President’s cybersecurity chief defends agenda

President George W. Bush’s top cybersecurity advisor defended his boss’s Internet security agenda but called for help from everyone from large corporations to individual Internet users to protect the U.S. homeland by protecting their own little piece of cyber turf.

Howard Schmidt, the special advisor for cybersecurity at the White House, defended the president’s National Strategy to Secure Cyberspace, released in mid-February, by saying Tuesday that it intentionally left most cybersecurity decisions up to private companies.

Some participants in the cybersecurity sector criticized the strategy for not including regulatory teeth with its many recommendations, but Schmidt said Internet companies know better how to run the Internet.

The president’s strategy “didn’t go out and tell private businesses how to run your businesses to be more secure,” Schmidt told a group of IT executives gathered at the Secure E-Business Executive Summit, sponsored by the Interoperability Clearinghouse, a consortium of standards organizations. “We made suggestions, we alluded that ‘one should consider,’ we alluded that ‘they can consider.’ I don’t think any of us would like some government agency to say, ‘here’s the protocols you have to use, here’s the operating system you have to use, here’s the database you have to use,’ because one size does not fit all.”

Schmidt noted that 80 to 85% of the Internet is owned by the private sector, and he said it should stay that way.

“If the government was good at innovation, the government would pay us taxes on the money they make off of innovating,” Schmidt told the executives.

However, the White House and the rest of the U.S. government does have a role to play, Schmidt said, in making recommendations to companies and Internet users and bringing together competing companies to talk about cybersecurity. “Government is great at being a convener,” Schmidt said. “I can’t think of a time where somebody would say, ‘No, I don’t want to go to the White House for a meeting.'”

The federal government can use its pulpit to call on others to pay attention to cybersecurity, Schmidt said, because some organizations still aren’t paying attention to the issue. Some observers said the Slammer worm attacks on the Internet in late January were a wake-up call for cybersecurity, but Schmidt said he’s heard those predictions before about other worms and viruses. He believes Slammer won’t be the last large-scale attack to be called a wake-up call.

Schmidt called for more communication between private industry and the government when Internet attacks occur, and he called on all Internet users to be vigilant about warning signs. Several companies had warning signs about the Slammer worm, he said, but the word didn’t spread far enough. Schmidt, who was once a police officer in Arizona, said people often hesitate to report suspicious activity or don’t recognize that the barking dog and the breaking glass together mean something.

“We have a tendency to justify the abnormal things as to why we don’t do something, because we’re afraid we’re either going to embarrass ourselves or we’re going to bother somebody,” he said. “When it comes to information sharing and homeland security, we need to get beyond that. It’s not a matter of embarrassment, it’s not a matter of bothering somebody, it’s matter of being able to make a difference.”

People seeing cybersecurity threats should pass along the information to a law enforcement agency or the nearest Internet network operations center, Schmidt said, but no one person or organization should feel they have to implement all of the president’s cybersecurity agenda. “There is a role for home users, there is a role for small and medium enterprises, there is a role for government,” Schmidt said, responding to a question about whether the Bush plan asks too much. “So as we move forward … we can all do our piece of it to make sure we’re committed to fixing the problems we’ve got.”

Earlier in the conference, Vance Hitch, the CIO of the Department of Justice detailed his efforts to tie together the IT infrastructures of more than 30 divisions, including the FBI, the Bureau of Alcohol, Tobacco and Firearms and U.S. attorneys. Hitch, hired as the department’s CIO in March 2002, said he’s in the middle of an IT reorganization focused on sharing information within the department and with other law agencies, and he said the DOJ will need plenty of help from private companies.

“We don’t need just bodies, we need committed organizations,” Hitch said. “We need people who will embrace our goals. … What I want is business partners who will become part of our team.”