BankInfoSecurity.com Interview with Howard Schmidt on the State of Information Security in the Finance Industry
LINDA MCGLASSON: Today BankInfoSecurity.com is speaking with Howard A. Schmidt, a true information security luminary. He is a pioneer in network, data and internet security.

During Howard’s remarkable career in public and corporate service, he has seen it all from the inside. He began his information security career in government in the U.S. Air Force and helped establish its groundbreaking computer forensics lab. He then moved into law enforcement. Later he left public service to head information security at software giant Microsoft, and then also at online auction site eBay. After 9/11, he was appointed Vice Chair of the President’s Critical Infrastructure Protection Board and was Special Advisor for Cyberspace Security for the White House.

Schmidt is currently the International President of the Information System Security Association, ISSA. He has also served as the first President of the Information Technology Information Sharing and Analysis Center, and as the Co-Chair of the Federal Computer Investigations Committee. He is a member of the American Academy of Forensic Scientists, and an Advisory Board member for the Technical Research Institute of the National White Collar Crime Center.

In addition, he served on the President’s Committee of Advisors on Science and Technology. He has co-authored both the Black Book on corporate security and the Black Book on government security. His most recent book, Patrolling Cyberspace: Lessons Learned from a Lifetime in Data Center, is available from Larson Publishing and is on sale on Amazon.com. Welcome, Howard.

HOWARD SCHMIDT: Thanks Linda. It’s great to be here.

LINDA MCGLASSON: We’ll go right into the questions that I have for you. In your opinion, what is the number one information security threat on the horizon for financial institutions?

HOWARD SCHMIDT: That’s a really good question because the financial industry has done such a remarkable job over the past few years of shoring up their infrastructure, working together even with competitors to make sure that the institution itself, the enterprise itself, is more secure than ever. So I think the right answer to your question is the end user because as we have more control over our ability to interact with our financial institutions, we have greater flexibility in working internationally.

Sitting in a hotel room in London, for example, and transferring funds from one account to another gives us better control of what we’re doing, but it also puts us as sort of a linchpin in making sure that we are secure. So the end user, the one that uses that service, is probably the biggest threat because not everybody is savvy about technology, and more specifically savvy about what it takes and what it means to really be secure.

LINDA MCGLASSON: That leads right into my next question. The globalization efforts of international companies, including financial institutions, are far ahead of law enforcement’s ability to protect them. What are some of the things you see happening to slow the surge of international cyber crime and what more can be done?

HOWARD SCHMIDT: I think there’s a few things. One, first and foremost, the technology has really changed significantly. I mean we’ve seen plug-ins to web browsers, for example, that do a better job of protecting the end user from, you know, inadvertently getting - - stumbling on to one of these phishing - - one of these identity theft related websites. We’re seeing filters being placed in email clients, so these sorts of phishing emails and identity theft related crimes don’t even get to someone’s inbox so they don’t have the ability to click on it and then once again be caught by a web browser somewhere.

But when it comes to the globalization what we see is the law enforcement community’s been working very, very closely with the private sector organizations making sure that (1) they understand that law enforcement’s not going to come in and rip out their IT infrastructure to investigate a crime, that they work as partners; that often times what we’re seeing now is particularly financial services are hiring former high tech crime investigators whether they’re federal agents, whether they’re investigators from law enforcement agencies from around the world, or they’re even local police officers, and basically so they can better understand what the needs of law enforcement are, but also help better protect their customers.

And one of the examples I see more often than not is where we see financial services see a particular trend taking place. They have their investigators obtain the information using the authorities that the financial institution has, getting in touch with law enforcement internationally, sitting down working with them making sure the evidence is transferred, and helping to aid in the prosecution of the criminals that are taking advantage of the customers, thereby doing two things – (1) protecting the customers and their assets; but also sending a clear message that the institutions will indeed work with international law enforcement to send a message that you will be held accountable for your crimes.

Now is that to say all crime will be wiped out in the next few years? It never happened in the physical world; not likely it’s going to happen in the online world, but we do have much better resources, much better coordination between financial institutions, international law enforcement, as well as the end users.

