
tv   The Communicators  CSPAN  August 8, 2011 8:00am-8:30am EDT

8:00 am
[inaudible conversations] >> for more information visit the author's website michael wallis.com. ..
8:01 am
>> this week "the communicators" begins a four-part series on u.s. cybersecurity. white house cybersecurity coordinator howard schmidt is interviewed about the obama administration's efforts to protect the u.s. against cyber attacks. >> host: well, this is week one in "the communicators" four-week series on cybersecurity, cyber threats and legislative proposals to address those cyber threats. we're pleased to be joined on our first week by howard schmidt, assistant to the president, and also white house cybersecurity coordinator. be guest reporter from the "wall street journal." mr. schmidt, if we could start before we dive into the proposals that the obama administration has put forward on cybersecurity, is there a working definition of what
8:02 am
cybersecurity is across governments and across the different stakeholders of what it is and what it will entail? >> guest: i think the term that we use and approach in what we now call cybersecurity has evolved over the years. used to be called computer security, then information security, then it was information assurance. it encompasses everything from end user devices such as smartphones all the way up to and including government systems and defense systems. so we've pretty much gone around that from a government perspective. internationally, other governments use information security still. they look at issues around computer security. so locally we've got it, internationally it's not the same. >> host: is it a global issue? >> guest: it is very much, and i think that's why not only are we paying a lot of attention to it within the u.s. government and private sector, but the economics of the world has turned around on the technology backbone that we see today, and a lot of this hinges on how well
8:03 am
we do security. >> host: in the last couple of months, the white house has released a series of cybersecurity proposals, some legislative. how would you encapsulize those proposals? >> guest: i think they're a continuation of what the president asked us to do in may of 2009 where he released a cyberspace policy review and said there are some specific things we need to look at. one of them, of course, is the april release of the national strategy for trusted identities in cyberspace looking at, you know, identity and how do we do that and how do you get trusted identities. the second one, of course, is about the legislative piece. what are the things that congress can do to help not only the u.s. government, but u.s. businesses. and the third one which is sort of the cornerstone of a lot of what we're looking at, the president's international strategy on cyberspace. and note that i said cyberspace strategy, not cybersecurity because the subtitle is prosperity and economy in a sort of a technical world that we live in today.
8:04 am
>> host: i'm wondering if we could just do one more sort of stage-setting question. if you can characterize, because we're seeing on at least a weekly basis new evidence of cyber infiltrations, attacks, things like that. how do you, when you look across the board whether it's state-based cyber crime, how do you characterize the threat the united states is facing right now? >> guest: i think, one, you'd have to bucket it in the correct area. as you mentioned, cyber crime. clearly, we've seen cyber crime ever since we moved from bulletin board systems to the internet and web and e-commerce, there's been concentrated efforts by criminals out there to take advantage of that. so there's one piece we continue to see. that, of course, increases the more we become dependent on i.t. systems, the more opportunities to operate in cyberspace. on the other end of the spectrum, we start looking at the dependency we have as a government and civil society.
8:05 am
the lights are on because somewhere there's an i.t. system running a power system. so, therefore, because that dependency exists, any threats against those systems have a more dramatic effect on us which is why we're getting more focus on identifying what's going on out there, trying to isolate what exactly the impact's going to be, but more importantly, how do we stop it from happening? >> host: different corners of the government seem to have different views on how severe the threat is. and one of your jobs is to coordinate these differing views. but one of the most vocal opponents has been the pentagon with officials warning of a cyber pearl harbor and things like that. a lot of times in your comments i don't necessarily see that sort of approach taken. i'm wondering how publicly we're supposed to assimilate different views across the administration in terms of how severe the threat is. >> guest: when you look at different parts of government, the department of defense is
8:06 am
responsible for looking at the worst case scenario and protecting in our interests against that. other parts of the government; commerce, department of treasury who all have different respondents and see it through their lens. you're correct. when the president created this office, the idea was to coordinate these and develop good policy that the president could put forth on behalf of the u.s. government. >> host: what do we make of the pentagon's much stronger statements? if you liken it to a cyber pearl harbor or, you know, when they talk about the millions of scans that are done of defense systems every day? >> guest: yeah. and i would say it's not necessarily only the defense systems that are scanned. we have private sector, other parts of the government including other governments. and what it is, we hear what they say, we take that into account, figure out what they can do to help, how much is it directly related to defense activities, how much of it goes to the fbi, department of
