Cybersecurity expert Rod Beckstrom chats with Howard A. Schmidt

Recently, Rod spoke with the former White House cyber security chief and partner in Ridge-Schmidt Cyber about Edward Snowden, the Heartbleed bug and life after the White House.

Howard Schmidt

According to Michael Daniel, who’s now in your old position in the White House, there are significant “barriers that the marketplace has to date failed to overcome: interoperability, liability, usability and privacy”. How do you think these should be addressed?

We’ve been saying this for a long time. Back when I was in a corporate environment, one of the vice presidents said, hey, nobody’s asking for security. They’re asking for reliability, scalability, manageability, but nobody’s asking for security. So why should we put security measures in our products? We can always respond if something happens. And even if it does, that doesn’t mean it will happen on a widespread basis. It’s a small number of people with very specific skills and people with an axe to grind who would do these things.

But the mass intrusions we are seeing today are becoming standard and all the national strategies since I arrived at the White House have addressed these key principles. We’ve been talking about them in the security world for over 20 years.

The only thing I would add is the emphasis that we now have on privacy. While a number of people and organisations have always paid attention to privacy, we really didn’t see the high-level government and corporate attention to it that we see now. Privacy must be a factor in all our considerations.

What has changed since you left the White House? What do you know now about cyberspace that you wish you had known then?

I wish I had known how governments would react to so many different aspects of cyber security. First, many governments believe that government can solve the problem. It’s their responsibility, their jurisdiction. They believe if they take over the Internet, things will be better.

The second thing – and I’m not a novice, nor am I naïve – is seeing what the United States was doing from an information collection perspective. I wish I had known that so I could have taken a different stance on it. Because my role – and they were very clear on this – is that I was the defender, not the guy who handles these other things. So it was a difficult position to be in. I was supposed to be developing policies and strategies that would actually work with what the intelligence agencies were trying to do. And I wish I had known what a strong force I was up against – I would probably have been a little bit more assertive in dealing with that, not just dealing with critical infrastructure issues.

A year or so after your departure from the White House, the Edward Snowden story broke. How did you feel when that happened?

A couple of weeks after it broke, I was with the host of a conference in Germany – a major CEO in Europe – who had just seen President Obama state that the U.S. does not spy on its citizens. He asked me questions I couldn’t answer: since I’m not a U.S. citizen, does that mean that the U.S. spies on me? I send emails to my U.S. colleagues and I call and visit the United States. Am I being spied on?

And my response was: I don’t know. The bottom line is that intelligence agencies around the world can spy on anyone who is not a citizen of that particular nation state. And in many cases even if you are, they can and will spy on you.

After the session that I led on cyber security, another CEO of a smaller European company said this is great for us. Now we can market our Cloud services in Europe as a way to prevent U.S. access to information. So this made me think a lot more about the revelations as they affect people beyond our borders. Not everyone in the world sees the revelations as a bad thing.

Do you think that the revelations and concerns expressed by some parties around the world are having a significant impact on Internet governance discussions?

Yes. There has always been a lot of discussion about what governments may be doing and should be doing, but I think the revelations have had an impact. I don’t know what the results will be – only time will tell. But the pendulum has swung to those advocating less government control. They have a much louder voice than they had before.

Many in the technical and security community view you as a defender of the Constitution. How do you feel today about where the U.S. Constitution stands on this?

I raised my hand when I was 18 years old and took an oath that I will defend the Constitution. I take that seriously.

Many people are looking to work their way around the Constitution or to interpret it to their own benefit. A lot of people, some in legislative positions, don’t really understand how technology affects policy, how policy affects technology and what we all have to lose and to gain.

So as a consequence, when you look at all these things coming together, things are invariably going to change. There will be events that challenge us and my only real concern is that some people will view these events as a way to argue that leaving it in the hands of private sector has not worked and we need greater government control over the Internet. And if you’re not well grounded in how all these pieces fit together, including the technology, that discussion could go badly very quickly.

NATO has announced that its members will agree to defend each other in the event of a cyber attack, the first time that a major alliance has come to such an agreement. What do you think about this move? What does it really mean? What issues will NATO face in implementing this?

This has been debated for a long time. Under Article 5 of the NATO Agreement, an armed attack against a member nation is considered an attack against them all. Many defense organizations have said that should apply in cyberspace, too.

The distinction is that when you start considering military in a cyber context, you are looking at activists, at criminals, not at a military force. Here in the United States, for example, you’re not going to have the United States military going after an activist group unless there’s some direct correlation to military activity. And even then, the FBI would have the lead from a civilian perspective.

NATO members that I’ve worked with, including the United States, have said we don’t have that right. It’s a matter of how we exercise it, which is still one of the biggest problems.

The other thing to look at is capabilities. While many feel that the United States has the greatest cyber capabilities both defensively and offensively, we are not unique in that.