And as far as what more can be done in that area, I think what we’re seeing now is through the harmonization of international laws. One of the loopholes that we saw for a number of years was where someone would go to a particular country that has no cyber crime laws, act with a level of impunity from that country, victimize someone and the long arm of the law couldn’t reach out to get them.

So what we’re seeing now with the Council of Europe Convention on Cyber Crime, the subsequent treaty which has been signed by a number of countries around the world, we have better treaties and laws now that give us the ability to no longer let criminals hide behind national law because the laws are much more harmonized and more at a level basis than they have been in the past.

LINDA MCGLASSON: Okay. Well this is a follow up question to your answer there. We’ve got regulations and laws such as GLBA protecting customer information here in the U.S. How is personal information being protected once it leaves our borders? For example like a lot of the outsourcing of back office work to companies in Asia. What’s your recommendation - -

HOWARD SCHMIDT: Well - -

LINDA MCGLASSON: What’s your recommendation how we can better protect our customers and our own corporate information?

HOWARD SCHMIDT: Yeah, I think there’s a common misconception that those sort of regulatory requirements and the protection of data somehow stop at the borders. That’s not the case. I mean it talks about the data itself. And one of the things that’s being done on a regular basis to help extend that even further is the service level agreements, the contracts that the institutions will have with their outsourcing partners that basically ensure that they will indeed protect the data at the same level, if not higher, than we have a requirement based on law or in some cases the corporate policy sometimes is even greater than what the law may require because I think many financial institutions recognize how important it is and what an amount of trust that the customers put into the institution themselves.

So consequently, when they let a contract with an outsourcing partner, be it domestically or be it internationally, what they do is they make sure as part of that contract that there are points put in there that help make sure that their data is guarded. And if a breach should take place, just like it happens anywhere in the world that we’ve seen in the past, that the proper notification is done to comply not only with law, but also corporate policy.

LINDA MCGLASSON: Okay. If you were authoring the federal law on privacy and data breach disclosures, which I believe that they’re working on right now, what would you want put in it?

HOWARD SCHMIDT: Well I think some clarity and some consistency. That’s one of the issues that we’re dealing with when we start looking across the international spectrum. As, you know, you mentioned in one of your earlier questions, this is truly an international issue, and one of the most difficult things to do is to comply with 27 different sets of laws or even in the United States 50 different sets of state laws on data breach notification.

So looking at consistency across the board so you can build it once, you can make it rich and robust and really worthwhile without having to change it depending upon where your customer is living at, or in the worst case situation depending on where your servers are may dictate how you indeed protect the data. So I’d want consistency and I’d want conformity across the spectrum when you’re looking at offering such laws.

I think also we have to understand what’s reasonable and what’s not reasonable, and this comes through a whole process of education of lawmakers, as well as the corporate security people, making sure we understand what - - what possible unintended consequences could be. For example, I’ll give you a quick insight into years ago when we were looking some international - - the Council of Europe treaty for example - - there was a great deal of concern around a provision that effectively made it illegal to do research around security vulnerability.

So if a legitimate professor or legitimate company was looking for vulnerability in a product that may be considered against the law. The same thing applies in data breach. If you’re doing what you think is the best thing and it winds up that it has an unintended consequence of exposing more data than it is protecting, obviously that’s something we need to think through. So these things need to be conforming, conforming to specific standards, but also need to be very, very well thought out and not be a knee jerk reaction to an instance taking place.

When you look back at the number of compromises that we’ve seen over the past few years, the numbers are staggering. They’re very, very high. But when you look overall at the number of incidents where someone’s data that had been compromised something negative or something bad has happened to that person, that’s relatively small. Part of that’s in response to the financial institutions responding very, very quickly helping the people to protect themselves.

So the point being is when we start deliberating these things, we offer these things, we have to look at all the aspects of it to make sure we’re making really, really good, sound decisions and good laws that are not going to have a negative impact on innovation, while still doing what we can to protect the end users.

LINDA MCGLASSON: Going back to your book Patrolling Cyberspace, your career in information security has been a storied one. May we ask that you talk about your most memorable “you won’t believe it but there we were” story?