8:07 am
justice, secret service, how much of it goes to homeland security. but this is part of an overall picture but not the whole picture. >> host: we alluded to the white house's legislative cybersecurity proposal. i'm wondering if we're going to see a little bit more action. in speaking with people on capitol hill, i've heard a lot of -- i've heard a lot of fears at least from aides on this issue that things have stalled out. can you give us a little bit of an update? >> guest: yeah. and we believe we're going to start seeing some moves on this when the congress comes back. this has been a big issue. we recognize there's a whole lot of pieces we need to put in place on this. legislative is only one of that. now, while this has been up there since we've submitted the proposal on behalf of the president, that doesn't mean we've stopped all work waiting for congress to do something. we continue to make efforts. but we think there'll be extra focus on it both not only in the senate, but also in the house, and we'll see a continued movement forward on a bipartisan basis recognizing that there's pieces of cybersecurity i think
8:08 am
the legislative body can help us with. >> host: you talked about pieces of cybersecurity legislation. would you prefer to see a whole package passed, or would you like it in bits and pieces? >> guest: yeah. we submitted what we consider to be a comprehensive package based on requests from senator reid, and we think that's the important way to look at it. because when we start looking just at the process of getting things through congress, if we have small bite chunks, it's going to take a lot longer. looking at it from the perspective, here's the pieces we need to put in place, let's put them in place at one time and then continue to evaluate. if we need more in the future because technology changes, the threat changes, then we can adjust them in the future. but looking at them in a comprehensive fashion is, i think, the way forward now. >> host: if congress doesn't look at it that way, which one piece do you think is critical to get passed? >> guest: i think the biggest one is the part where information sharing with the private sector, particularly the
8:09 am
critical structure. we've long debated what is private sector's role, how much interaction there should be. private sector's been staying for a -- saying for a long time there's a lot of things they can do on their own, but the government has other activities, they really need that. those are the two pieces we really, really need to make sure we get locked down so we can sort of accept that shared responsibility we have to protect the critical infrastructure. >> host: what have you been doing to work with private industry on this? in talking with people on capitol hill about the prospects for this legislation, i've heard considerable pushback from not just the chamber of commerce, the telecommunication companies aren't fans of the sort of system that your proposal and other proposals on the hill would set up to kind of require certain parts of critical infrastructure to evaluate their systems and kind of report back on that. and i'm wondering what -- how
8:10 am
the white house is managing industries' concerns on this. >> guest: i think there's a couple things. one, as we said when we rolled out the proposed legislation, this is the beginning of the dialogue. this is by no means, you know, the end of the dialogue. secondly, as we work with the private sector not only the white house, but also all the departments and agencies that have a sector-specific responsibility getting feedback with the private sector in shaping what is it that we really need to do and what are the things that they need. i don't know that i would characterize the private sector response as being tremendous pushback. there's concerns -- >> host: one person characterized it to me as they came out with guns blazing. so some of the folks getting feedback on capitol hill described it as significant. >> guest: yeah. and i think the vast majority of people i talk to say it seems to be measured. they want to understand the devil's in the details, we need to define what exactly is critical infrastructure, what is that reporting mechanism. we want to make sure if somebody has a particular reporting requirement now to some government agency that we're not
8:11 am
piling something else on top of them. those are the concerns i've heard with the private sector which, by the way, are shared concerns we have. as we get into the details, we need to continue the economic growth that i.t. and technology gives us while still making sure that the lights stay on and we have the ability to communicate. >> host: would you anticipate any changes being made to that portion of it? the guts of the legislative proposal and also the thing that's causing heartburn at least among some in industry? >> guest: yeah. i would think as this moves forward congress, if they get more coalesced on what are the details in this thing will work together, and we anticipate changes, and we expect them to come back with some of the proposed changes so we can provide feedback on how workable we think that is under the current set of situations we're living under now. >> host: and, mr. schmidt, an article by siobhan gorman, she quoted a document that said
8:12 am
