Slashdot Mirror


Howard Schmidt Resigns As Cybersecurity Advisor

scubacuda writes "CNN and others report that former Microsoft chief of security Howard Schmidt has resigned as White House cybersecurity adviser. 'With the historic creation of the Department of Homeland Security, the transfer of many of the responsibilities from the Critical Infrastructure Protection Board and the release of the strategy, I have decided to retire after approximately 31 years of public service and return to the private sector,' Schmidt said in his April 21 e-mail."

12 of 133 comments

  1. What? by SixDimensionalArray · · Score: 5, Insightful

    I might be way off here, but didn't he just recently ACCEPT this position and he's already resigning?

    1. Re:What? by Blaine Hilton · · Score: 4, Insightful
      This is probably a sign that the current administration has really bad cyber security plans. I know they really are not doing too much for homeland security too. They have all these billions of dollars, but it doesn't seem that it's going for any real protective measures.

      Go calculate something

    2. Re:What? by Motherfucking Shit · · Score: 4, Insightful
      I might be way off here, but didn't he just recently ACCEPT this position and he's already resigning?
      Yep. His predecessor resigned, too, just three months ago, citing the Slammer worm as his reason for leaving. It seemed like a bad excuse at the time, and it seems even worse now, after two people have resigned that position this year.

      My hunch is that either:

      a) Whoever's in the office of Cybersecurity Adviser is basically the designated fall guy. We'll see this person pushed out (e.g. fake resignation) whenever there's a "cyber attack" that he "should have seen coming."

      b) Both men accepted this position, realized that the plans they're supposed to implement are just feel-good actions which aren't going to really accomplish anything security wise, and decided to get out.

      c) Both men accepted this position, were asked to do something they couldn't morally/personally agree to do (perhaps some sort of TIA-style project, or overzealous "figure out how to route the entire internet through the NSA" plan) and decided to get out.

      d) The government doesn't pay me enough to put up with all this shit.

      e) Some combination of the above.

      Granted, all of these are speculation, but I imagine the true answer is probably e). It'll be interesting to see how long the next one lasts.
      --
      "BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
  2. Actually a loss to the Government by D3TH · · Score: 5, Insightful

    Having worked with Howard during his time with the Air Force, and having followed his career in the private sector and post-Air Force public service, this is really too bad.

    For those who don't know (which I assume is most of you), Howard was a pioneer in the area of computer evidence analysis, first as a 'local' police officer, and then as a federal Special Agent. It's important to note that his time at Microsoft had nothing to do with their products (this in response to all those "we all know how secure Microsoft products are" trolls out there).

    He and his wife are avid computer users, and Howard was one of the few people I've ever encountered at his level in Government service that could talk to you about technology and computers with any degree of real understanding. He built his own machines (at least when I was working with him) and was taught classes on low-level file system internals and disk layouts.

    He became involved with computer crime at a time when only hard-core hackers (not crackers) were really playing around with computers, and paved the way for many others who are themselves pioneers in the information security community, both in the public and private sectors. The atmosphere created and fostered during his time at the Air Force allowed many people to grow and learn, and many of them are not only members of the InfoSec community, but the open-source community as well.

    I'd better quit before this turns into blatant fanboyism, if it hasn't already. My intent is not to deify him, I just want all of you who've only heard him give nicely formatted press conferences or canned interviews to know that there's more to him than that. I'm not sure if you could really find someone better to be involved with the goings-on at that level, but I'm absolutely certain that you can find many many worse.

    1. Re:Actually a loss to the Government by Anonymous Coward · · Score: 3, Insightful

      If he's so great then what was he on about with all those interviews where he insisted that Microsoft was completely focused on security? It was only a couple of years later when everyone at Microsoft resigned the fact that they didn't have a clue about security and took time off to try to figure it out.

      Canned interviews are quite telling because it puts a face on the hype. He was either saying things he didn't understand or he was knowingly selling a myth.

