[ Music ]
>> Howard Schmidt has had a long and distinguished career
in defense, intelligence, law enforcement, privacy, academia,
and international relations that spans more than 40 years.
He served with the Air Force, police departments, the FBI,
and the White House on the government side, Microsoft
and eBay in industry, and has headed the Information Security
Forum, and has served on advisory boards
such as the Department of Commerce
and Information Security and Privacy advisory board,
the permanent stakeholders group
for the European Network Information Security Agency,
and a high level experts group
for the International Telecommunications Union.
Mr. Schmidt is currently special assistant to the President
and is the cyber security coordinator
for the federal government.
In this role, Mr. Schmidt is responsible
for coordinating interagency cyber security policy
development and implementations and for coordinating engagements
with federal, state, local, international,
and private sector cyber security programs.
Howard.
[ Applause ]
>> Schmidt: Thank you very much for that kind introduction and,
once again, thanks for the invitation
to this very important event and special thanks
to Secretary Locke
and the Commerce Internet policy task force
for putting this together.
Secretary Locke was at an event I held
at the White House last week, and it was not only great
to see him as my former governor, but it was also great
for him to participate in the event
and really show the leadership that Department
of Commerce is putting together in this effort as well
as their contribution in the overall efforts that we're doing
in helping the commercial sector face some
of the cyber security threats that we see today.
You know, as we, many of you are very much aware
of our cyber security policy in the U.S.,
it's devoted significant attention to the issues
of looking at the systemic risk across the infrastructure,
and I see Ken Watts and a few others
in the audience have been doing this for a long time
and recognize back when we used to talk about the owners
and operators of critical infrastructure, the 85%,
and looking at the numbers of mix and match
between government systems and private sector systems,
we recognize that there is a tremendous, tremendous risk
in the critical infrastructure, which just as importantly,
and one of the things I am really appreciative
of the Commerce taking the lead on is looking at the rest
of the sectors, looking at the commercial entities here
and looking at the business world as we look at.
When we look at some of the things we've done,
for those of you who that haven't heard in the past week
or so, some of the things that we've been talking
about that the government has done, for example,
the release of the national strategy
for trusted identities in cyberspace.
We released that last month which is out of character.
It's not a, you know,
requirement to release these sort of things,
but it was important to us to make sure that we did hear
from the private sector on a whole myriad of things relative
to trusted identities.
But the key issues looking
to have something that's a voluntary basis.
There's privacy enhancing that basically people get
to feel more secure in their transactions online,
but not limited to government.
Looking at private sector to sort of put things together,
they give people the choices they want to have, form factor,
the type of sort of solutions they want to use
to protect their own privacy, how they control it,
and making sure we're not in an environment where sort
of the government is a solution for identities,
and getting the feedback from people has been wonderful.
Relatively short time frame, but we're trying
to push these things out and do them
in a rather quick manner rather than go
through the traditional take 6 months to develop a plan,
then out of that, we're going to develop another plan.
The other thing is the national cyber security incident response
plan which is being developed by the Department
of Homeland Security, once again, a collective effort
in putting things together, bringing this to a point
where during the Cyberstorm III event coming
up this fall we'll be able to actually put this
into play working with the private sector
and across the government.
The other thing that we've been doing
from the government perspective is issues around FISMA,
the Federal Information Security Management Act,
and this has been a big issue for many of us,
particularly those that have to implement this moving away
from the environment where to become FISMA compliant,
you don't necessarily have to be secure.
I've used this comment many, many times.
I think this is another good forum to reiterate it,
that the idea is if you become secure,
you become FISMA compliant.
And so changing the way we look at this,
changing the way we look at metrics, changing the way
that we wind up doing continuous monitoring is really key
to our ability for the government systems
to be more secure, but also look collectively.
But these efforts are, and continue to be, a foundation
in what our cyber, what our overall cyber security strategy
is, particularly, and someone raised this to me this morning
which really was surprising,
we're actually entering the second decade
of the twenty-first century, and it seems just
like yesterday we were worrying about Y2K and here we are,
you know, ten years into this issue.
So when we look at this, we recognize some of the things
that we've done to get us here are not sufficient,
and I've got a distinguished panel coming
on after I get finished that'll talk about some of those issues.