this: >> guest: and it's interesting because we read that article, needless to say, and i've had a number of conversations with the chamber. and, basically, as they try to bear in mind that there are a number of different companies and organizations with different perspective. so as they're trying to -- and that was a draft. it was not fully vetted with the other members. so, basically, that getting out there was not quite fully representative of the position on the chamber itself and what they've told me. we continue to be sensitive to their needs, we continue to hope that they work together internally to figure out what are the alternatives that can not only once again continue the business needs that we have out there while also improving security. >> host: i want to read one other quote to you, if i may, sir. josh corman of the 451 group quoted in the huffington post on may 15th after the white
8:13 am
house cybersecurity proposals came out: >> host: how do you keep up? >> guest: well, that's the thing. when you start looking at how do you define being ahead of someone, i get that question all the time. we are better now than we were last year. we're more better prepared. we've got better processes not only within the government, but outside the government. but the vulnerabilities that we've had for years still exist, and the bad guys, the bad actors still exploit those same vulnerabilities over and over again. typical thing that we see through sort of the anatomy or the autopsy of one of these sort of events. you have a phishing e-mail exploiting a known vulnerability which gives somebody an escalated privilege. we've seen that for the past 20 years, so i don't know that anybody's ahead. we all recognize it. it's doing that basic hygiene that we're looking at. legislatively as we pointed out
8:14 am
in the proposal we put forward, there are some things we need to catch up on. the penalties for impacting critical infrastructure, the impact on organized crime which is now part of this cyber crime thing that we talked about a few moments ago. so updating that is key, but i don't know that i'd put two years, two years or two years. we recognize some ground we have to make up. >> host: this is c-span's "communicators" program. kicking off today we're doing a four-week series on cybersecurity and cyber threat. howard schmidt is our guest, intelligence correspondent for "the wall street journal" is our guest reporter. >> host: one of the other issues in the legislative proposal is the white house put a lot of stock in the role of the department of homeland security. and i've talked with some lawmakers who have some hesitation about that because they feel dhs is still nearly a decade old, not quite yet, still kind of a young agency, and
8:15 am
cybersecurity is an even newer responsibility for it whereas agencies like the national security agency have been doing this for decades. and i'm just wondering why focus so much on the department of homeland security, and how are you responding to concerns from lawmakers? because i understand this comes up from time to time in discussions with the administration. >> guest: first, you mentioned, you know, the department of defense, national security agency which has had great technical capabilities. they're the folks i would go to. but when you look at the civilian responsibilities across the homeland security, you look at the things that have been put in place for homeland security and the relationship with the private sector, they're the best place to put it. drawing on the other resources, drawing within the department of defense, department of energy, the department of justice and fbi, so it's a supportive role, but somebody has to lead this. as a consequence, they continue to build their capabilities as we develop the national cyber response plan. we look at things such as cyber
8:16 am
storm which is some of the exercises. that better gives them a window into some of the things they have to modify and change to do this. so i have confidence in the leadership, i have confidence in the mission they've got, but we continue to build the capabilities with smart people and good, good laws put in place to help support them. >> host: can the government, can the department respond quickly? >> guest: i think they can, and it's the type of thing where it's more than their responsibility. private sector is a big, big part of this. private sector's been dealing with it for a long time. so as a consequence the ability to ramp up what we're dealing with today is ongoing work, but more importantly it's building for the future because part of their role in not only dealing with things we deal with today, but how do we wind up making sure the private sector's better
8:17 am
organized, the government's better organized? so, yes, it's a building of capacity, but they're not the only ones in the world that have to deal with it. >> host: mr. schmidt, james lewis who i think worked with you on this report of csis, saw a quote by him saying that, um, asking private enterprise to help protect cybersecurity systems is like asking the airlines to protect the u.s. from air attack. what's your response to that? >> guest: yeah. i'm not sure that's a valid characterization. when you look at, number one, if you just boil it down just to the business, i think we've recognized in the business more over the past five years there's a business imperative. security's not a luxury, it's something you need to do. it's part of a business process. it's building that into the systems and still having an open system so we can do online transactions to be able to coordinate with our business partners. once again, it's a new thing.
