Schmidt says cyber coordination on upswing

Monday - 8/9/2010, 6:52am EDT

By Jason Miller
Executive Editor
Federal News Radio

"We are probably better organized now as a government working internally than we ever have been in the past."

That is how Howard Schmidt describes the changes he's seen during his first six months as White House cyber space coordinator.

Schmidt says he meets regularly with the departments of Commerce, Defense, Homeland Security, State, Treasury and Veterans Affairs to cover a breadth of areas related to cybersecurity from policies to procurement to people.

And he also brought in cabinet officials and private sector experts to the White House in July to discuss cyber issues.

"It was a good opportunity to say 'here are some things we are doing, but by no stretch of the imagination we are anywhere close to being done but we are making progress and the senior members of government really care about this,'" says Schmidt during his presentation to the Information Security and Privacy Advisory Board (ISPAB) Friday.

Schmidt says among his top priorities are to reduce the vulnerabilities agency systems face, implement logical access using secure identity cards and improve communication and sharing with industry.

Along with requiring the use of employee and contractor secure ID cards to log on to networks, Schmidt's office also is reviewing comments on the National Strategy for Trusted Identities in Cyberspace and its implementation plan.

Agencies, vendors and other experts submitted comments July 19 on the strategy and later in July on the implementation plan.

The plan, which Federal News Radio obtained, calls for the government "to establish a National Program Office that will take the lead on federal coordination and is responsible for advancing the goals of the strategy," and "create a comprehensive list of the activities needed to enact the full vision of the strategy," including plans to accelerate the expansion of government services, pilots and policies for identity ecosystem, work to implement enhanced privacy protections and coordinate the development of risk models and interoperability standards.

Schmidt says the strategy could go to the President for his signature by the fall.

"It's been an interesting exercise on that," he says. "I've found over and over again that there is no shortage of opportunities for people to misunderstand something that is written. I still get e-mails from people talking about the government taking over identities in cyberspace. For those of you that have actually read the draft, you can see that it's quite the opposite. What we are trying to do is look for an ecosystem out there that people can voluntarily participate in whether they want some strong identity to financial transactions or do e-commerce or nothing at all that they want to do. That's their choice."

He adds that whatever comes from the strategy will not be a government entity, but rather a private-sector entity, a non-profit or a consortium that builds the system and gives citizens the opportunity to do as little or as much as they want.

The White House, however, wants federal employees to only use their secure ID cards under the Homeland Security Presidential Directive-12 initiative to log onto agency networks.

He says now that more than 80 percent of all federal employees and contractors have HSPD-12 cards, it's time to use them.

"There will no longer be a day when you will have to remember 14 character complex passwords and have to replace them every 60 days," he says. "We will have a mechanism by which we will have a two-factor authentication device that gives us the ability to do digital signature encryption for anyone to be able to use. Agencies are making good progress and recognize this is overdue and are working hard to do it."

The use of two-factor authentication for logging onto computers also will help reduce the cyber vulnerabilities agencies face.

Schmidt says closing up these common cyber holes will not only help stop hacking and attacks, but also let agencies focus their time and money on the more complex and egregious problems.

"Number 1, identify where the vulnerabilities are, where the reoccurring vulnerabilities reoccur and how to remediate them while still keeping the machines and operating any applications we are doing," he says. "The reason the [attacks] are successful is because we have vulnerabilities. If we reduce the vulnerabilities, we reduce the likelihood of someone being successful."

Reducing cyber vulnerabilities also requires cooperation from industry. Schmidt says agencies typically don't understand the capabilities vendors bring to the table.

"I know firsthand how robust disaster recovery plans, business continuity plans and the efforts, expense and resources that private sector is putting in not only in their enterprise but the enterprise their customers use," he says. "When you look at the…ecosystem of running an IT system, we are moving in a direction where we are building it in from the very beginning instead of trying to go back and patch it."