Skip to main content

This guy advised two presidents on cyber security. Here's what he has to say

ITProPortal is at the 27th annual Information Security Solutions Europe Conference (ISSE), one of Europe's largest gatherings of cyber security experts.

As former cyber-security coordinator for the Obama administration, adviser to two presidents and security consultant with Microsoft and the air force, Howard Schmidt is uniquely placed to comment on the security industry. He gave a fascinating talk on what he's learnt about the industry, and where it's going. Here are some of the highlights.

Even before we had the Internet, we had what we would think of as hacking. We had a big problem with people looking through phone lines and trying to find computer systems connected to phone lines.

We didn't have the IT structure we have today in organisations, so that's how you used to access the systems and perform maintenance on them – through the phone line. And I remember time and time again, as a policeman, how we'd get a call telling us that someone's computer system was acting funny, or slowing down, and they didn't know what was going on. And time and time again, it was someone accessing that computer system and looking for credit card information.

As we develop the Internet of things, these 4 billion connected devices that there currently are, will become the heart and soul of your organisation. The scale will move. In this world, you don't have to be anywhere near the crime scene to commit the crime.

People use the term today advanced persistent threat (APT) – and I agree with the P and the T, but not with the A. These aren't advanced attacks. A lot of the time, vendors have discovered the vulnerability, they've patched it and fixed it, but people just don't apply it. Where we fail is: we don't execute. So many times we discover the crime, we follow the trail back, and we find something that could have been prevented. And more than anything, it's something that's asked you "do you want to keep going?" and the instinct is to click yes.

I always tell the story of my 8-year-old son and my 88-year-old grandmother, who are both on the computer and see a dialogue box that says "this website might be dangerous, are you sure you want to continue?" And my 8-year-old son will click yes, because he wants to get where he wants to go. But my 88-year-old grandmother, with a PhD in education – she'll click on it too, because she wants to get where she wants to go. No one is too clever to be caught by cybercrime.

When we look at the threats of the future, we can see that the price now might nt be that high to pay, but the price of inaction could be huge. Both presidents I've worked for have said that when it comes down to critical infrastructure, there are 17 major sectors that must be protected.

Among the most important are the power sector, which is what keeps our world running, and keeps the lights on. Then there's the telecommunications sector, which is how we communicate, but also how criminals can spread malware if it's compromised.

Then there's the financial sector. And that's important, because that's the bedrock of democracy. We're no longer a single market, we're global market. And software has to be recognised not only where we come from, but where we're going too.

I have this discussion with people all the time, who say "you can't write perfect code" – and that might be true, but it doesn't mean we shouldn't try. When you look at the supply chain, and you look at your key vendors, and their software – what they do effects you in serious ways.

I may sound sort of solemn in saying all this, but having spent 20 years in law enforcement, and advising two presidents and major corporations, I remain optimistic. The truth is: we know how to do this. The problem is executing it.

Follow all of ITProPortal's coverage of ISSE 2014, for all the latest in the world of cyber security.