Cloud Security's Silver Lining: Q&A With ISF President Howard Schmidt
Nov 18, 2009 4:00 AM PT
The Information Security Forum may bill itself as the world's leading independent authority on IT security, but the companies and agencies that its members work for are finding themselves more dependent than ever on its computer security expertise.
Current trends that are expanding access to networks for companies and consumers are also providing more potential opportunities for IT's "bad guys": hackers, cybercriminals, Web fraudsters. Whether it's cloud computing, the move to put health records online or the growth of wireless devices, it's Howard A. Schmidt's job to make sure the ISF can be a go-to organization for those looking to secure their networks.
Schmidt's resume straddles both private and government security arenas and spans more than 40 years of service. He was in the U.S. Air Force and with the Chandler, Ariz., police department before entering the world of computer forensics and network security with the Air Force Office of Special Investigations and the FBI's National Drug Intelligence Center. It was at the latter job that Schmidt began to garner a reputation as a pioneer in probing computer-related crimes.
Schmidt left his first go-round with government service to become chief security officer with Microsoft and then eBay. However, he returned to the public arena shortly after the Sept. 11 attacks as special adviser for cyberspace security for the White House -- in effect, the nation's first cybersecurity "czar."
Schmidt became the ISF's first president and CEO in 2008, and he spoke with TechNewsWorld from Vancouver, British Columbia, the site of the ISF's 20th World Congress.
TechNewsWorld: What are you learning at the Congress about how your members are dealing with the latest threats to IT security?
Howard Schmidt: My reaction is that we're seeing tremendous similarities with the things we're doing worldwide. It doesn't matter whether you're a small country in the Nordic region or one of the big industrialized Western countries, the attacks are the same, the ways to solve those problems are the same -- the move from technology to a sort of risk-management, that's pretty much consistent across all the members who are here.
TNW: I would think some of the other countries would look to the U.S. for a little bit of direction. After all, the Internet is an American invention, and some of its top minds are working for U.S.-based companies. Do you see that as well?
Schmidt: No, I see it totally different, as a matter of fact, which is really interesting. When you start looking at the knowledge people have specifically in technology and then bringing that up to another level, which is information technology, and then taking that to a third level -- the information security space -- we find people that are just absolutely brilliant at this around the world. I think one of the distinctions is -- as the early adopters, as we are seen in the U.S. -- a lot of the problems that we were dealing with in security issues, other countries are looking at as they roll out their infrastructure, and they're saying, "We don't want to go there, we don't want to follow the same path, we want to make sure we take another approach." Like for example strong authentication -- the idea, that of user IDs and passwords, has been nothing but problematic, and so they're going to go in a different direction.
TNW: You have members here from corporations, government, law enforcement. What are the trends they are seeing regarding the bad guys, the ones pushing malware out on the Internet?
Schmidt: There's a clear recognition that the bad guys are different now than they were even five years ago. As the Internet becomes more of a vehicle of the economy, it's like any other segment of society, so the bad guys come along with that. They're looking to steal your money without coming anywhere near your house and not get arrested. Also, when you start looking at international laws, we have countries with really good cybercrime and cyberfraud laws, and others that are sort of in the fledgling stage, so that makes a difference. We're literally all over the map.
The other piece is: How do you defend against all this? It depends on how critical the IT system is and how much you as a country or company are doing online. The U.S. was a big target for phishers and scammers because we were spending a lot of money online, and other countries are now saying, "We want to spend a lot of money relative to our GDP online, but we don't want to give the bad guys any opportunities." Plus, the hackers are becoming more organized and directed in their attacks.
TNW: More companies are heading to cloud computing. We're trusting more people with our data in the cloud. You can access that information in the cloud from a wireless device, like a smartphone. It would seem to me that there's an obligation these companies have to make sure that data is secure. Do you think they are taking it seriously?
Schmidt: We have all these members here (in Vancouver). It's been a tough economic time, but we have a full house here, so that indicates all these companies are willing to send their people to this Congress because they do take it seriously. They don't want to be in a position a year from now saying, "I wish we had done this or that differently," which is something we all worry about.
I'll go to cloud computing specifically. All the lessons we learned over the years with viruses and worms and malware and authentication and ID theft -- all the businesses that are now looking at the cloud are saying they don't want to go through all that again. So when they sign up for a cloud contract, they want to make sure there's good encryption, make sure there are boundaries about where their data goes, how they get access, what about backup -- all the things we would worry about, not only from a security perspective but from a resiliency perspective.
That's what we're asking our cloud people to do. So if there's a silver lining here, it's that we're about to build the next generation of network security that's more consistent and has better privacy controls right from the outset.