    2. Re:Actually a loss to the Government by 0x0d0a · · Score: 2, Insightful

      He may well have done all that. However, his two last major jobs were:

      * Microsoft chief of security -- Microsoft placed very, very little emphasis on security for years. It came back and bit them on the ass -- hard -- with IIS worms and a few high profile exploits. This became one of the most severe threats to their market share. So, you could say that maybe he was recommending improvements and being ignored, but the point remains that his sole responsibility in his job was to ensure that Microsoft dealt well with the issues in the security world and allocated to security an appropriate amount of resources, to keep their product on top. He completely fucked up, and Microsoft is still scrambling to try to regain lost customers moving to reduce administration costs and improve security. Security issues are the biggest threat to MS's server market share. So he managed to fuck over Microsoft more than any other person at the company. I have to say that that doesn't sound all that impressive.

      * Cybersecurity advisor for the US govt. He managed to get the Office of Homeland Security set up control over computer crime? Lovely...that's led to some of the most idiotic crap coming out of Washington in the last decade, like life sentences for hacking. Not what I'd call an accomplishment.

      So he may be a nice guy. He may be smart. But he's done one hell of a lousy job being an administrator, and I have to say that I'm not sorry seeing him go.

  3. 31 Years??? by ackthpt · · Score: 2, Insightful
    I have decided to retire after approximately 31 years of public service and return to the private sector,' Schmidt said in his April 21 e-mail."

    That reads like he's been working in the public sector all that time. But, I'm sure he hasn't divided his attention when working in the public sector ... unless it really turns out that Microsoft has been around longer than we all thought and the rise of Microsoft, Gates, et al, has been part of a massive plot!

    No... I wouldn't even consider that... well, probably not anyway.

    --

    A feeling of having made the same mistake before: Deja Foobar
  4. We've made a wrong turn somewhere. by eidechse · · Score: 4, Insightful

    As evidenced by the fact that this: "We are concerned that the cybersecurity issue is losing visibility inside the White House," said Harris Miller, president of the Information Technology Association of America. "In this case, the 'bully pulpit' opportunity to influence the development of a truly secure cyber infrastructure and associated best practices will be lost." is one of the main opinions expressed in this article. We've elevated commerce to such a position that the perspective of a trade group is of primary importance when reporting on government and security. I know this isn't new. Business has played a large role in politics and civics (if the two can be separated) for at least the last 2000 years, but it seems especially egregious when Miller laments the loss of the "bully pulpit" as if he just got outbid for a Super Bowl commercial slot.

  5. So when the Windows update servers got pantsed... by Wee · · Score: 2, Insightful
    It's important to note that his time at Microsoft had nothing to do with their products (this in response to all those "we all know how secure Microsoft products are" trolls out there).

    Yeah, about that Windows update service, when it got compromised Mr. Schmidt did...? What exactly? Was that "product security" or "infrastructure security"? Or was the actual buffer overflow a product-level security issue, but the unpatched servers a corporate security issue? I wonder which one would have been easier to prevent... Hmmm...

    When Microsoft started distributing the NIMDA worm was that the application group's screw-up? Did Mr. Schmidt's security policies extend to internal processes like QA? Surely when they release software internally, Mr. Schmidt's group had to make sure that it was safe, right? Why not give the rest of the world the same courtesy? Does MS have separate internal and external QA groups? If not, do their internal SQL, web, etc servers have holes? Is MS's security policy therefore "crunchy on the outside, soft in the middle"? That's not very reassuring.

    I could go on, but rather than be labeled a "troll" for simply pointing out facts and asking rhetorical questions, I'd just like to offer that perhaps, just perhaps, there might be some merit to the whole "security is a process, not a product" idea. Put another way, I for one would feel better if the U.S. Cybersecurity Advisor didn't have a "that's not my department" precedent coloring his judgement. Or maybe I'm taking your statement out of context and unfairly judging Mr. Schmidt for being asleep at the wheel when he was merely in the passenger seat inert, in which case I apologize.

