First of all, let’s get one thing straight: The November 7 Town Hall meeting in New York to gather feedback on the draft of the “National Strategy to Secure Cyberspace” was not set up as an informal, school-cafeteria type of affair, where a crowd of concerned citizens would engage in rancorous debate with government officials. Instead, it was part of an orchestrated tour that the President’s Critical Infrastructure Protection Board is using to sell a strategy widely derided as having no teeth.
CIPB Vice Chair Howard Schmidt and three other panellists were lined up at a long red table, set far back on the imposing black stage in the auditorium at the John Jay College of Criminal Justice in Manhattan. In front of a podium with five flags, a parade of speakers posed for photo ops. They stood committed. They pledged support. They praised the local, state and federal government. Two cameras pointed back at the audience, where a few hundred mostly men in mostly suits clapped politely and waited for the main event: the moment they could step up to the microphones and give Schmidt & Co. a piece of their mind.
Schmidt, New York City Police Commissioner Raymond Kelly, Chris Painter from the Department of Justice’s Computer Crime and Intellectual Property section and Deb Peinert from the trade group Information Systems Security Association braced themselves for questions. They poured bottled water into wine glasses, then sipped it as they thumbed through bound copies of the draft. When the questions commenced, in no time at all it became clear why Schmidt was tapped for the job from his post as chief security officer at Microsoft. With the flair of a seasoned politician or a game show host, he can deftly field the most technical questions while also alluding to a close relationship with the likes of Bill Gates.
“Instead of looking at computer hacking as a negative, how about treating that as a positive?” asked someone from John Jay College, suggesting that the government register individuals and allow them to attempt to hack inside corporate computer networks and report on their findings. “I know it’s counter to the way criminal justice thinks, but why not enlist the youth to attempt to do this?”
“I think the gentlemen you’re talking about are called security consultants,” Schmidt answered, and the snickers in the audience turned to laughter. “There are some of them here,” he said, paused for more laughter, and then gave a sound bite about education and scholarship programs.
“With all endeavour to be respectful,” asked another brave soul — this one a security software developer — “in an Orwellian way, some of us are more equal than others. Major operating system companies have a greater responsibility not to focus on releasing new products” at the expense of security. Calling it “unconscionable” that a new OS would be released and within days need thousands of fixes, he said, “They have a responsibility to be more secure and perhaps even regulated to meet certain standards.”
Applause thundered. The other panellists looked at Schmidt, waiting. “I saw that one coming,” he said affably. “We have met with every one of those CEOs, including the one I think you alluded to.” He spoke of an unnamed company spending $US100 million on training and development to improve security, but said it would take 18 to 24 months for those improvements to hit the market. “It may take 18 to 24 months for development, but it only takes hours to discover vulnerabilities,” quipped back the software developer.
Someone else called into question the strategy’s reliance on ordinary citizens to protect their own computers and suggested shifting the burden to centrally managed places like ISPs, “so we’re not relying on Grandma to configure her firewall in a certain way.”
“Are you an IT professional?” Schmidt asked. The speaker said yes. “Are you also the chief information officer for your family and neighbourhood?” The speaker was afraid so. The audience guffawed. Schmidt assured him that the major ISPs were already coming together and were committed to improving security.
In one question after the other, Schmidt deflected queries about the draft with humour, while demonstrating a considerable talent for the non-answer. He listened to example after example of cash-strapped companies not having the resources to improve security, and law enforcement agents not having the resources to deal with crimes that do occur. He told a story about his son, a computer crime detective in Arizona, where a dispatcher once sent an ambulance to someone who called and said, “I think I’ve been hacked!” He said that telecoms that weren’t investing in security “will just not be there at the end of the day.” Most of all, he repeated his mantra that market forces, not product liability or government regulation, are the way to get companies to create more secure products. Only his jokes deviated from the canned answers that started to sound like the adults on the Peanuts television specials — Mwa mwa mwa mwa market forces mwa mwa. Yet with his curly hair and quick wit, Schmidt was eminently likeable.
It wasn’t until near the end of the 75-minute Q&A session that he seemed to get the kind of feedback he really wants people to offer between now and November 18, when the comment period for the draft closes. (The next and final stop on the tour is Phoenix on November. (Visit http://www2.cio.com/events for details.) A young man, introducing himself as one of those kids who’s a security consultant, asked why the draft suggested the need for one security certification accredited by the government. “Why isn’t there a need for a strong diversity of certifications?” he asked.
“Thank you for pointing that out,” Schmidt said, seeming surprised that the young man had gotten that impression. He nodded and indicated that the strategy should have made it clear that yes, the market should support multiple certifications for multiple skills. He put his hand on the draft of the strategy in front of him. “I’ll take this back and fix it.”
"Alarmed" is a biweekly column about security and privacy. Look for a new version every other Thursday.