Back in the late 1990s, I was invited to visit several Eastern European countries. I was not in government at the time, and they showed me the tremendous capability they had. Of course I had no way to validate their claims. But the bottom line is that NATO member states aren’t the only players in cyberspace. A lot of other countries have significant capabilities. So this issue is much broader than just the NATO Alliance.

There’s a great debate out there about Edward Snowden. Many people believe he’s a traitor and others believe he’s a hero. How do you view Snowden?

I’m not a lawyer so I can’t make a determination of someone’s legal status. But only time will tell. With the benefit of time, acts that were considered traitorous in the Civil War are now seen as acts of heroism. So we really don’t know how history will view Snowden.

But everyone in government has signed a legal document requiring them to protect classified information. They have sworn to do something and with rare exceptions – for instance, obeying an order in a combat zone – they have the duty and the responsibility to protect classified information. If you have exhausted legal channels without success, what other route do you have without committing what some will consider a traitorous act and others will consider an act of freedom fighting? It will be a long time, I think, before there’s a good answer. People will always have differing perspectives.

One of the other big surprises recently is the Heartbleed bug that showed up in open SSL. Your thoughts on that?

Just so you know, I am Chairman of the Board of Codenomicon, one the two companies that discovered Heartbleed. Google was the other.

When I was at the White House the first time, we were getting ready to go into Afghanistan and I got a call saying that a vulnerability had been discovered in ASN1, the implementation of the encoding protocol. It turned out to be from the University of Oulu in Finland. I had never heard of that university, though I knew Finland very well. Then I got an invitation to join the board of a Finnish company called Codenomicon that discovered the vulnerability in ASN1. I resigned from that board when I returned to the White House, and when I retired they invited me to rejoin.

To have a vulnerability exist through so many generations is a testament to the fact that we need to do a better job in writing software. Whether it’s open source or commercial, we need to have more focus on secure development, to make software secure by design and to help identify vulnerabilities that may exist in a code that’s been around forever.

I’m also Executive Director of a non-profit organisation called SAFECode, created by a number of major companies – including Microsoft, SAP and Intel – so they can share collectively and individually the steps they’re taking to develop more secure codes. They also provide free instruction and best practices to others involved in software development.

So Heartbleed, which was widely distributed and existed for so long, really emphasises the fact that software is our Achilles’ heel in so many ways. We need to strengthen how we identify and test for vulnerabilities, but more importantly how we design software.

How do you feel overall about what’s going on in the world of cyber security? Do you feel more optimistic or pessimistic?

My friend Eugene Kaspersky has a phrase I love. He says those of us in security are paranoid, but he’s a paranoid optimist. I have always been optimistic. I’ve seen a lot of things that could have gone wrong but didn’t because of the incredible people in this business.

It’s not to say bad things can’t happen, but I’m pretty optimistic as long as the private sector is given the opportunity to continue to learn and to share information and to work with – rather than be directed or bullied by – government.

The other thing that reinforces my optimism is how quickly talented security people can now rise within an organisation, not only from the technology perspective but from the policy and business perspectives. Within a relatively short period, they’re becoming the executives in charge, as CISO or in similar roles. This reinforces my belief that not only do we have the right people ascending to some of these positions, but we also have corporations and business units recognising that these people can make a real difference. They not only make us more secure, and help shut off any government regulation or oversight, but they can also make business work better.

You have accomplished so much in your career and you’re still doing fascinating things. How would you summarise what you’re doing now and how do you see that mix evolving over the next five or ten years?

At Ridge-Schmidt, Tom [Ridge] focuses on physical security and I focus on cyber. Then we both focus on where they intersect, which is a lot of places. Along with SAFECode, I also sit on a number of corporate boards like Qualys and Codenomicon, and I’m an advisor for some others. But the core of what I do now is being an evangelist, not so much for the people in the trenches who do the real work every day, but by getting the things we do into the boardroom and the C-suite. CEOs and chairmen and boards need to understand that cyber is not an IT issue. It’s a business issue and as a business issue, they are responsible not only from a governance perspective, but also from an investor perspective. They need to understand that technology’s great, it’s given us a lot, but this isn’t all about technology. That’s the difference I hope to continue to make.

Any other wisdom you would like to share with our readers?

Just one overarching thing. If we try to isolate the cyber threat as the problem of just one nation, as a national issue, we will never find a solution. If we recognise it as a global problem and work together, we can move a lot quicker and more effectively. But if we continue to use every conflict, every conversation, as a reason not to cooperate in cyberspace, we will be having this same conversation 10, 15 and 20 years from now.

So you have a globalist’s view. Are you hopeful that even the U.S. and China can bridge their differences?

I am. At the World Federation of Scientists, where I am a member, we have a permanent monitoring panel on cyber security. The Federation was created in response to the nuclear threat. The world’s leading scientists got together and said we need to convince our governments that dropping nuclear weapons on each other’s cities is not good for the general population. If we can convince governments to recognise that the same thing exists in cyberspace, then there’s hope for China and the U.S., and for many other countries. They can still be competitive, but not at the expense of the goodness that the Internet brings to all of us.

Howard, thank you so much.