    While I certainly have nothing personal against Mr. Schmidt, like it or not he was the front man for Microsoft's "security". If MS gets a bad rap on security issues, for whatever reason, then Mr. Schmidt takes the heat on it -- if only for being the most visible target. And honestly, you can't really say with a straight face that MS's products have nothing to do with its corporate security. Microsoft's products have everything to do with many thousands of other corporations' security. If those products had been built with security in mind, maybe there wouldn't need to be this big, mystical demarcation between the security inherent in MS's products and its corporate computing infrastructure. In the public's eye, anyway, there isn't any difference. Microsoft is its products -- and its products have a really appalling track record with regard to security.

    -B

    --

    Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.

  6. Re:So when the Windows update servers got pantsed. by D3TH · · Score: 5, Insightful

    It's easy to sit on the sidelines and snipe, but the fact of the matter is you've done nothing to address my original post. Instead of nitpicking my statement about his position not being related to products, it would be nice if you had addressed my point, which is simply that during the time that I worked with him, he was significantly more clueful than the other administrators I've interacted with at his level.

    Since it's doubtful you were employed at Microsoft during his tenure there, and even less likely to have been privy to any policy or other decisions he made while there, it's fairly disingenuous for you to now judge him on the content of a few news stories. I suppose that's always the problem with any position related to security, people never hear about the incidents that DIDN'T happen.

    Regardless, I'm not here to defend Howard's performance per se, just to give my opinion, having worked directly with him (unlike you?) that there are certainly worse people they could tap for the job (see post below re: Hillary Rosen).

  7. Re:Wow! by Ben Hutchings · · Score: 2, Insightful

    His role is effectively being replaced by a role in the Department of Homeland Security, and he failed to get that job. He didn't feel like sticking around being irrelevant. Well, that's my guess.

  8. Re:So when the Windows update servers got pantsed. by D3TH · · Score: 2, Insightful

    I used the term "snipe" specifically because you're pointing out facts. The problem is your facts have little or nothing to do with the thrust of my original post. The best trolls are always the ones based in the truth.

    Listen, if you want to start your own thread attacking Howard for his lousy public performance during his tenure at Microsoft, or his willingness to attend press conferences and praise Microsoft's (fabricated?) single-minded focus on security I promise I'll have little or nothing to say in response. I consider those criticisms valid, if somewhat shortsighted. My intent in stating his job was unrelated to products was nothing more than an attempt to defuse the more obvious trolls that did nothing but scream that flaws in IIS were somehow directly traceable back to his desk. If I take a slightly longer view, as you've advocated, perhaps at least some of those flaws could be traced there, at least indirectly. I agree that security is a mindset and a process, and the responsibility can't all be placed on the shoulders of the developers. It cannot, however, be placed solely at Howard's feet by the very same token. Please take a few minutes and re-read my original post. No time? Too lazy? Ok, I'll quote it here:

    "I just want all of you who've only heard him give nicely formatted press conferences or canned interviews to know that there's more to him than that."

    You ask me to step back and take the outsider's perspective. You complain that "Not everyone has the luxury to know him personally". The WHOLE POINT of my original post was to give you an "insider's" perspective on him. I very specifically did not speak to his performance in his position at Microsoft or the position he has just resigned for the very reasons you've cited: all I have to go on, really, is public information and in my opinion that's not enough. That's the reason that I posted initially, to attempt to give others the benefit of my perspective. And I still stand by my original conclusion. Someone like Howard, with at least a background in hands-on computer hacking (again, not cracking) is relatively difficult to find at that level, and is very possibly a better choice than whoever gets tapped to replace him. That's not to say that if they were to bring in someone with an unimpeachable record of attacking and solving larger-than-enterprise-level security problems, that I would still feel the same. The bottom line is that right now, at this moment, I see that as extremely unlikely. Again, to quote myself:

    "I'm not sure if you could really find someone better to be involved with the goings-on at that level, but I'm absolutely certain that you can find many many worse."

    Right now, until we learn who they select, it's my feeling that they will find someone worse, especially if you're correct and they're just looking for a fall guy.
