Howard Schmidt officially steps down this week as the Bush administration's cybersecurity advisor, leaving the government without a public point-person on computer security matters.
His departure doesn't reflect well on the White House's commitment to cybersecurity, especially in light of Richard Clarke's resignation in February. Clarke previously held the position of presidential advisor on cyberspace security and chairman of the president's critical infrastructure protection board.
There doesn't seem to be an heir waiting in the wings to fill Schmidt's shoes, either. As it stands now, the top federal official with any responsibility for cybersecurity is a lower-level official in the Department of Homeland Security.
Few would doubt the usefulness of having a high-level official to influence federal policy about cybersecurity matters. What that person can actually accomplish is a different matter, experts said. For example, the National Strategy to Secure Cyberspace, released in February, was widely regarded as a "toothless" document for its lack of regulation and its abundance of recommendations on public-private cooperation.
In some ways, improving cybersecurity will take an organizational effort similar to the war on drugs, suggested Eugene Spafford, a computer science professor at Purdue University in Indiana and a well-respected cybersecurity expert. In other words, Spafford suggests a position like that of the drug czar, so that the person filling the position can work with the various agencies that have some dominion over cybersecurity. "We need somebody who can form and advise on policy and can exert some level of influence in the government," he said.
Computer security is a unique problem because so many people have access to computer networks. The second most accessible infrastructure is telecommunications, "but you don't have the level of access with them that you do with computing," Spafford said.
Still, a cybersecurity official must be more than just a policy wonk, said Bruce Schneier, founder and CTO of Cupertino, Calif.-based Counterpane. "Appointing a czar won't necessarily protect credit card numbers. But passing liability laws will."
Schneier said that having the word "czar" in the title doesn't really matter, just as long as the person has real power in the administration. In other words, the person should know what needs to be done and have the ability to get it accomplished.
Both Schmidt and Clarke pretty much knew what needed to be done, Schneier said. "Howard Schmidt is a smart guy. We didn't always agree, but I would prefer to have a smart guy in there who I don't always agree with than a dumb guy who always agrees with me."
However, the options open to Schmidt and Clarke were limited. The administration's approach to improving cybersecurity has focused more on "press releases and documents and not enough meat," Schneier said. The National Strategy to Secure Cyberspace is a case in point. "If in six months, little is done, then it meant nothing," he said.
Truly improving cybersecurity will take a mix of approaches, Spafford said. One can't take a "one-size-fits-all-approach" to improving security, but all avenues have to be explored. The government can use the "carrot and stick" approach, in addition to setting a good example itself.
Carrots could include tax credits or other enticements that encourage secure practices. Sticks could include lawsuits or penalties for vendors selling insecure hardware or software. Today, small companies don't really have any recourse when products they buy are insecure. Their lot is similar to that faced by cigarette smokers years ago: the tobacco industry argued that smokers knew the risks and so escaped liability, but over time the environment changed.
The federal government can also set a good example by being a paragon of good security practice, which it isn't today, Spafford said. Today, government agencies install cheap systems and secure them afterward, rather than paying extra to get more secure systems in the first place. "It's like the Navy deciding to buy rowboats instead because they are cheaper," he said.
FEEDBACK: Ultimately, does the lack of a cybersecurity czar impact your company's IT security?
Send your feedback to the SearchSecurity.com news team.