One of the biggest differences in the federal cybersecurity landscape over the last two years is the recognition by the most senior leaders of the importance of securing agency, contractor and critical infrastructure systems.
Howard Schmidt, the outgoing White House cybersecurity coordinator, said in his first interview since announcing his retirement May 17 that IT security ranks in every agency’s top five priorities. It’s that acknowledgement that shows both the impact of the White House’s cyber office and the broader change across government.
“It’s now top of mind for everybody who is part of the leadership teams where before it was one of many, many things they had to deal with,” Schmidt said in an exclusive interview with Federal News Radio. “Part of the role as the president established this office is coordinating these efforts. When you are at different levels of a start some need additional meetings and some structure to help them build the things they need to build. When you are coordinating now and in particular everybody recognizes they need to be on the same sheet, how they get there makes life a lot easier for this office to coordinate activities moving forward.”
Two reasons to leave
Schmidt will leave his position in the Executive Office of the President in about 10 days after more than two years overseeing the policy and expanding the structure of federal cyber efforts with the public and private sectors. He said his decision to retire was driven by two specific reasons. The first was the desire to spend more time with his family, which includes a recently born fifth grandchild.
The second reason came down to what has been accomplished so far.
“The biggest thing is I was looking out ahead on what things we may have on tap to do that are in the context of big ticket items and all those things are either pretty much either completed or in a mode where we can get them institutionalized and there isn’t a whole lot of extra work that needs to be done on them,” he said.
Michael Daniel, who spent 17 years working on the budget side at the Office of Management and Budget, will replace Schmidt. The White House cyber coordinator’s office recently added Andy Ozment as a senior director as well.
“Michael is a great guy to replace me,” Schmidt said. “Michael is very much a seasoned professional. I don’t know if there is any advice I could give him that he doesn’t already know himself.”
Daniel comes into an office that is out of start-up mode and has moved to the growth stage, Schmidt said.
“There’s a lot of understanding where this fits into the overall EOP structure and also where the key linkages are,” he said. “What we’ve seen particularly across this part of it, that every directorate, whether it’s a regional or specific functional directorate, now recognizes cybersecurity had to be part of their dialogue.”
Now, the White House office has established those relationships and can build on the foundation, especially by creating standard processes.
DHS authority a ‘sea change’
One such process, which Schmidt credits among the biggest success stories during his tenure, is the decision to give the Homeland Security Department operational authority over civilian agency networks. This includes the use of Cyberscope and the move to continuous monitoring.
“I think that really created a sea change as far as the ability to use Cyberscope and do CyberStats, having departments and agencies come into the White House on a regular basis and not to look at this as sort of an annual report that oftentimes gathers dust, which really doesn’t make us more secure,” he said. “That was the thing that really made a big difference coupled with the attention of senior leadership.”
Schmidt said agency processes to ensure they can identify vulnerabilities, remediate them and recover from intrusions are more mature, which puts them in a better state to protect their networks.
Along with the successes, Schmidt said his only real regret is not having enough time to work on more issues.
He wouldn’t even point to the inability of Congress to pass new cyber laws as a disappointment.
“It’s tough to say it didn’t get enough traction,” Schmidt said. “We worked really hard across the departments and agencies to prepare [the administration’s proposal], and they in turn worked with the private sector folks. No one was 100 percent happy and no one was 100 percent angry about it either. There was a lot of pieces to this that took place. Now we have Congress who has long stated they are interested in finding out solutions. There continues to be discussion about the best way to get that. But I think the thing that a lot of us receive a great deal of gratification from is Congress recognizes they must do something.”
He still holds out hope for Congress to pass a bill this session, but admits it could be picked up in the next session just as easily. Either way, lawmakers understand the need for modernized cyber laws, he said.
As for the future, Schmidt said he doubts he will ever fully retire. He plans to return to the private sector after the summer and consult with companies to try to improve their cybersecurity.
“We have tremendous talent across the government who have really worked hard on these issues,” he said. “It’s particularly gratifying again to see the hard work the people at the departments and agencies do on a day-to-day basis, the ones in the wiring closet at 2 o’clock in the morning that are reading logs over and over, trying to identify if something is indeed a cybersecurity issue or a technical breakdown. It’s wonderful to see them working hard and it’s particularly even more wonderful to see the recognition of the work they do on a day-to-day basis be elevated. With them out there, their expertise, their continued dedication to public service, there is no reason we will not continue to make good progress.”