HOWARD SCHMIDT: Boy that’s really a tough one to talk about because there’s been so many fascinating - - I’ve worked with some of the great people in the industry that have challenged each of us and myself included to figure out the next best way to fix something or to do something better, to do it quicker, or to do it in a more enlightened manner, but I think one of the ones that was probably - - that sticks in my mind the most was in the early days when we really didn’t know a lot about computer evidence or computer forensics as the term went, and we were out there using technology to identify that certain crimes were occurring using technology, and one in particular was we were always worried about not wanting to set what we call bad case law and bad case law is defined where a decision is made in a law enforcement environment that causes at some point when something goes to trial for the judge to say no, what you did was wrong, therefore have a cascading effect that impacted others. So we were very, very concerned about that.

And in the early days one of the big things we had a lot of sensitivity about was we did not want any data altered that would impact your ability to successfully investigate and prosecute the case, and part of that was we wanted to make sure that we followed procedures even though we were building them as we went so to speak, and we found an incident where they brought in a - - at the time the days were called MIS, Management Information Specialists, now they’re called IT folks, in to assist on a case and the individual not understanding the rules of evidence had saved some data to a disk which totally changed the date that the file was accessed, thereby creating some question later on by the defense attorney on whether or not it was done by the law enforcement agencies deliberately to make their clients look guilty.

So that’s sort of the one that sticks out in my mind the most as being, you know, boy that was sort of a turning point in my career. It wasn’t the biggest case in the world. It was just a burglary case, but nonetheless really made me pay a lot of attention to doing things the right way moving forward.

LINDA MCGLASSON: Oh that - - I - - I remember reading that in the book, and I recommend everyone read your book for the - - all the really neat stories that you have.

Getting onto a pretty serious question, how vulnerable is our information infrastructure here in the U.S.? This would include not just manmade or man-caused events, but also events like hurricanes or earthquakes.

HOWARD SCHMIDT: Well I think we - - we are vulnerable, although we have better response than we’ve had in the past. And let me explain that if I could on what I mean by that because the greater dependency we have on a resource, the more vulnerable we become, and if you look at just simple things like the cost of fuel and our dependency on oil, the greater the dependency the more changes in the way we do things have an impact on our day to day life.

I remember a time where in the early days where when you had a pager it basically did nothing more than vibrate, and then in turn you called a number to find out what your message was. That evolved into having a number that was displayed that evolved into having a number and set some text, and now of course we see mobile devices in which we get every piece of valuable information just like we would on a desktop or a mobile system. We’ve become dependent on that now for our day-to-day existence. So when that vulnerability - - when that dependency exists, the vulnerability further.

Now more people right now are depending on it which makes us even more vulnerable because we no longer think about carrying a pen and pencil with us when we figure we can just use our mobile devices or using our thumbs to send a message. But when it comes to the ability to protect it, we now have much, much more attention paid to protecting those sort of resources whether it’s protection against anti virus and worms and Trojans and things of that nature, or outages themselves because it distributes the service attacks.

Those things will occur. They have occurred. We’ve seen recently even here where I live in the Pacific Northwest we had eight days without power. We had eight days without internet connectivity. We had eight days without phone service, and, consequently, that was somewhat of a hardship on a lot of people. Business wasn’t transacted. You know, family members were worried about family members in the area and things like that. But basically what had happened is that was restored in a relatively short period of time.

Now one may argue that eight days is a long period of time to be without these services, but it could have been a lot - - a lot worse. And so the point being is we do have vulnerability, but they’re not insurmountable. They’re not things that we can’t work around. We may experience some inconveniences and some shortfalls and for a relatively short period of time, but we look to mitigate the risk as much as possible knowing we may have an outage somewhere, we may have an inconvenience somewhere, but the idea is to make sure that that is the shortest duration and impact the minimum amount of people possible.

LINDA MCGLASSON: Well this is a question I think that’s pretty relevant right now. The use of encryption software is being embraced by many businesses, including the U.S. government and financial institutions, to ensure that their data is going to be protected. However, criminals are also availing themselves to use the same software to hide their data from law enforcement. What’s your opinion on who should be allowed to use encryption software?

