Exclusive: Schmidt says cyber progress being made quietly behind the scenes

Friday - 4/22/2011, 7:36am EDT

WFED's Jason Miller with Howard Schmidt, White House cybersecurity coordinator

By Jason Miller
Executive Editor
Federal News Radio

Howard Schmidt isn't interested in measuring the progress the Obama administration is making in securing federal computer systems by the number of policies or initiatives it announces.

Rather, the White House cybersecurity coordinator and special assistant to the President said agencies are making improvements out of the public eye and much more quietly than in previous years.

"We are operationalizing a lot of these things," said Schmidt in an exclusive interview with Federal News Radio. "When the decision was made to go to TIC, DNSSEC, looking at the Federal Desktop Core Configuration, and looking at some of the other things we are doing to assist intrusion detection and prevention across the government; these are all work that is being done on a regular basis."

But this lack of public exposure also is leading to the perception that Schmidt's office and the Office of Management and Budget are less interested in federal agency cybersecurity, especially compared to the focus the Bush administration gave it.

Over the past two years, OMB issued six memos on cybersecurity, including two that just detailed Federal Information Security Management Act (FISMA) guidance, compared to 14 under the Bush administration the previous two years.

Schmidt and others are quick to point out that memos alone are not a measurement of interest or improvement.

Federal and private sector experts, however, say there is a vacuum around leadership of cybersecurity being filled by the National Institute of Standards and Technology and the Homeland Security Department. But NIST and DHS have much less and, in some cases, no authority over agencies.

The experts, who requested anonymity so they could speak more freely about this sensitive topic, said industry and agencies aren't getting a clear message that cybersecurity is as important as, say, cloud computing or openness and transparency.

Several federal chief information officers and industry executives say they were surprised that federal CIO Vivek Kundra barely mentioned security when he issued his 25-point IT reform plan in December.

At that White House event, only Defense Department CIO Teri Takai brought up cybersecurity, saying the government needs to give IT security the same attention it is giving efficiencies and reforms.

Kundra responded to Takai's statement. "I can't overstate the importance of security. Our view - it's vital. It's baked in. These reforms are targeted about how we manage the $80 billion portfolio. To me, security is part of that DNA. It's not something that is separate."

The Obama administration brought a lot of hope around cybersecurity when it first came into office. The President requested a cyberspace policy review report and named Schmidt to be the first cybersecurity advisor in the White House. Schmidt also sits on the National Economic Council to help advise how cybersecurity issues affect the economy.

But over the last 15 months, Schmidt's focus has been mainly on external issues, including the development of the Strategy for Trusted Identities in Cyberspace, which the President issued April 15, as well as working with the private sector to improve partnership and information sharing.

OMB, meanwhile, has changed FISMA to move to continuous monitoring done by DHS, established blue and red teams at DHS to test agency networks, and issued a memo last July giving DHS more authority and responsibilities over FISMA.

Experts say these are minor things, many of which were in process when the Obama administration came into office.

Just recently, the White House sent draft legislation to agencies for review that would boost DHS's authorities and responsibilities around civilian agency cybersecurity.

Schmidt would not comment directly on the move to codify DHS's role in protecting civilian agency networks.

"The existence of any draft or legislative stuff is something, of course, we would be working very closely with our legislative partners and the executive branch on," he said. "Speculation on what may be out there is not something you and I can be in a good position to discuss right now."

Schmidt added that DHS's responsibilities when it comes to protecting the .gov domain and working with the private sector are clear.

"I don't know if there is any question about that," he said. "We've seen it through memos. We've seen it through HSPDs in the past. So, I hear people say that from time to time but the bottom line is there is no lack of clarity when meeting with the CIOs, CISOs and the executive leadership across the agencies. Everyone is clear, that I've dealt with, that hears the roles and responsibilities that the departments and agencies have, DHS has, NIST has, and what the EOP does."