Establishing Digital Trust: Don't Sacrifice Security for Convenience
WASHINGTON -- The man hand-picked by the President to run point on the titanic endeavor of reshaping and modernizing federal cybersecurity will be the first to admit that there is no silver bullet to solve the problem.
Keeping hackers out of sensitive public and private networks isn't a matter of better defense. Or education. Or deterrence. It's all of them, and then some, Howard Schmidt, the White House cybersecurity coordinator, said Thursday here at a government and industry conference.
Instead, Schmidt outlined a multi-pronged strategy he is trying to orchestrate across the agencies that seeks to do many things at once, while acknowledging that cybersecurity is a cat-and-mouse game, and that there is no universal panacea.
"Of course, in our planning, our strategic planning, we have to always consider the worst-case scenario. But we can't build our resources on that because the resources just aren't there to do it," Schmidt said. "So as a consequence we have to look at the issue of resilience."
Resilience, as Schmidt sees it, is similar to what an enterprise might classify as risk mitigation or disaster recovery. The idea is that when an attack breaks through -- and government officials acknowledge that civilian and military systems are probed around the clock -- it is detected early, that the damage and disruption are kept to a minimum, and that the affected systems are restored quickly.
For Schmidt, the analogies to the private sector come easily. In addition to a lengthy military career and extensive experience in government, he has also held senior security positions with Microsoft (NASDAQ: MSFT) and eBay (NASDAQ: EBAY). President Obama gave Schmidt the nod to step in as the first White House cybersecurity coordinator in December, tapping him for a job that involves extensive coordination across the federal agencies and with Congress and the private sector.
Evaluating the cost/benefits of cybersecurity
Schmidt stressed a policy of deterrence as a central operating tenet of his fight against cyberthreats. "We look at the cost/benefits of doing cybersecurity," he said, explaining the doctrine of deterrence as "trying to deny any benefits to our adversary."
In practice, that could mean erecting defenses so substantial that it would consume more resources than an enemy could muster to mount a successful attack. In other words, how can you make the process of cracking a system more costly than whatever the hacker stands to gain from the intrusion?
Part of that entails new perimeter security technologies under development within the administration, including a trusted Internet connections initiative, and the development of versions 2 and 3 of Einstein, the government's automated system for monitoring and analyzing security threats.
"The idea that some e-mail comes through and looks like it's from the director of NSA that looks realistic enough and gets to your desktop and that you believe it's real and you feel compelled to click on -- it should never even be there," Schmidt said.
In championing less porous perimeter defenses, Schmidt acknowledges the limits of user education. That is, no matter how much coaching you give rank-and-file staffers on sound computing habits, malware purveyors are constantly working to polish their product to make bogus e-mails, spoofed websites and other traps look more like the genuine article.
"We can't go out with the idea that we're going to somehow teach end users how to be security experts. And that's one of the things for a number of years we tried to focus on," he said. "We need to make sure that we're not putting people in the position to use skills that they don't have."
That's not to say that Schmidt and his team are abandoning the notion of educating users altogether, only accepting its limitations. Indeed, a multi-pronged education strategy remains a central part of the administration's cybersecurity strategy.
That includes both a general public education campaign and efforts to expand cybersecurity training programs at higher-education institutions.
The education efforts outlined in the recommendations of Obama's cybersecurity policy review also call for policies to promote the training, recruiting and hiring of cybersecurity experts, both in the private sector and the government. In the latter, Schmidt noted that the agencies remain at a disadvantage because many have not created a viable career path for cybersecurity experts, a situation his team is hoping to correct.
"In the Department of Defense we've made tremendous strides, but on the civilian side we need to continue to move forward," he said.