Howard Schmidt — international cyber-security system two years off
Howard Schmidt, former chief security officer at Microsoft and
eBay, and former special advisor to the White House on cyber-space
security, recently keynoted at ISSE 2005 in Hungary. There, he spoke
on the topic of global cyber-security. He is currently president
and CEO of R&H Security Consulting. Brian McKenna caught up
with him in Budapest for Infosecurity.
In your keynote you spoke a lot about the increase in the
scale of the threat to internet security from the spate of DDoS
attacks in February 2002 until now. Could you expand on that?
The success of those DDoS attacks was based on network weaknesses
in universities and companies. That’s much better now, but
the systemic vulnerability has now shifted to small to medium enterprises,
and consumers, who don’t have the resources to deal with the
problems – particularly that of being part of a bot network.
Now you have the same bandwidth coming into the home and small offices
as you had in large corporations five years ago. That increases
the scale of the threat significantly.
Is this where ENISA’s role lies in Europe –
that is to say, in raising awareness among SMEs and consumers?
I think that’s right. It will help with that.
You spoke in your keynote about the necessity of an international
cyber-security system. What could the shape of that be?
We could get together a dozen large companies, say, with international
networks and get them to share the security threats they face, and
then escalate that up to the level of, say, the US CERT, the BSI
in Germany, ENISA at an EU level, and so on. The idea would be to
get real-time knowledge of the health of the global network of networks
we all share.
But how close are we to an effective international, real-time,
24/7 cyber-security system?
I’d say we are two to two and a half years out. In terms
of the technology, we are already pretty much there — we have
the means to aggregate the information from IDSs, patching systems,
vulnerability management systems, anti-virus technology, and so
on. I can look at all of that, as a security officer, at the executive
dashboard level. What we need to do is roll that visibility up to
the regional level and then the international level.
We need to get to a point where if you have an attack that ‘follows
the sun’ there is a mechanism to alert and disconnect networks.
We need to get out of a respond mode and into a detect mode. There
is too much fire-fighting in our business. We need to be more strategic
and to translate the threat response into business sense.
What has to be put in place to get us at least 80% of the
way there?
The challenges really lie in getting it over to corporate lawyers,
who are concerned that this is going to reveal intellectual property
flaws. And then, at the government level you need to get over political
objections.
Turning to the source of many of these attacks that 'follow
the sun', what are your views now on vulnerability reporting? Should
full disclosure be made a crime?
I don’t think it should be a crime. But there should be some
kinds of sanction around vulnerabilities and their disclosure. Obviously
it is best to have no vulnerabilities! And there is significant
reduction taking place.
As a security researcher, you should report the vulnerability to
the vendor. If the vendor is being tardy, you should be able to go
to an agency – a national CERT, or an entity like ENISA across
the EU, or NISCC in the UK. Then the government can put the pressure
on the vendor. Remember, governments are big customers of the IT
vendors, so they do have pressure to apply!
You said in your talk that infosec professionals need to
move away from a physical-security-like focus on threats to fixing
the vulnerabilities. But are IT security professionals not already
too hung up on fixing all vulnerabilities regardless of business
imperatives?
In the world of military security you do things like track weapons
movements by satellite. The mentality there is ‘show me the
threat and I’ll fix the problem’. But you can’t
really say that in IT security. However, you do know that we have
certain vulnerabilities, so I’d say, in this sphere, don’t
wait for the threat assessments.
At a recent Gartner event in London an analyst said that
the security officer of the future will have a business school education,
and that a top-line understanding of information security as a technical
discipline will suffice. In other words, risk management ousts infosec.
But don’t you really need to understand hacking at a profound
level to be a good IT security manager?
Well, it is perfect if you can do both the management and the technology.
My own educational background is that I have a business administration
degree and a graduate degree in organizational management. Oftentimes
the best security people are those with joint disciplines and that
really is better — because it is about managing risk; no doubt
about it.