But as the President said in his speech last year
that this is one of the most serious economic
and national security challenges we face as a nation,
and that our economic prosperity
in the twenty-first century depends on cyber security
in cyberspace, which is one of the things
when the President created my position,
making sure I was dual hatted, to widen the field of view
so we're looking just beyond the national security interests,
but also looking at things
that enhance our security and our prosperity.
And today's symposium, of course you're aware, this is going
to take us to another level.
Also with the Department of Commerce's release of the notice
of inquiry that these are significant steps
in meeting the President's mandate.
So sometimes, believe it or not, I've actually had people say,
well why should we care?
And I think there's a real case
where [inaudible] again this symposium here identifies how
critical cyber security is in our economic competitiveness.
Some of the stats that I got which I found even unbelievable
as long as I've been doing this, the Internet now serves
as a platform for 10 trillion in online transactions and expected
to surpass 24 trillion in 10 years.
Last year even while the economy overall was struggling,
experiencing what many of you refer to as a downturn
in total retail sales, online retail grew by 2%
to almost $135 billion.
I mean, that says an awful lot.
The other thing is that businesses of every size
and type across our nation really depend
on the communication information networks that we, many of us,
have learned from an entertainment perspective,
from a government perspective, but clearly this is much broader
than that, that basically even some simple business things,
like running their travel, running their payroll systems,
basically just through day to day operations depend
on the Internet and the very technologies
that the Internet gives us on a day to day basis, but with that,
I think there is still a lot of work that needs to be done
in recognizing that with these great strides in technology,
there are vulnerabilities that many people don't anticipate.
I know in my most recent life, I was sitting down with a bunch
of VC's, and talking about business plans and some
of the things that small businesses were looking to do.
They had great business plans.
They talked about the things they were going to sell,
the things they were going to make,
the innovations they were going to do,
whether it was mobile platform or it was a look
at enterprise platform.
But rarely did I find anybody saying about, you know,
how we're going to be able to protect this technology,
what are we going to do to make sure that we have cyber security
in our startup business plan.
As one of the things when I look at some of the work
that Commerce and the Internet policy task force is doing
to make sure that that conversation takes place
in everything that everyone's doing.
But when we start looking across the bigger structure and we go
into the issue about critical infrastructure [inaudible] other
businesses, there were an estimated 29.6 million small
businesses in the United States in 2008 according
to the Small Business Administration.
The National Cyber Security Alliance did a survey
of 1500 small businesses last year and found out about 65%
of them store some sort of customer data
on their local systems.
Oftentimes those systems are multiuse.
They use them to do their personal email,
their business use [inaudible] stored on the same system,
and connected to the Internet.
Significant percentage of these companies also store credit card
information, financial records, their intellectual property,
personal emails, and everything else, yet only 53% of them
that were surveyed checked their systems to ensure
that operating systems, firewalls, antivirus,
anti-spyware, anti whatever the bad things
out there might be are even up to date.
You know, that data point unto itself is interesting,
but the one that really worries me is the fact that 11%
of them say they never check it at all.
So when you start looking at the things
that small businesses need to do in the economic world today,
we really need to look at some of these things.
The other parts of the survey were interesting that only 20%,
28% of U.S. small businesses have formal Internet security
policies although 35% of them say they do have training
for employees on how to protect themselves
from Internet security issues.
Fifty six percent of them believe
that cyber security is the cost of doing business,
and 21% believe it's just a nice thing to do.
Twenty five percent
of the businesses do not ensure password protection
for their wireless networks.
You know, this is an interesting take because, as going back
to the early days of war driving for wireless connections
and many of you may remember some of those days,
it was not uncommon to find a very small amount
of wireless connections and most of them open,
and now what I'm seeing, and particularly since I'm living
in the downtown areas as I go around with my mobile device
and look for wireless connections and see list
after list of systems that are locked out which is a good way
of doing business and particularly
in the high density population areas down where I live at.
It's seen even in the condominium complexes
that people are locking those down,
so we are making a difference, and I want to make sure
that while 25% of the businesses do not ensure they have it,
there's a lot of people that 75%
that just a few years back would have been much smaller
than that.
So when we look at some of the strides that we made
in this area, we're looking at some
of the things the government's done, we recognize
that the threats are growing as well.
Symantec report in April type of mass distribution intrusion
such as phishing exploits, spam, Trojans,
are typically now targeting individuals, and if you think
of the evolution of this, this used to be attack on companies
and universities and governments,
and now it's directing more towards the individuals.
