Howard A. Schmidt joined the consulting group of IMlogic, an instant messaging management software company, on June 6. Schmidt's security experience includes serving as chairman and vice chairman of the President's Critical Infrastructure Protection Committee and as eBay's vice president, CISO and chief security strategist. He also served as chief security officer at Microsoft. He shared his views on computer security with reporters.
Reporter: Is computer security improving or getting worse?
SCHMIDT: This question is very interesting. "We are constantly improving" is probably the most correct answer. But I need to point out that it is not the guys who deliberately destroy us who have made our lives better, but that we pay more attention to safety and take more safety measures. In addition, in response to security affairs, the industry has proposed solutions that are getting faster and faster than in the past.
Reporter: User education is the most important ingredient for online safety. And this seems like a difficult problem. Can we remain optimistic about users using computers more securely and keep them from computer attacks from all kinds of avenues?
SCHMIDT: I think this is possible. If you are paying attention to some TV commercials now, if you look closely at how the product is made - I mentioned to others earlier today, such as if you go buy a wireless access point, or if you buy a cable modem or router, you can now see embedded functions such as antivirus, content filtering and spam protection, which are among the selling points. We are increasingly acquainted and understood by end users, which we did not have in the past. I think this is partly because the industry is taking security as a selling point and security as a key feature. For example, I remember some of the things we used to do at the White House, where we developed national security strategies to keep computer space safe, and we held state government meetings nationwide. After that, security issues were finally recognized, not only by those private sectors and commercial institutions, but also by end users - PTAs, staff, etc.
Reporter: The complexity of Internet software and hardware makes it necessary for users to spend a lot of effort to avoid making mistakes on the Internet. Are suppliers making enough efforts to enable users to use their computers easily and safely?
SCHMIDT: Their efforts are enough. Looking back at the 1980s, the Michelangelo virus and other viruses spread through disks rather than on the Internet. In order to deal with these viruses, you must install virus software. And every once in a while you have to get updates to it. After that, we saw automatic online updates gradually gaining the upper hand. Then the integrated security suite software includes personal firewalls and antivirus software, which are integrated into a set of solutions. So it's obvious that it will be easier for end users to get a secure space. The same changes occurred in the operating system and the application. Looking back at Microsoft in 2001, when we started to trust computing, security became the primary business of Microsoft, Cisco, Oracle, Sun, and other large software vendors. Some automatic patching tools are easier with the help of some automatic vulnerability evaluation tools. Most of the problems become simple when it comes to security matters.
Reporter: I recently spoke to a professor at Michigan State University about a new information release rule, which was enforced by the Federal Transaction Commission to limit identity theft. She expressed doubts about IT's ability to reduce identity theft. Her view is that identity theft generally comes from the workplace. Although IT technology has spent many years ensuring data security, it is a problem related to human factors. Do you have more confidence in IT security measures?
SCHMIDT: I have to clearly distinguish between technical crime and ordinary crime. When talking to IT experts, we generally talk about other PPTs, not PowerPoint, but people, processing processes and technology. According to these experts, her point of view is completely correct. Technology is not a panacea, but it is obviously a key element in dealing with these problems. People and experts are also part of these issues.
Looking back at those crimes, in 1986 I was a computer crime scout for the Arizona State Police Department and we had a group of criminals. They were all fraudsters, criminals in the traditional sense. At that time, we didn’t have the current transaction credit reporting bill and credit department, so basically anyone could start a fake travel agent. Then they used the agent to scam credit history – all of which happened before the internet world we know today – they were identity theft (and other scams). Now, it's still the same thing. It's still a fraud case. Just as we have never been able to stop human theft in history, we have no way to stop 100% of fraud cases. … We must ensure that there are training, processing procedures and strategies to help technology reduce fraud cases and identity theft.
Reporter: An appeals court in Minnesota recently legislated that the emergence of encryption software can be seen as evidence of criminal tendencies. What do you think about this?
SCHMIDT: I'm not very clear about the details of this case, but I've heard of it before. This is interesting because we see two aspects of encryption – we can review a lot of the debates about encryption in the early 1990s – in security companies, most of us say that the use of encryption is very necessary. As an example, see what you hear in college, such as a notebook stolen with all kinds of information on it. The question is, why not encrypt? There are many reasons why you don't need encryption, but these reasons don't work at all in today's world. The fact is, security experts recommend encryption measures. We use IPSec, we use SSL, we use all encryption technologies to improve security.
But if criminals use encryption to commit crimes - that's the other side of encryption - we've seen terrorist fundraising, scams, and child pornography movies, etc. Generally speaking, if you see that situation, you already have enough evidence to point out that they have a criminal tendency, but encryption allows them to hide the evidence further. It is obvious that those are criminal acts and they should be charged for these acts. If we do not have the technology to decrypt data, then legal groups have naturally concluded over the past period of time that using encryption technology to conduct criminal activities is a crime, rather than an attempt to eliminate crime to some extent.
Reporter: What other measures has the state government not yet taken to improve computer security?
SCHMIDT: The first and most important thing is that assuming 85% or more of the important infrastructure is owned by private companies, the government must confirm national security policies to ensure computer security, which is what we have been doing at the White House, and by promoting the implementation of these strategies, let private business owners know that they have a lot of work to do. The establishment of the NINAC (National Infrastructure Assurance Parliament, one of the President’s Advisory Bodies), the National Security Communications Advisory Board (also one of the President’s Advisory Bodies), the Ministry of Trade Information Security and Privacy Advisory Board, and the Management and Budget Office, all give private business owners a reminder that security is an important issue regarding national security, public security and economic feasibility.
From the government's perspective, the government has done a very good job and ensures that people are aware of their special responsibilities in terms of security protection of important infrastructure.
Another aspect that the government has already started is certain bill-related matters, such as Gramm-Bliley and Sarbanes-Oxley, which are worrying at the beginning. Of course, Sarbanes-Oxley is not specially designed for IT security. It is designed for financial control. If you don’t have good IT security, you don’t have good financial control. So IT security is very useful. What the government needs to work hard on is to continue to sort out their internal affairs. For a long time, government officials, including me, have been saying that computer security must have a model. I think we have already had preliminary countermeasures for the current slightly scattered situation.
Reporter: What do you think the online world will be like in the next two or three years?
SCHMIDT: In the future, we will have a better division of the online world. This division is very similar to what we see in the physical world. What you can do in it is similar to the activities you can engage in anonymously in the real world. This is the opposite of activities that require real-name systems, such as stock trading. We will have a better granularity division and better protect everyone's privacy, because we will better manage identity verification in the online world.
Article entry: csh Editor in charge: csh