Bush Names New Cyber Security Czar

goombah99 writes "The Washington Post reports that Cybersecurity "czar" Richard Clarke has confirmed widespread reports that he is leaving the White House, to be replaced by former microsoft security chief Howard Schmidt. He was also part of the Air Force's 'Computer Crime and Information Warfare division'. In related news, the National Strategy to Secure Cyberspace has received Bush's signature and will be released to the public in the next few weeks. Clark's blunt staements on the to the need to avoid erosion of privacy rights is rumored to have rubbed the administration the wrong way, prompting his exit. Anyone know how Schmitt will view the relative security of closed versus open source?" Nothing says "Security" better to me than "Former Microsoft Security Chief".

Not surprising

[0x0d0a]

Nothing says "Security" better to me than "Former Microsoft Security Chief".

Look, do you want extensive experience or not? I trust this guy to have run into more security problems than just about anyone else out there.

I wonder if he leaned more toward engineering (and the godawful CryptoAPI) or policy (and the signing procedures that let Nimda get out)?

On a more realistic note, in terms of practical security benefit, the recent spending of taxpayer dollars on a set of minimum Windows security standards (the "Gold Standard") is probably one of the most cost-effective things that could have been done for nationwide security. Even if it grates those Linux/Mac OS/etc people among us the wrong way... It beats blowing more money on facial recognition at Super Bowls.

Interesting. because

[Sh0t]

I've worked for the Dept of the Navy for 6 years now,4 years as an active marine and 2 for a navy contractor and I've seen a trend in the Navy/MC away from microsoft products and their consultation.

But then again, it doesn't mean that everything will be MS because he's a former MS officer, but it is more than possible. If anything he may have a VERY humble attitude toward things because I'm sure he's been the brunt of many criticisms from his past post.

It's no secret MS has had problems with security.

But I wonder what this will mean for upcoming copyright and piracy issues involving computer software and the like. Since he comes from a company where the doctrine is pretty strict in terms of copyrighting and such, we will see a severe change in the laws?

"Clark's blunt staements on the to the need to avoid erosion of privacy rights is rumored to have rubbed the administration the wrong way, prompting his exit"

Well if the previous guy was removed because he was in favor of keeping privacy rights a concern, this may indeed be the case.

Overall, I can't say this is a good sign.

Excuse my above ramblings, I have strep throat and it's driving me crazy.

When was the last time microsoft.com was cracked?

[Temporal]

Just to point out... According to the article, this guy was in charge of Microsoft's network's security, not Microsoft's software's security. The fact that he has been able to keep that web site, which runs on NT, from being cracked for so many years must qualify him as some sort of security god.

(If I am misinformed, and microsoft.com has actually been cracked and defaced at some point in the past, do tell...)

Alarming related news

[mysticgoat]

Quoting the last five (short) paragraphs of the story:

The White House has so far been unable to fill top leadership posts at the Homeland Security department's division charged with protecting the Internet and other communications systems from attacks.

The administration's first choice to run the Information Analysis and Infrastructure Protection Division was former Defense Intelligence Agency Director James Clapper.

Clapper, a retired Air Force lieutenant and the head of the National Imagery and Mapping Center, unexpectedly pulled his name from consideration.

John Tritak, former director of the Critical Infrastructure Assurance Office and pegged as the administration's pick for deputy undersecretary for infrastructure protection at the Homeland Security Department, is still a name under consideration, though he recently left the government.

Another noted name in online security, Ron Dick, director of the FBI's cyber threat and warning bureau, has also resigned from government service.

Is anyone else disturbed by the way first choice candidates seem to be running away from any involvement with government internet security?

That's too bad

[drix]

I had the opportunity to meet and interview Clarke when he came to my school last year to give a speech as part of a post-9/11 outreach program to CS faculties around the nation. (In fact, I wrote an article about it for our school newspaper, if you're interested.) He really handled himself well. The crowd was more or less 100% engineering and CS faculty, grad students, and the type of smart undergrads that would actually care about such a thing, in other words a tough crowd to play to. And I think everyone was a pretty skeptical at the outset that any government official would know his ass from a hole in the ground when it comes to IT policy, so-called "cybersecurity" (blech), and such. But he did! After he spoke he gave about a 40 minute Q&A where people asked him all sorts of tough and sometimes really esoteric questions concerning software patents, the DMCA, network security, hell, something about quantum computing even came up. His knowledge was impressive and, even more heartening, when he didn't know the answer he just said so rather than bullshitting. All in all I left with a good feeling that this guy was the White House's go-to man for IT policy and would be protecting our computers from the terrorists. Now it sounds like he got fired because he wasn't quite fascist enough for the Bushies, which is really depressing. Guess I should have seen it coming all along.

Nothing new here

[jc42]

About 15 years ago, I was working on for a consulting firm (which shall remain nameless here ;-) that does mostly government contract work. I was one of a small group that was assigned the task of analyzing and reporting on security issues with the growing collection of commercial networked small computers. My task was mostly collecting and/or writing security-test software.

After a couple of months, the security guys discovered some of the things that I'd collected (or written). I was summarily fired.

During the discussions, my boss observed that I was perhaps lucky that they didn't decide to prosecute me. He thought that there were two reasons they merely fired me: 1) I was doing the job that I'd been assigned, and 2) They were afraid that my lawyer would merely demand that all the evidence against me be presented in court.

Within six months, all the rest of the group had quietly resigned. I'm still in occasional contact with some of them. None of us has ever accepted another security-related job.

Computer security is of growing importance. But nobody with much experience in it is likely to accept a government job. I wouldn't avise anyone to take such a job, unless you know that you have the power and money to defend yourself when the inevitable happens.

(It might be interesting to hear from others with similar experiences. Of course, the poster boy for this whole topic is Randal Shwartz. Google him and read all about it.)