Howard Schmidt: TJX Arrests Show We're Gaining Ground in War on Cyber Crime
Interview with Security Luminary on Attacks, Defenses and the Next Big Vulnerabilities
Schmidt, a household name in information security circles since his days as CISO and information security leader at Microsoft and eBay, discusses the global war against cyber criminals; the right approach to security spending; TJX and what it means to the global fight; and what approach financial institutions should take when fighting cyber fraud.
Howard served in the position of Chief Security Strategist for the US CERT Partners Program for the National Cyber Security Division, Department of Homeland Security. He has served as international president of the Information Systems Security Association (ISSA) and was the first president of the Information Technology Information Sharing and Analysis Center (IT-ISAC). He retired from the White House after 31 years of public service in local and federal government. Schmidt was appointed by President Bush as the Vice Chair of the President's Critical Infrastructure Protection Board and as the Special Adviser for Cyberspace Security for the White House in December 2001. His focus now as the first president of The Information Security Forum is to gain more recognition for the group, which has 50 percent of the Fortune 100 companies as members.
ISMG: Tell us some good news about the war against cyber criminals. The arrest and indictment of 11 hackers involved in the breach of nine U.S. retailers (including the infamous TJX breach) earlier this month -- is it the light at the end of the tunnel?
SCHMIDT: Well, I don't know that it's the light at the end of the tunnel, but the sky sure is becoming lighter as the dawn is finally reaching us. I think it is a benefit on many different levels. One, I think that on the professional level, the people side, we're seeing people on the business side and on the IT side better trained to recognize threats, including the known threats that are out there. I see the level of people being certified increasing, and this is becoming a criterion for hiring in information security.
The vendors out there are building technology and have shifted the way they're doing business, leaning more toward building protections and better security into what they're building -- and how they're building it into their services, being more cognizant and bringing security experts into their companies to build scenarios in which their products and services could be exploited. The third thing to cite is the response to these attacks. The international cooperation sends a clear message that we still may be vulnerable and there still may be vulnerabilities out there we don't yet know about, and people who are willing to exploit them for personal greed and gain, but there are people out there who are looking to investigate it and prosecute those that are interfering with our systems.
I don't know that I would say no matter where they are that they will be caught, but I will say their actions won't go unnoticed or undetected. Within the extent of the law, law enforcement will track them down and prosecute.
ISMG: What is the state of information security, both globally and here in the U.S.?
SCHMIDT: Starting here in the U.S., we've reached a point where the whole issue of information security and critical infrastructure protection is something that is now in mainstream discussions. When you see the President discussing it in his press conferences and coverage in daytime television cable news shows, this sends the message to everyone that this is a major issue and not just some niche technical issue we're dealing with.
I think at the same time businesses have realized information security's importance, some have realized it because of regulatory and compliance requirements, and some have realized that it's just the right thing to do. Others have addressed it because it is attacking their businesses, and they have upped their security processes.
Indeed, we're far from perfect, but we're doing more now than we've ever done before, and as I tell people who ask if we're winning, we're doing better than we did last year, and next year we'll do better than we did this year. But this is something we are still learning about.
Globally, as far as other western nations out there -- we're all pretty much in the same boat. One of the challenges I see in emerging economies is that while they are dealing with the economic woes, additionally they're dealing with the bad guys targeting those businesses in their economies, and they don't have the internal resources to fight them internally, so they need the technical resources to fight them effectively. Then we're also seeing some of those things leading to the formation of IMPACT (International Multilateral Partnership Against Cyber Terrorism). The prime minister of Malaysia has formed this group -- 25 nations are involved -- to work with the large economies and the developing countries to make sure they receive the benefits of technology while short-circuiting the deficiencies when it comes to security.
ISMG: Speaking of IMPACT and the incursion of the Russian Army into Georgian territory, there recently was a sustained cyber attack against government and private business websites in Georgia that preceded the invasion. Are U.S. government and private industry networks well prepared to fend off these types of cyber attacks?
SCHMIDT: For the most part, it depends on what type of attack it is and the severity of it. Going back to the Estonian days, when "hacktivists" took down the Estonian government's websites, the U.S. government realized it could happen here, and that there is a high likelihood that something like that will take place. So, consequently, we've taken a look at those areas that are critical to reduce the likelihood that something very similar to what happened in Estonia and Georgia happens here. And the question is: When is enough enough?
The perspective is that under some given scenarios we basically have the ability to withstand that in some sectors, but what happens is there are some areas that, if there was some disruption, it would be, how do I say, newsworthy, but may not have a devastating effect on the economy. That is one of the things we've done a very good job on: reducing the impact of these types of attacks, even if they're affected at all. It's down to a very short period of time, and the number of people that are bothered by it is minimized. Others may argue that differently, but the plans and scenarios are out there, and the people have been trained, to look to make sure we're taking care of ourselves.
ISMG: There have been a great many financial institutions hit by cybercrime. Are there any threats out there globally that you've seen in your travels that we should be on the watch for that haven't fully hit our shores yet?
SCHMIDT: I think the biggest thing people have to take into consideration is not what it is, but how it hits. The methodology has not changed much; these criminals who are breaking into systems haven't changed drastically in the last couple of years. They still have to break into the system and steal the data, and they have to turn the data into a monetized product, whether they're selling it to someone or using it themselves to perpetrate fraud.