HOWARD SCHMIDT: Yeah it’s interesting. I, you know, I have long debated this issue having lived in both worlds – the corporate security where, you know, I demand better encryption, easier to use encryption, and encourage employees and users, family members to use encryption. At the same time, the law enforcement side of my life says yeah the bad guys are doing it and I have to have some way to go ahead and keep them from using it to prevent me from successfully completing an investigation.

But I think what we do is we focus on the technology as opposed to the crime itself, and that’s where I sort of get off on the side of, you know, encryption for the purpose of security far outweighs the risk the bad guys would use it. For example, if a bad guy is using encryption to hide the possession of child pornography, that’s tremendously problematic, but by virtue of the fact that they’re using encryption doesn’t mean that there’s not other evidence out there that we can use to successfully investigate and prosecute this person.

The same thing applies when we’re dealing with hackers and the hackers and the things that they put out on hack servers where they encrypt data and hide it out there to hide their identity. At some point they have to do something with that data and that also becomes a point by which we can gather more evidence to help prosecute.

The last thing being when it comes to encryption the weak point of any encryption is the fact that whatever the pass phrase or the password must be, and criminals are like human beings. They have problems remembering complex passwords. They have to write them down. There’s other methods out there by which one can acquire the password, so it’s not a zero sum game. Yes, there have been investigations in the past not involving technology that we have not been successful in solving and I think the same thing will apply when it comes to use of encryption.

But there should not be restricted use, but there should be penalties for using it like you would use - - have a law and hiding evidence or corrupting evidence in a criminal investigation. Those laws I think are the things that are relevant and how you use it and for what purposes.

LINDA MCGLASSON: That’s a very insightful answer. Thank you. When you were the Chief Security Officer at Microsoft the Presidential Decision Directive 63 was released. Are we better prepared and protected than when it came out nine years ago?

HOWARD SCHMIDT: Oh absolutely, and it’s one of the things that I’m particularly proud of we’ve done as a nation, and not only those in public service at the time. I remember as we were working on the President’s Commission for Structure Protection, or the PCCIP which was the organization private-public sector that came together that did the data collection which resulted in the creation of PDD 63.

And as I would go brief the Board from time to time at the time I was Director of Computer Private Information Warfare for Air Force OSI and I would go meet with the folks and brief them and talk to them about some of the things that we had seen in the Department of Defense and investigations of computer crimes; what I had seen when I was with the FBI; what I had seen with local law enforcement.

And having that transition from all the briefings they received from myself and probably 20, 30, 40 other people, to see that transition into a Presidential Decision Directive and ultimately resulted in the creation of the ISACs and a lot of the other things which I hope we’ll talk about later on, but ultimately result in the national strategy to secure cyberspace that we worked on when I was at the White House with Dick Clarke and the President’s Critical Infrastructure Protection Board.

Now we have the full office and the Department of Homeland Security virtually every government agency has an office of critical infrastructure protection. Many private sector organizations, now companies, have offices. If they’re not called critical infrastructure protection, they’re part of a security function they have. We’re looking at things around SCADA security. There’s been a tremendous change not only in just the awareness, but the actual execution of people doing things to make things more robust. So consequently, I think that was a real key turning point in where we are about protecting the critical infrastructure, particularly the critical information infrastructure sections.

LINDA MCGLASSON: Oh, here’s your follow up question to that. Are the ISACs, the Information Sharing Analysis Centers, meeting the needs of the industry as they cover and what value do the ISACs offer individual corporations and businesses?

HOWARD SCHMIDT: Well the first ISAC which was your Information Sharing Analysis Center was created with the financial services which really led the way and bringing even competitors, I mentioned earlier, together to share information not only about vulnerabilities and press, but also best practices. That was one of the key things that I think when the financial services ISAC was first put together the ability to say listen, you know, yeah we may compete in the marketplace, but when it comes to the trust, when it comes to security, when it comes to protection and privacy we all have to - - have to work with each other.

Followed on by the creation of the IT-ISAC when we created that and I was very fortunate to be elected as the first President of that, the whole issue continued that whole philosophy that we need to share information with each other not only what’s bad out there, but also what are the things we are doing right to protect each other.

