
Sarah D. Scalet, Senior Editor

Howard Schmidt Holds Court

Nov 12, 2002

First of all, let's get one thing straight: The Nov. 7 Town Hall meeting in New York to gather feedback on the draft of the National Strategy to Secure Cyberspace was not set up as an informal, school-cafeteria type of affair, where a crowd of concerned citizens would engage in rancorous debate with government officials. Instead, it was part of an orchestrated tour that the President's Critical Infrastructure Protection Board is using to sell a strategy widely derided as having no teeth.

CIPB Vice Chair Howard Schmidt and three other panelists were lined up at a long red table, set far back on the imposing black stage in the auditorium at the John Jay College of Criminal Justice in Manhattan. In front of a podium with five flags, a parade of speakers posed for photo ops. They stood committed. They pledged support. They praised the local, state and federal government. Two cameras pointed back at the audience, where a few hundred mostly men in mostly suits clapped politely and waited for the main event: the moment they could step up to the microphones and give Schmidt & Co. a piece of their mind.

Schmidt, New York City Police Commissioner Raymond Kelly, Chris Painter from the Department of Justice's Computer Crime and Intellectual Property section and Deb Peinert from the trade group Information Systems Security Association braced themselves for questions. They poured bottled water into wine glasses, then sipped it as they thumbed through bound copies of the draft. When the questions commenced, in no time at all it became clear why Schmidt was tapped for the job from his post as chief security officer at Microsoft. With the flair of a seasoned politician or a game show host, he can deftly field the most technical questions while also alluding to a close relationship with the likes of Bill Gates.

"Instead of looking at computer hacking as a negative, how about treating that as a positive?" asked someone from John Jay College, suggesting that the government register individuals and allow them to attempt to hack inside corporate computer networks and report on their findings. "I know it's counter to the way criminal justice thinks, but why not enlist the youth to attempt to do this?"

"I think the gentlemen you're talking about are called security consultants," Schmidt answered, and the snickers in the audience turned to laughter. "There are some of them here," he said, paused for more laughter, and then gave a sound bite about education and scholarship programs.

"With all endeavor to be respectful," asked another brave soul, this one a security software developer, "in an Orwellian way, some of us are more equal than others. Major operating system companies have a greater responsibility not to focus on releasing new products at the expense of security." Calling it "unconscionable" that a new OS would be released and within days need thousands of fixes, he said, "They have a responsibility to be more secure and perhaps even regulated to meet certain standards."

Applause thundered. The other panelists looked at Schmidt, waiting. "I saw that one coming," he said affably. "We have met with every one of those CEOs, including the one I think you alluded to." He spoke of an unnamed company spending $100 million on training and development to improve security, but said it would take 18 to 24 months for those improvements to hit the market.

"It may take 18 to 24 months for development, but it only takes hours to discover vulnerabilities," the software developer quipped back.

Someone else called into question the strategy's reliance on ordinary citizens to protect their own computers and suggested shifting the burden to centrally managed places like ISPs, "so we're not relying on Grandma to configure her firewall in a certain way."

"Are you an IT professional?" Schmidt asked. The speaker said yes. "Are you also the chief information officer for your family and neighborhood?" The speaker was afraid so. The audience guffawed. Schmidt assured him that the major ISPs were already coming together and were committed to improving security.

In one question after the other, Schmidt deflected queries about the draft with humor, while demonstrating a considerable talent for the non-answer. He listened to example after example of cash-strapped companies not having the resources to improve security, and law enforcement agents not having the resources to deal with crimes that do occur. He told a story about his son, a computer crime detective in Arizona, where a dispatcher once sent an ambulance to someone who called and said, "I think I've been hacked!" He said that telecoms that weren't investing in security "will just not be there at the end of the day." Most of all, he repeated his mantra that market forces, not product liability or government regulation, are the way to get companies to create more secure products. Only his jokes deviated from the canned answers that started to sound like the adults on the Peanuts television specials: "Mwa mwa mwa mwa market forces mwa mwa." Yet with his curly hair and quick wit, Schmidt was eminently likeable.

It wasn't until near the end of the 75-minute Q&A session that he seemed to get the kind of feedback he really wants people to offer between now and Nov. 18, when the comment period for the draft closes. (The next and final stop on the tour is Phoenix on Nov. 14. Visit for details.) A young man, introducing himself as "one of those kids who's a security consultant," asked why the draft suggested the need for one security certification accredited by the government. "Why isn't there a need for a strong diversity of certifications?" he asked.

"Thank you for pointing that out," Schmidt said, seeming surprised that the young man had gotten that impression. He nodded and indicated that the strategy should have made it clear that yes, the market should support multiple certifications for multiple skills. He put his hand on the draft of the strategy in front of him. "I'll take this back and fix it."