8:18 am
this is a brand new technology that we've been pushing out the boundaries with. so asking them to do it, they have an inherent need to do that to make their businesses successful. you know, people talk all the time about power stations and all these other things. they don't make money if lights aren't on. businesses don't make money if, indeed, their products can't be sold securely. so there's a business imperative to do it as well. there's some slow to the table to fully recognize their role, but clearly they're getting smarter about it. part of our job is to make sure they understand they have a shared responsibility as well. >> host: at what point does it exceed their responsibility though? one of the things the pentagon is most concerned about is they're reliant on the same power grid that all of us are, and if lights go out, it affects them just as much as it's going to affect the hospital next door or whomever. i mean, when does a cyber attack, an act of war, whatever
8:19 am
terminology we use, but something where it starts to go into the military realm? >> guest: well, and that's one of the things we continue to debate with really, really smart lawyers. the part in there about the ability to respond in like. hopefully, we'll never see that. there's been a lot of discussion about putting labels associated with cyber intrusions, denial of service sort of things, and we continue to look at what is that escalation point. but to your point specifically about the dependency of the department of defense, the department of homeland security or any government has on those resources, we have a mechanism which is part of the proposal, the legislation is to say prove to us that you can do this, prove to us that you are set up to deal with most things that get thrown at you, and if not, what are you going to do to fix it? and it's almost, it sounds like in some cases a silly discussion, but how do we deal with a, you know, major snowstorm where we're shut down for days and days and days?
8:20 am
we have processes in place to deal with that, the unexpected. we have to do the same thing in a critical infrastructure realm as well. >> host: but even as lawyers debate this notion of what an act of war would be, you've now studied this problem for decades. what's your sense of it? >> guest: i think if we ever get to a point where it's military against military or military against civilian structures, then that sort of flips the switch the other way. and that's not to say it's automatically turn the switch back and become military. you have diplomatic, economic, you have all kinds of pieces to deal with those sort of things. but that's sort of the worst case scenario. >> host: so is that if u.s. can prove that some other country's military actually attacked? because, i mean, proving that a specific government, much less their military is responsible is something that is really difficult to do. i mean, that almost seems like i'm not sure when you would prove that. >> guest: well, and that's the thing. when you look at attribution, number one, i think it's just foolhardy of any government to do something like that because
8:21 am
they're going to be affected by it as well, and we've talked about that before. because it's in nobody's interest to create some sort of a cyber armageddon as people say or digital pearl harbor. but on the same token, that's why we have to be very careful in analyzing everything we see take place, every intrusion, every denial of service attack, every theft of passwords, to analyze them and say do these rise to the level of being a threat to the u.s. or the u.s.' interests, and if so, how do we deal with them? a lot of this, as i mentioned earlier, is just about basic hygiene and making sure these things we know out there just can't affect us. >> host: howard schmidt is currently the special assistant to the president, but i've got to tell you, he's had one of the most intriguing careers that i've ever seen, and i would suggest you go to the white house web site in case you'd like to look at it further. but he served in vietnam with the air force, he worked as a policeman in chandler, arizona, he worked for the fbi at the national drug intelligence
8:22 am
center. he was a special adviser for cyberspace security for the white house chief security, for the white house under the george w. bush administration he was vice chair of the president's critical infrastructure protection board. he served with microsoft as well, and that's just a couple of the things. he's gotten both his b.a. and m.b.a. from the university of phoenix. mr. schmidt, one of the proposals that the president calls for is that this needs to be coordinated from the white house. do you see this as a cybersecurity czar type position, who coordinates this activity? >> guest: yeah. i wouldn't call it a czar. truly, the term coordinator is what this job is all about. and interestingly enough and very positive, we've seen similar states around the world do similar type things recognizing there is the defense side, the intelligence side, the commerce side, that there needs to be somebody sort of bringing those things together, getting
8:23 am
the input from everybody and making good advice to, in our case, the president and in other countries the prime ministers or presidents there as well. so, clearly, it has to be anchored inside the white house as the president has put forth. >> host: are there any funding numbers put in place for this? >> guest: yeah. and we do have some things that go back to the comprehensive national cybersecurity initiative where money's allocated for that. once again, as we involve in cybersecurity, one of the things we look at was cybersecurity cost, and that would be antivirus or firewalls, those sort of things. no longer are they viewed as strictly security type things. it's just like when we buy a car today, we don't say, gee, i want to have brakes or i don't want to have brakes. that's why when we look at the i.t. infrastructure, the security's got to be built into it. >> host: looking at your office, one of the proposals that's still circulating on the hill is to sort of create more structure
8:24 am