I think back to some of the instances where some of the early worldwide viruses or worms took place and we’d see a lot of media attention on the fact that 350,000 systems were affected by this, but often times it was in the background and this is where one of the benefits of the ISACs came into play where there wasn’t a lot of attention, and well why weren’t these 14 companies affected by this? Why were they able to protect themselves? Why were they not impacted either financially or technically from this particular event? And you generally would find out that their information came within the resource of the ISACs, would provide here’s how you protect yourself from this, therefore, they weren’t affected.

Now the ISACs can be only effective as the members are willing to share the information, and some companies feel more comfortable than others in sharing it, and I don’t think anybody’s really viewed as well I share more than you, therefore, you shouldn’t get this. I think they’ve done a really good job in helping to make sure that there is value to the individual corporations when they join, but often times, like anything else, when you’re talking about information sharing you get out of it what you put into it. If you’re willing to put the extra effort, the information in there, what you get back is really, really worthwhile.

LINDA MCGLASSON: Discerning what is important to financial institutions amid all of the cyber white noise is hard. What do you recommend we do to filter it out?

HOWARD SCHMIDT: Well it’s going to be interesting. I had a discussion with another security colleague of mine here recently via email, and one of the comments he had made, which I felt was really amazing, that we know how to do these things. We know how to better protect these systems where in a lot of cases we just don’t do it, and that’s because people are always looking for something that doesn’t exist out there. You know the areas of intrusion protection, intrusion prevention, the area of anti virus and anti spamming and all these things, technologies are pretty good now where in many cases I feel we have matured to a level where those technologies are doing what they need to be doing.

So that what I call, you know, paying a lot of attention to things that have already been built falls in that category as sort of the white noise. So what are the things we need to start paying more attention to that rise above that level? I think one of the first things that we need to look at is the vulnerabilities that still continue to exist in software. Why aren’t we using the automated tools that are currently out there that gives one the availability and the ability to do an analysis of source code to make sure that we identify the vulnerabilities before it becomes a computer program we’d run on our systems?

The second thing is the proliferation of wireless. Wireless is just wonderful. I mean I was one of the early adopters and use it everywhere - - expect to use it everywhere I go for the most part, but basically what we look at we often times are now we sort of forget the lesson we learned in early deployment of networks and saying we need to secure this before we widely deploy it. So, consequently, we’re in a situation where that’s another piece that we need to raise above the white noise level.

The other thing is the operations - - yes, operationalizing of IT services. You know for a long time the sort of spectra of security was, you know, security group needs to do it all and it’s just not practical anymore. What we need to do is make sure that security is built in the day-to-day IT operations.

Then the next thing we need to look at is sort of moving the battlefield off of the desktop. As we know, and has been proven many, many, many times through testing, that the end user is not sophisticated when it comes to IT security whether it’s in a corporate environment or whether it’s a home user environment, so, therefore, we should not be putting the battlefield on their desk.

What we should be doing is be moving it back to the gateways using devices that take care of a lot of these things ahead of time. Those are devices that you can rise above the white noise and have just a simple home gateway device that - - that blocks all that stuff from even getting to your system so you don’t have to worry about it. And these are things, again, each environment that a company or an individual could look at and say yeah I’m doing these things pretty good. Well let me focus on these newer threats that we’re looking at and those are things we need to raise above the level of putting them in a category of white noise.

LINDA MCGLASSON: Customers use financial institutions that they trust, and with the recent authentication guidance issued by the FFIEC, are we moving in the right direction to increase that trust?

HOWARD SCHMIDT: Yeah, absolutely, and it’s one of the things that as I’ve talked with my colleagues in the financial services industry, it’s not as if that the industry was not looking at these things and moving forward, but basically there was not the perception of a lot of consistency. So, consequently, with the guidelines that have been put out by the FFIEC what we see is a groundswell of people saying yes we need to move quicker, we need to do more, and, consequently, I think we’re - - we’re doing that.

