[infowar.de] MS security chief to become vice chairman of the Cybersecurity Board
Infowar.de, http://userpage.fu-berlin.de/~bendrath/liste.html
-------------------------------------------------------------
Howard Schmidt, currently Chief Security Officer of Microsoft, will
probably join the board newly appointed by Bush in October. He has
considerable experience in government service; among other things,
before his job at MS he was director of the Computer Forensic Lab and
Computer Crime and Information Warfare divisions of the Air Force Office
of Special Investigations (AFOSI), and was with the Computer
Exploitation Team of the FBI Drug Intelligence Center.
Below are two articles from Computerworld on this: one with the initial
report, another with some (also skeptical) reactions to it. Key
sentence: "The security industry still hasn't come to grips with
defining the scope of critical-infrastructure protection".
RB
Microsoft top security officer expected to join U.S. cybersecurity team
BY JAIKUMAR VIJAYAN
Computerworld, December 14, 2001
Howard Schmidt, Microsoft Corp.'s chief security officer, is expected to
be appointed by President Bush as vice chairman of the newly constituted
federal Critical Infrastructure Protection Board, according to a
knowledgeable source.
In that role, Schmidt would work with national cybersecurity czar and
board chairman Richard Clarke in overseeing protection of information
systems for critical infrastructure.
The critical infrastructure board was established in an executive order
by Bush on Oct. 16 and is charged with securing information systems in
sectors such as telecommunications, energy, financial services,
manufacturing, water supply, transportation, health care and emergency
services.
The board is led by a chairman and vice chairman, both of whom are
designated by the president.
If confirmed, Schmidt is likely to start his new job sometime in early
January, the source said.
A Microsoft spokeswoman refused to comment on Schmidt's likely
appointment, saying only that he continues to be Microsoft's chief
security officer.
If appointed, Schmidt's presence could "lend somewhat of a higher
visibility to the infrastructure protection board," said Charles
Kolodgy, an analyst with International Data Corp. in Framingham, Mass.
"In that sense getting him would be a coup," Kolodgy said.
Schmidt's previous experience in government agencies should give him
some familiarity with the inter-agency conflicts and the budgetary
constraints he is likely to face in his new role, Kolodgy said. "But
after being among the [top executives] of a large company and not having
too many people question what you are doing, it should be interesting to
see," how he readjusts to a bureaucratic environment, he said.
Before joining Microsoft, Schmidt was a supervisory special agent and
director of the U.S. Air Force Office of Special Investigations (AFOSI),
Computer Forensic Lab and Computer Crime and Information Warfare,
according to biographical information on Microsoft's Web site. The AFOSI
specializes in investigating intrusions in government and military
systems by unauthorized persons in counterintelligence organizations and
criminals.
Schmidt also was with the FBI's National Drug Intelligence Center, where
he headed the Computer Exploitation Team as a computer forensic
specialist.
--------------------------------
Mr. Schmidt goes to Washington
BY DAN VERTON
Computerweek December 17, 2001
WASHINGTON -- President Bush's pending appointment of Microsoft Corp.'s
chief security officer Howard Schmidt to the No. 2 position at the U.S.
government's Critical Infrastructure Protection Board raises an
important question about the homeland security effort: Should
private-sector experts be heading for the White House or frontline
security agencies?
News of Schmidt's expected appointment, first reported by Computerworld
last week, comes as the federal government's cybersecurity and
critical-infrastructure protection community struggles to define itself
amid a growing bureaucracy focused on homeland security.
While many experts praised the addition of Schmidt to the government's
critical-infrastructure protection team, others said tangible steps need
to be taken to improve the government's focus and the private sector's
cooperation with frontline cybersecurity agencies such as the FBI's
National Infrastructure Protection Center (NIPC). The NIPC, based at FBI
headquarters in Washington, was formed in 1998 to handle threat
assessment, investigations and responses to any attacks on critical U.S.
infrastructures.
Despite lessons learned from the Sept. 11 terrorist attacks on the
U.S., which demonstrated the nation's vulnerability to physical
disruptions and the interdependency of its critical infrastructures, the
government and private-sector stakeholders in the CIP effort remain
uncertain about the definition of critical-infrastructure protection
and, in some cases, uninvolved -- a problem that a political appointment
like Schmidt's can't fix, experts said.
"A large majority of the focus up until Sept. 11 has been on the
information security side of the equation, and there has been a limited
focus on infrastructures, particularly physical disruptions and the
interdependencies that proved so important during the Sept. 11 attacks,"
said Paula Scalingi, former director of the U.S. Department of Energy's
Office of Critical Infrastructure Protection and now president of The
Scalingi Group, a Tysons Corner, Va.-based infrastructure security
consulting firm.
The security industry still hasn't come to grips with defining the scope
of critical-infrastructure protection, she said.
The more pressing need, said government and private-sector officials, is
for industry experts like Schmidt to provide expertise to the NIPC so
that interdependencies among the telecommunications grid, power grid,
energy pipelines, emergency service networks and other critical services
can be better understood.
In fact, NIPC Director Ronald Dick last August acknowledged a critical
need for private-sector expertise. "I need people who know gas and
water, people who know electric power and the transportation system," he
said.
Dick has praised the relationship between his agency and the North
American Electric Reliability Council in Princeton, N.J., citing it as
one of the first arrangements in which classified cybersecurity
information is being shared with industry.
However, the electric power industry is a prime example of an industry
in which cooperation and focus remain moving targets. Joe Weiss,
technical manager of the enterprise infrastructure security program at
the Electric Power Research Institute in Palo Alto, Calif., said the
fact that some of the leading suppliers of IT systems that control
electric power throughout the country aren't members of the Partnership
for Critical Infrastructure Security (PCIS) is a major threat to
critical infrastructure. The PCIS is a key government/private-sector
security organization working to enhance IT security.
"The Web sites will be safe, but the lights will be out, and water and
oil won't flow," said Weiss, stressing the fact that existing IT
technology won't work in industrial control systems and, in some cases,
can actually shut them down. "There have been vulnerability assessments
done, and these important control systems have been shown to be
vulnerable," he said. "This is not in any way, shape or form
hypothetical."
GTE Corp., one of the suppliers mentioned by Weiss, couldn't be reached
for comment. However, Bud Greebey, a spokesman for Siemens AG, another
major supplier of critical industrial systems, said the company is "not
aware of any overtures to us from the PCIS." Even so, the premise behind
the PCIS is something Siemens fully supports, he said.
Ron Ross, director of the National Information Assurance Partnership, a
Washington-based government/industry consortium led by the National
Institute of Standards and Technology and the National Security Agency,
agreed that there is an education and awareness gap regarding potential
vulnerabilities in some important systems and networks that make up the
critical infrastructure.
"We now have to begin to delve into a variety of areas that need
significant attention with regard to computer security," said Ross.
Alan Paller, director of the SANS Institute in Bethesda, Md., said
every technical, hands-on expert that the NIPC can add to its ranks from
the private sector would immediately help the cause of homeland
security. And while Schmidt offers policy expertise to the government,
his addition to the President's Critical Infrastructure Protection Board
directly supports the NIPC, said Paller.
A former senior government official, speaking on condition of
anonymity, said appointments that are heavy on prestige but light on
hands-on analysis capabilities aren't what's needed right now. "They
[the NIPC] need sector expertise and particularly analytic capabilities
to address infrastructure interdependencies," the official said.