Obama Names Cybersecurity CoordinatorObama Names Cybersecurity Coordinator
Former Bush administration official and Microsoft security official Howard Schmidt is tapped to develop a federal cybersecurity strategy.
December 22, 2009
BlackBerry Pearl Flip 82200
Almost 7 months after President Obama announced he would personally select a new White House cybersecurity coordinator position to help orchestrate and integrate federal cybersecurity policies and agendas, the administration has finally named its man: former Bush administration official Howard Schmidt.
In a video posted on the White House website, Schmidt said that the President has directed him to focus on creating a new comprehensive cybersecurity strategy, developing a strategy to respond to future cyberincidents, strengthening public-private and international partnerships, pushing cybersecurity research and development and leading a cybersecurity awareness and education campaign.
“In our digital world, the information technologies we depend upon every day present us with both great opportunities and great danger,” Schmidt said in the video. “As president Obama has said, this cyberthreat represents one of the most serious economic and national security challenges we face as a nation. I’m committed to bringing all stakeholders together around a new comprehensive cyberstrategy that keeps Americans secure and prosperous.”
Schmidt, who was president and CEO of the Information Security Forum, a nonprofit cybersecurity research firm, immediately before his appointment, has had a long career in cybersecurity. He served as top security official for both Microsoft and eBay, did cybersecurity work for the FBI, and spent time as cyber adviser to the Bush administration. He has also recently been serving in advisory roles for a number of cybersecurity companies, including McAfee, PGP Corporation, and Fortify.
In an interview with InformationWeek earlier this year, Schmidt pointed to three cybersecurity areas which he believes need particular improvement: encryption, strong authentication, and secure software development. "You constantly hear about breach after breach," he bemoaned.
In that interview, Schmidt expressed mixed feelings about the state of the Federal Information Security Management Act (FISMA) and pending cybersecurity legislation and applauded efforts to push for common architectures across government IT systems. "People treat government agencies as independent controls unto themselves," he said. "We’re all doing these individual architectures which are tremendously complex. Everything has to be done separately and managed separately and that’s the enemy of security."
Schmidt’s name had been being bandied around for months as the possible appointee, but sources have said that he was not necessarily the White House’s first choice. Several others turned down the job, and former assistant secretary of Defense Frank Kramer was seen as a recent front runner.
In a May speech, President Obama said that the cyber coordinator would have regular access to him, but it became clear that the position would not have budget authority, and would have two bosses in the heads of the National Security Staff and the National Economic Council (not the President himself). If Obama sticks to the policy laid out in the White House’s 60-day cybersecurity review completed earlier this year, Schmidt would not have any "operational responsibility or authority, nor the authority to make policy unilaterally," instead relying on partnership and interagency coordination, working in concert with federal CTO Aneesh Chopra, federal CIO Vivek Kundra, and a slew of other officials to forward administration goals.
Some commentators have expressed concern that the cyber coordinator position lacked the power to affect real change. “I’m starting a new contest,” James Lewis, director of technology and public policy for the Center for Strategic and International Studies, said in a recent e-mail. “The new cyber position is so low, cyberczar really isn’t right. Cyberpeasant? Cybervillager?”
Lewis called the appointment a “good move” Tuesday, saying that Schmidt’s job could be made easier if officials believe he carries with him the authority of the President, but adding that there is a significant amount of work to do to fit together work that’s been started at places like the Department of Defense and Department of Homeland Security.
In the months since announcing the new position, there have been significant shifts in cybersecurity in government. The military began to stand up the U.S. Cyber Command, which will integrate and manage both offensive and defensive cyber capabilities for the military, under NSA chief Keith Alexander. The Department of Homeland Security has consolidated authority over cybersecurity in civilian agencies. The Office of Management and Budget has begun work on new cybersecurity metrics. The Office of Personnel Management has started working on new training and classification for cybersecurity professionals. And new FISMA guidance focuses more on operational metrics than on toothless compliance.
Several of Schmidt’s friends and colleagues applauded the appointment. Greg Garcia, a consultant who was formerly assistant secretary for cybersecurity at the Department of Homeland Security said that he had been advocating for Schmidt’s appointment since the position was created, and that Schmidt has “all the ingredients.” PGP Corporation CEO Phillip Dunkelberger said that Schmidt, who has long served as an adviser for the company, has “the right background and qualifications” to be effective in his new position.
"Howard has the breadth to cover government and private industry, and he really understands the technology," Fortify CTO Roger Thornton said in an interview, characterizing Schmidt as more of a doer than a talker. "When you look at the job, that job will only be successful if the person in it can bring together disparate parties and drive consensus. His biggest challenge is going to be getting everyone to take a step back and say, we need to rethink what we're doing."
For Further Reading:
About the Author(s)
Hacking Your Digital Identity: How Cybercriminals Can and Will Get Around Your Authentication MethodsOct 26, 2023
Modern Supply Chain Security: Integrated, Interconnected, and Context-DrivenNov 06, 2023
How to Combat the Latest Cloud Security ThreatsNov 06, 2023
Reducing Cyber Risk in Enterprise Email Systems: It's Not Just Spam and PhishingNov 01, 2023
SecOps & DevSecOps in the CloudNov 06, 2023
Passwords Are Passe: Next Gen Authentication Addresses Today's Threats
How to Use Threat Intelligence to Mitigate Third-Party Risk
Concerns Mount Over Ransomware, Zero-Day Bugs, and AI-Enabled Malware
Everything You Need to Know About DNS Attacks
Securing the Remote Worker: How to Mitigate Off-Site Cyberattacks