But that’s only a small segment of it and that’s the part that I think is really interesting when we start looking at the financial industry overall. Even though there’s much focus on that, it goes beyond just there when we start looking at the issues around trust and identity management and how we deal with people.

You know there used to be a time the only time you dealt with a person was, you know, face to face, and then it sort of went with a piece of plastic to a machine, and now we see machines - - machine to machine doing things on our behalf, so, consequently, the level of trust we have to have on the identity moves way beyond the financial services sector.

So one of the things that, you know, we’ve recommended to many folks is we look beyond the debate about financial services and financial transactions, although they’re very important, and look at the fundamental is how are we going to do better identity management in the digital world and after the 21st century.

LINDA MCGLASSON: Howard, I have two more questions and then we’ll wrap up. Many smaller banks and credit unions typically use vendors to perform much of their IT services, information security, back office. In working with those vendors are there - - is there any advice that you would want to tell these vendors in regards to information security?

HOWARD SCHMIDT: Yeah. I think there’s a couple of things and it goes both ways, not only for the vendor side, but also for the companies looking to hire the vendor. This has been something that’s been difficult for people to transition to over the past few years. For a long time, as I mentioned earlier, security was almost viewed as sort of this quarantine type environment where only very, very few people had access to it, very, very few people had knowledge of it, so, consequently, anyone else was an outsider, therefore, untrusted.

And what we’ve seen over the past year is it just doesn’t make business sense to grow huge security organizations. It’s expensive. The recurring training becomes very expensive. It’s a resource drain. So, consequently, focusing on the core competency of the company, for example, financial services, delivering financial services to a customer is a core competency. Security is a means by which to help one accomplish that.

So understanding that those that you’re outsourcing with are not the bad guys, they are trusted individuals, that’s why you’re dealing with them, and to look that direction to bring people that have expertise that not only get to see your environment, get to see other environments become very, very helpful because none of us are alone in this thing.

On the flipside of the coin for the vendors is just one to recognize the fact that often times a full time employee is viewed as more trusted than a contractor or consultant may be, and sort of factor that into it. It’s nothing personal. It’s just the way the mindset currently has been the past few years.

But you also need to make sure the services that you sign up to and the services that you agree to deliver you indeed have the expertise and the ability to do so because particularly in the business of security, integrity and ethical behavior is paramount, and the kiss of death for any company that wants to do business with a large enterprise as a security vendor has to understand that they have to be able to show that they have that level of integrity, they have that level of ethical work habits that basically make them worthy of that trust that the company puts into them.

And that’s sometimes a difficult thing to do. It takes some, you know, things just as, you know, checking backgrounds, making sure that your people come from a culture where doing security for the good of security is the primary focus and not doing it to prove that you can break something. There’s a lot of moving parts in that, but I think for the most part we’re getting much better at understanding both viewpoints both from the enterprise perspective, as well as from the vendor perspective.

LINDA MCGLASSON: Okay. Howard, final question. Any final words of wisdom for all of us here in the finance - - financial community?

HOWARD SCHMIDT: Yeah. I think one of the things is never forget to listen to what people have to say in this space. I remember - - I remember a conversation I had with somebody one time. We were talking about a buffer overrun in a particular program and was explaining that, you know, you can type in 257 characters and this bad thing would occur, and the question was asked well why would someone do that, and the simple answer is because they can. The same thing applies here.

So when you start looking at new services you want to offer to customers, if you want to look at new security features you want to put in not only do we need to consider the nonsophisticated technology customer that’s looking for the services from the financial services, but we also have to outthink the bad guy. We have to think about these things ahead of time. Listen to those. Sit around and have brainstorming sessions on how you could break something. It’s easy to build something that’s really, really neat, something easy to use and something that requires two mouse clicks to complete a transaction, but if there’s some underlying shortages and they’re relative to security, we need to find those out in the very outset and keep it from becoming a problem for our customers, which then in turn becomes a reputation issue for us as well.

LINDA MCGLASSON: Well, Howard, thank you so much for taking this time to share your insights and we will all want to go out and make sure that we go buy Patrolling Cyberspace, and thanks again.

HOWARD SCHMIDT: Well thanks a lot. It’s my pleasure talking with you.