing the public’s visibility of cybersecurity issues, but he falls short on using the White House to get security vendors to work together to protect the nation’s critical infrastructure, said Alan Paller, director of research at the SANS Institute. Paller said security vendors are wielding too much power, which is resulting in ineffective legislation. “They’re damaging every bill and killing the ones that might make a difference,” Paller said of security vendors. “He had to let vendors know that they don’t get to demand everything and not deliver secure products.”

Schmidt’s retirement comes at a time with key legislation before Congress. Two bills in the Senate that aim to address network security at critical infrastructure facilities are being hotly debated. Two other bills, the Stop Online Piracy Act (SOPA) and the Protect IP Act (PIPA), aimed at curbing software piracy, were quashed by an outpouring of vocal opposition from privacy advocates as well as high-profile security experts. Schmidt and the White House were opposed to parts of the legislation. The Senate is also beginning to deliberate over the CISPA legislation, which passed the House last month. It would clear security vendors from any liability over sharing customer threat data with intelligence officials at federal agencies. The White House has sided with privacy advocates, threatening to veto the bill.

The legislative part is what particularly concerns me. The current legislation pending in Congress, CISPA, is written in a way that could allow the government to overreach and violate our privacy in the name of security, which in my opinion is never an acceptable trade-off. Earlier this week at the ISSA-LA Security Summit IV event, the disconnect was evident in a talk by Bruce W. McConnell, senior counselor for cybersecurity at the U.S. Department of Homeland Security.

McConnell spoke of the Obama Administration working with Congress on cybersecurity legislation. He joked about Congress' perceived inability to push through a federal cybersecurity law to supplant all those state data security laws we've been living with in recent years. He admitted that one of the challenges is for the public and private sectors to clarify the role government must play in this dangerous new world. Then he said things that puzzled me further.

One item was a suggestion that government isn't out to invade citizens' privacy and that, after all, wiretapping is illegal. Then he noted the challenges of the U.S. reaching a better consensus with Europe on how best to proceed. "Europe is very concerned about data privacy," he said. "Europe wants more power for individuals to control their own privacy."

He said that like it's a bad thing.

Indeed, a lot of work remains after Schmidt departs. But on balance, I'd say his tenure was mostly successful. He moved the needle further than it had been moved before, and for that he deserves a lot of credit.

Copyright © 2012 IDG Communications, Inc.