around your position. and i'm wondering now that you've, obviously, had some time to spend in that position, i mean, what is your take in terms of proposals that would either give it more control over the pursestrings or just sort of establish your office more kind of grounded in statute? >> guest: well, first, you know, having control of the pursestrings doesn't necessarily make you more secure. we've seen that with the evolution of fisma and most recently some of the changes we've made to make that work. the structure we have now is a good structure. we have the ability to bring all the leadership into one room and go through these tough issues, who handles what, how it gets handled, what are the policies we need to do. so i think by virtue of the fact we've been able to accomplish so much in such a short period of time for cybersecurity sort of lends credence to the fact that i think we're well structured. plus, it wasn't mentioned earlier when the president created this position, it was not only part of the national
8:25 am
security council, but also dual hat at the national economic council which, once again, i think is vitally important because our economy deals so much with cybersecurity and technology. >> host: what's the hardest issue you've had to sort out among the agencies so far? >> guest: well, when you have great expertise in different areas looking at it very specifically from their area which is what we want them to do and getting people to come together with a consensus of what are the things we need to fix right now. moving away from the edges like we've seen in so many venues recently, getting to the middle and how can we move this forward. >> host: so what are you hearing from congress? >> guest: well, the meetings we've had with congress and on the heels of us submitting the president's proposal, we're getting a lot of good feedback, that they welcome the opportunity to debate this more deeply, they look forward to us providing some input into what are the things we really need. i think the last count when we first submitted this, there were 50 some odd pieces of proposed
8:26 am
legislation across 26 committees, all of them very well intended, all of them exercising jurisdiction but had not heard from us saying what are the things that you guys really need, and that's what we put forth. and we're very happy to get that. as we mentioned earlier, though, the debate's going to start when congress comes back and really get into the details of this. >> host: given the realities of about three months or so of legislative season left this year, do you foresee anything happening? >> guest: i do. i'm very far confident because there seems to be a commitment from leadership up there that says, yes, now that we've got this big issue behind us right now, we can start focus on this. because they all recognize we need to do things, and those things are part of the proposed legislation we put forward, and we need to move them forward. so i feel very confident they'll be moving this forward. >> host: have you gotten a commitment from republicans to move forward on this? because that was one of the things i was hearing on the hill that the republicans had other
8:27 am
priorities. >> guest: yeah. and my conversations have not been, have not been partisan at all. i meet with members of both parties. they've all committed, they recognize we need to do more, and it's a matter of getting educated on it and figuring out a way forward. i see no break in which side of the aisle's going to be working with us on this. >> host: and you think they're actually going to have time to pass legislation in the next few months? >> guest: i do. i feel very good because they recognize how critical this is to so many different pieces of what we look across the united states. >> host: mr. schmidt, we have not talked about the privacy concerns of some groups, the electronic privacy information center which will be a guest in this series a little later in a couple of weeks. this is a quote by marc rotenberg looking at the white house proposal: >> host: when it comes to controls on privacy. >> guest: yeah. and one of the things we did not only for the legislation, but also any of the other works we've done, we're engaged with the privacy and civil liberties
8:28 am
community. if you read through the president's international cyberspace strategy, it has had in many, many places references to freedom of speech, freedom of expression, privacy, civil liberties when it comes to cyberspace. so that's one of the core tenets in what we're doing. even to the point where the president has a dedicated privacy officer in my office. but when marc or anybody from cdt or any other privacy agencies look at this, we want to make sure they have the confidence that we're focusing on it, that we have controls in place to make sure we're protecting privacy and civil liberties and it's something we're accountable for. something that's transparent to whatever organization wants to look at it. i think we're doing that, we'll continue to move forward with the legislation to make sure this takes place. the other piece is the data breach notification. there's two pieces to that when we look at a national breach notification law. one is citizens, often times we're not sure what our rights
8:29 am
are when it comes to our information being compromised that's in the hands of a third party. on the same token, businesses that have that information are, you know, dealing with 47 odd pieces of legislation from different states on it's encrypted, not encrypted, we think something happened. so once again, i think we help vulcanize a little more this proposal with the national data breach notification. >> host: how do you make this user-friendly? >> guest: well, that's one of the tough things, and security's got to be transparent to the end user. and when i say end user, it's just not any of us sitting in front of a computer, it's the small and medium-sized businesses. when you look across the united states, 27 plus million businesses are doing things online. we saw even during the economic problems we had a couple years ago we saw a tremendous increase in the billions of dollars of online e-commerce. so it's got to be transparent, user-friendly. users should not be the ones