Now the way it's done over the years has changed. It used to be they were attacking the network; now they're attacking the application, attacking wireless networks, which is the next big front that many of us are worried about -- the mobile environment.
Because you see, the phones we carry around now are PCs in our pockets. They are equivalent to what we traditionally do with laptops and PCs, so the applications written for those devices need to be written without vulnerabilities, and they need anti-virus and anti-malware installed. They need some kind of mechanism so that if they are lost, data can't be taken off them. So these are the things that are taking up time to develop.
ISMG: So you're saying the biggest unknown is the mobile security evolution. Are there other things out there that we should be concerned about?
SCHMIDT: There are a couple out there. One is how we will deal with identity and access management in the future, and how do we do application development security? Inherently, we've seen time and time again that what is the contributing factor in many of these hacking incidents are applications that are insecure, that have vulnerabilities. Those are the vulnerabilities that have been exploited, leading to the theft of data. So one of the things we look at globally is how do we manage identity, and how do we keep people from getting enough information about a person that then gives them the ability to do something, whether it is a fake passport, or a fake credit card?
Even simple things like going to a gas station, people think nothing of going in and plugging their credit card into the machines. Well, the criminals have put those credit card skimmers on the pumps and leave them there for months, stealing thousands and thousands of credit card numbers, which leads to even more identity theft and credit card fraud. There is a lot of our infrastructure we need to take a look at and change sooner than later.
ISMG: It seems we're hearing so much more about data breaches -- is this the year of the data breach? And what are your insights to stopping them?
SCHMIDT: I don't know if this year is the year of the data breach, but it continues to be a year that criminals look for new ways to circumvent our controls to get illegal access to our data. One of the things I think that needs to be done, especially in this financial climate where spending is a challenge and the economy is going sideways in some countries, is businesses need to harness and use the power of their professional organizations like ISF.
This is not the time to be spending more money on other things, as opposed to spending money wisely. The ability to bring a group of information security professionals together to create documents on best practices on how to protect your company is more important than it has ever been: leveraging your input, bringing in a force multiplier by bringing in the experts to figure out how to do something rather than trying something and failing, and trying something else and failing and spending more money again. Bring the right people together and leverage the same experiences people are having worldwide.
In many places, the technology is deployed. It's just figuring how to run it and handling change control. There are a lot of things that can be done in this economic climate to continue to build security and not spend a fortune doing it.
ISMG: Catch our audience up with what you have been doing as President of the Information Security Forum.
SCHMIDT: ISF is a good organization, run by volunteers who put a lot of work into it with some contracted staff. We've been growing organically, and now we're looking to go to the next level. The direction we're taking is to grow the organization and get more recognition within the profession, as well as make sure people know about the research we're doing.
ISMG: Are more regulation and compliance coming in the future? Thinking of the long-awaited data breach notification law and the identity theft bill in the U.S. legislature -- can we expect to see more of these types of laws and regulations?
SCHMIDT: In this political climate, especially in this country, I think there is a tendency for legislators to look for ways to protect their constituents, and they get calls from them saying, "I've lost my house, my identity has been stolen." Unfortunately, their laws and regulations as solutions don't always wind up solving the core problem, and they have unintended consequences. Regulations don't always solve the problem. When we start looking at this problem, other things need to be done, and when regulations come in, they need to be done with some consistency. There has to be a way where it's not going to impact the level of security we'd be willing to offer. A classic example is if you have states with 27 different breach notification laws, and you as a company have to develop a schema to handle that, it can become very expensive to the point where you don't want to be in that business. You won't want to provide that service because it's just too much risk from a legal perspective, and you wind up spending more time worrying about the legal angles of it than the business or service you're providing. So consistency and singularity in those cases where it has to be done would help tremendously.
ISMG: What do you and the ISF see as long-term solutions to the growing number of identity thefts that are happening around the globe?
SCHMIDT: It is a three-fold approach. First, develop specific awareness and education about identity theft, and not just for the companies providing services. Look at healthcare as an example. What happens if a person is wrongly identified and given the wrong drug? There are some defined processes for awareness and education that need to be implemented not just for consumers, but for businesses as well. That's one leg of the stool.
The second leg of the stool is to continue to build the technology and business processes that do all that can be done to protect identities while still providing the business or services and developing the best practices for everyone to follow to protect people.
Third is constant vigilance when it comes to prosecuting these guys. Bad guys will never ever go away. Look at society even back in the caveman days, where people would steal other people's food. We've still got burglaries and break-ins despite alarm systems, and despite a police force. We must have consequences for these crimes, because no matter what, we will still have people who will try to perpetrate these cyber crimes. So the ability to report it and for law enforcement to successfully prosecute are key.
Combine all of these and we'll end up with fewer victims and better services that people can rely on and not have to worry so much about the bad guys out there.
ISMG: What do you see for information security and its future?
SCHMIDT: I have always been the eternal optimist when it comes to information security over the years. We've got a lot of dedicated people out there working to solve problems and fight the battles along the way. They're not only fighting the bad guys, but also people within their own companies, and now at least they're not resistant to it anymore. While those people might not know information security, they realize that we do and are allowing us to do those things we need to do more than before, such as grow the business by helping protect the brand and ensure the consumers and customers are protected. I think now that we're becoming more cohesive as a profession and our voices are being heard, the key line is that in times of economic turmoil, as we see today, now is the time to define information security practices more than before, because no business can now afford to waste money doing things the wrong way; they have to do it the right, secure way from the beginning.