There's actually sort of this underground business
of crimeware where we've actually seen some
of the things, and for those of you that research this,
you've seen them as well,
that are actually competing against each other.
Buy my crimeware, you know.
We do tech support 24/7.
You know, we have an ability to support our crimeware.
That's how prolific this has become today.
So there's that competition between them,
which basically really is telling
that how profitable this is for them.
And when you start looking at the advanced persistent threats,
or the APT as we call them in the government a lot,
against large enterprises, those are becoming more common
as cyber criminals are looking to economic espionage
and exploit intellectual property,
financial data, and customer data.
You know, it's all about the data.
That's what they're after now.
But we also remember that it's because of the insecure systems
out there, don't just put the businesses themselves at risk,
they put all of us at risk.
We start looking at some of the major data breaches.
While some of us may do good security in our day to day world
because our data's somewhere else, we have to make sure
that they're paying as much attention to it
and as serious about it as we are.
But we can do better in helping to protect American businesses
and reduce the risk that we have out there
with some basic safeguards
that would help enhance our economic security
and competitiveness by reducing some
of the systemic vulnerabilities that we have.
So whose responsibility, and, of course,
we talk about this all the time,
and it's a shared responsibility,
and probably more sensitive
than I think we've ever recognized in the past.
When the President gave a speech last year, he said,
"We will collaborate with industry
and find technology solutions that ensure our security
and promote prosperity."
That's one of the things that we're looking to do
with the event and the work that Commerce is doing on this.
We have to continue to find ways to work together.
I think most of us are probably looking for a new way
to discuss public private partnerships.
You know, back in the mid-90's
when that became a very popular term, we had it defined as well,
private sector would get together and sort
of organize amongst themselves, looking for ways
to share information on threats, vulnerabilities,
and best practices, and hopefully give some
of that information to the government.
But we've come a long way since then.
We have to redefine what it really means
and actually make sure we're doing things that are going
to be not only helping the government do its job,
but also help private sector to be more productive
and more economic and reduce the economic challenges
that we have today.
So some of the ways we need to do that, which is why events
like this are important and the Secretary's commitment in this
as well as Secretary Napolitano by the way
in the event we had last week.
We need to raise awareness amongst business leaders
to make sure that they understand
that the cyber vulnerabilities
in their enterprises can be integrated into business risks.
It's got to be part of the matrix.
It's got to be the things they're talking
about at the board level and the executive day to day management.
Looking to promote extensive and comprehensive changes
within their business model
to make sure they're looking after these things.
That would go a long way to help us improving our
security overall.
We also have to look at the metrics
and what are the incentives.
There's a lot of discussion as how can we get them to say
when they're trying to drive forward business needs
and technology development, how we can say, "We're not going
to throttle you down with security,
we're going to enhance it," and build this into some metrics
that says by doing this better,
here's how your business improves as well.
We also must look at the area in the research and development,
and there's been a lot of discussions
from the government side recently about what are we doing
in a private, in the R&D environment, looking at doing
that consistent with the needs of private sector,
so my sort of, you know, advertisement, if you would,
is a lot of these things if you go
to whitehouse.gov/cybersecurity, you'll be able to find a lot
of these things that I've talked about so far
in my comments today, but also get some more links to some
of the things the Department of Homeland Security are doing
and the Department of Commerce, the R&D world
from all [inaudible] technology policy
and looking how all these things are coming together
to make [inaudible] changes.
So in my closing comments,
and I know we're running a little bit late,
just sort of remind us that we are indeed diverse communities
across the government and the private sector,
but together we can bring those resources
to actually make some [inaudible] changes and to look
at our collective authorities to identify threats, put the word
out about what those threats are,
how to remediate those threats, and make sure, and as important
as anything, that we're developing the next generation
of technologies that basically are going to take
into account the threats that we've seen
and work this way collaboratively.
Now I look forward to hearing about the panel coming after me,
but as the President said last year,
"The nation that invented the Internet,
that launched the information revolution,
and transformed the world,
what we did in the twentieth century will lead once more
into the twenty-first century.
Working together, we can become more secure, more prosperous,
and we can do our part to secure our part of cyberspace."
So, thank you, once again, for the opportunity
to come here and address you.
Thank you.
[Applause]