Howard Schmidt, who was appointed by the Obama administration to lead the federal government’s cybersecurity efforts, is retiring after serving in the White House advisory role for over two years. His leadership is being mostly praised by experts in the security industry, despite a myriad of cybersecurity-related issues they say remain unaddressed.
He had to let vendors know that they don’t get to demand everything and not deliver secure products.
Alan Paller, director of research, the SANS Institute.
Schmidt will depart at the end of the month. He will be replaced by Michael Daniel, chief of the White House budget office’s intelligence branch, according to a report by the Washington Post. Daniel has been involved in funding projects for the intelligence agencies. He led intelligence reforms after the 2001 terrorist attacks, and coordinated funding for the Comprehensive National Cybersecurity Initiative, which began under the Bush administration.
Schmidt was appointed White House cybersecurity coordinator by President Obama in December 2009. His role was to help manage cybersecurity policies across government agencies, coordinate cybersecurity responsibilities between the NSA and the Department of Homeland Security, as well as work with the private sector to advocate for better security defenses for critical networks and infrastructure.
There is still a lot of unfinished business.
Marcus H. Sachs, former White House advisor on information security
Schmidt gets high marks for increasing the public’s visibility of cybersecurity issues, but he falls short on using the White House to get security vendors to work together to protect the nation’s critical infrastructure, said Alan Paller, director of research at the SANS Institute. Paller said security vendors are wielding too much power, which is resulting in ineffective legislation.
“They’re damaging every bill and killing the ones that might make a difference,” Paller said of security vendors. “He had to let vendors know that they don’t get to demand everything and not deliver secure products.”
Schmidt’s retirement comes at a time with key legislation before Congress. Two bills in the Senate that aim to address network security at critical infrastructure facilities are being hotly debated. Two other bills, the Stop Online Piracy Act (SOPA) and the Protect IP Act (PIPA), aimed at curbing software piracy, were quashed by an outpouring of vocal opposition from privacy advocates as well as high-profile security experts. Schmidt and the White House were opposed to parts of the legislation. The Senate is also beginning to deliberate over the CISPA legislation, which passed the House last month. It would clear security vendors from any liability over sharing customer threat data with intelligence officials at federal agencies. The White House has sided with privacy advocates, threatening to veto the bill.
Schmidt has done far more than anyone to strengthen cybersecurity at the federal level and communicate the role everyone has to protect sensitive data, said Marcus H. Sachs, a former White House advisor on information security. Schmidt and Sachs worked in the Bush administration and helped develop the National Strategy to Secure Cyberspace, published in February 2003. Schmidt did not update the national strategy, Sachs said, but he did succeed at creating the National Strategy for Trusted Identities in Cyberspace, which is seeking support from the private sector to develop secure electronic identities to identify individuals.
“It’s one thing to come up with all these great plans, but we still need to see that they be executed on,” Sachs said. “There is still a lot of unfinished business.”
Sachs said the next coordinator needs to address roles and responsibilities of government agencies and create a clear definition of the Department of Justice and law enforcement’s role for cybersecurity versus the Department of Defense’s (DoD). The private sector also plays a critical role in defending against a cyberattack, Sachs said. The Internet is unique in that it was built and is maintained by the private sector.
“This is not something the military can dominate without the private sector’s involvement,” Sachs said. “Howard did a lot in terms of building those bridges.”
Schmidt held high-profile and top information security positions at Microsoft and eBay during his career. He also served in the Air Force, something that experts say helped bridge the communication gap between the DoD and civilian authorities.
The White House could have given Schmidt more budget authority, but ultimately he was dealing with a lot of competing priorities, making objectives difficult to completely accomplish, said Gregory Garcia, a former cybersecurity and communications assistant secretary in the U.S. Department of Homeland Security. Garcia said Schmidt also helped foster better communication between the government and the private sector to get the focus on securing critical infrastructure.
“When he came into the job, one of the first priorities was to get the federal agencies working together in terms of securing their own systems, but also working together on policy matters and establishing the lanes of the road,” Garcia said. “Howard was the whole package … he advanced the ball on cybersecurity in terms of awareness of the need for better cybersecurity and the priority the government is placing on it.”
Garcia said Daniel, who is slated to take over Schmidt’s role, is more likely an insider who knows the inner workings of the federal bureaucracy. “You can have an insider mechanic and perhaps Daniel fits that, or is someone who has been in government for a long time who understands the complex interplay in the federal system and has visibility in the private sector,” Garcia said. “It’s hard to find both, but [Schmidt] had both; an understanding of the private sector as well as government processes.”