Schneier on Security
A blog covering security and security technology.
December 22, 2009
Howard Schmidt to be Named U.S. Cybersecurity Czar
I heard this rumor two days ago, and The New York Times is reporting it today.
Reporters are calling me for reactions and opinions, but I just don't know. Schmidt is good, but I don't know if anyone can do well in a job with lots of responsibility but no actual authority. But maybe Obama will imbue the position with authority -- I don't know.
Posted on December 22, 2009 at 9:28 AM
• 20 Comments
He's not walking into it blind... he's been there before.
Good luck Howard!
I'll light a candle to St George and an offering to Ogum for you.
Responsibility without authority is a recipe for getting thrown under the bus anywhere, let alone inside the beltway. Schmidt can reenter the private sector with ease and if the reason for his eventual departure is sufficiently notorious he'll be able to demand big bucks on the professional speaking circuit. Interesting career move.
One possible positive role the C-Czar could play would be to launder knowledge and technology and technique currently resident inside the NSA -- which is legally proscribed from intervening in domestic non-government computer security issues -- making that information legally distributable to the public.
That is, the position could act as a work-around for the legal firewalls that surround NSA, and which ensure that currently, the government agency with the greatest expertise on the subject is also the agency least capable of communicating that expertise to the public.
I wish we didn't have to call the guy a "Czar", though. We are a republic, after all.
I think several folks predicted this potential outcome. The Cybersecurity Czar position is security theater at its best and for that I don't think anyone is surprised Schmidt is put on that stage. It's simply politics and has very little to do with security. Responsibility w/o authority = ineffectiveness. Not to mention there have been a number of comments from other government entities currently responsible for security that have made it clear that the position is "undesirable", read: "appoint who you want, we're going to do what we want to regardless". Schmidt will say all the right things and be politically correct as the face of US cybersecurity, but that's as far as it will go.
I'm actually more optimistic about the position. The czar can tap into the President's transparency directives and give us important information about outcomes and effectiveness in a large set of large organizations. Having such data would be a catalyst for empirical research.
Some additional thoughts, long before the announcement are at http://newschoolsecurity.com/2009/08/...
If he was involved as part of the Bush administration, this promises to NOT be an improvement. Others here have correctly observed that it is a position completely set up to fail.
This trend was also seen during the Bush administration, where the General appointed to run the war in Iraq had no actual command over the troops and was instead a person "reporting directly to the President". End result: the people really running the show continue to do whatever they want, while the "Czar" provides an enthusiastically performed puppet show to keep the general public and the press off the President's back.
If anything goes wrong and news of what's really going on manages to get back to the public and/or the press, the Czar is removed with stentorian announcements that the administration disapproves of "his" actions. He is subsequently rewarded with a cushy job in the private sector for his role in the scam.
This particular play in the security theater repertoire is getting really old. Why are we still falling for it?
"But maybe Obama will imbue the position with authority"
Luckily the 10th amendment and other governmental constraints should keep Obama from imbuing just any old authority.
@Trichinosis USA at December 22, 2009 11:38 AM
Well, be grateful Bush is no longer president, Iraq is over, and you can move on. Sooner or later, you may have to find someone else to blame for all the world's problems. Your (bitter) partisan jabber gets old.
By taking this job, Schmidt is able to cash out of eBay without having to pay some taxes on gains he made there. For Schmidt, taking the job is a question of trading his ego (nobody will be successful in this job) for finances.
It's a political job. He's set up to fail.
But in the meantime, he'll find nice paying jobs for his family and friends at all the "security" companies that he'll be recommending to the federal government.
There are lots of kinds of power. Not having enforcement authority wouldn't keep me from having press conferences, going on TV and sending out a monthly "who screwed up the most" report.
@Steven Hoober: There are lots of kinds of power. Not having enforcement authority wouldn't keep me from having press conferences, going on TV and sending out a monthly "who screwed up the most" report.
I would say his level of power would be dependent on how much influence he has over the president and other members of government. If others, especially the president, follow his advice he has enormous power. If not, he's powerless.
Many people see such positions as puppets and fall guys. I'm not saying that isn't the case, but there is a flip side. It can be dangerous to set up a sacrificial lamb in a position of knowledge. Such people can become PR nightmares with what they can disclose.
When leaders don't solve problems but only perpetuate them, I will use what little freedom I have left - freedom I more than earned with six years of active military service, thank you - to call them on it. As is my constitutional right and DUTY as a citizen of this country.
YOU deal with it.
Schmidt has never stayed in any one position very long. What has he ever actually accomplished over the years? Has he ever made a significant impact related to security? He likely made more of an impact related to security when he was a police officer.
@Trichinosis: "When leaders don't solve problems but only perpetuate them, I will use what little freedom I have left - freedom I more than earned with six years of active military service, thank you - to call them on it. As is my constitutional right and DUTY as a citizen of this country."
I never questioned your constitutional duty or your rights. And I sincerely have tremendous respect for your service to our country.
However, that said, you used a thread about a cybersecurity czar to bash a former president over Iraq. So I used my constitutional rights to tell you that such off-topic partisan whoppers get tiresome.
YOU deal with that. (your words, not mine).
It sounds like Schmidt has the same authority as most of us here. Little to no authority, because the business typically is the decision maker. Govt. is just a really big business at the end of the day. So, is his lack of authority really that different than any other security job? I guess the main exception is a military position, where security typically comes first.
There's a guy I know from the Bush WH who remembered Howard and how assiduously he was ignored by his colleagues. "There is barking incompetence. Drooling incompetence. And standing around in soiled undies looking face up into the sky and cooing unintelligibly incompetence. Then there's Howard."
New Cybersecurity coordinator Howard Schmidt is yet another Obama Administration Czar Wreck!
Schmidt is a "Distinguished Fellow" of Carnegie Mellon University's CyLab, whose management is a catastrophe.
We're looking at the cover-up of identity fraud, securities fraud, hedge fund fraud, and felony theft-by-deception!
Were there Congressional scrutiny, Schmidt would never have been a serious candidate for the critical job he now has.
About Schmidt: Just read how Pres. Obama turned up at a Cyber Security meeting chaired by Howard. So shame on all those who posted negative comments about him. The guy authored a book "Lessons learned from a Lifetime in Data Security". So while you or I spent our infancy breast feeding and soiling our diapers, Howard must have been doing IT risk assessments. Remarkable. He probably virus-scanned the Maternity ward computers straight from the womb.
LOCATOR, GETTING OFF A CRUISE SHIP WHERE THEY LINE UP 500 BAGS, AND 50 PEOPLE HAVE THE ITEM, THAT'S 50 PEOPLE WHO WILL KNOW EXACTLY WHERE THEIR BAG IS. SAME PRINCIPLE AT AIRPORTS, BOTTOM LINE IT WORKS
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.