Howard A. Schmidt joins the board of advisers of instant-messaging-management software company IMlogic Inc. on June 6. Schmidt's security experience includes serving as chair and vice chair of the President's Critical Infrastructure Protection Board. He previously headed up security for eBay, as its VP and chief information security officer and chief security strategist, and for Microsoft, as its chief security officer. He spoke to InformationWeek about cybersecurity.

InformationWeek: Are things getting better or are they getting worse?

Schmidt: It's interesting. "We're getting better" is probably the most correct answer. But I qualify that by saying it's not because the bad guys are making it easier for us. It's because we're, one, recognizing that there are certain things we have to do to be more secure. And secondly, the response of industry in identifying solutions for security issues has been much quicker than it has been in the past.

InformationWeek: User education is a critical component of online security. It also seems like an intractable problem. Is there any reason to be optimistic about the ability of computer users to practice safe computing and to immunize themselves from social-engineering attacks?

Schmidt: I think there is. If you look at some of the advertisements you see on television now, if you look at the way products are made now--I was remarking to someone earlier today about if you go out and you buy, say, a wireless-access point or you buy a cable modem or router, now you're seeing the ones that have antivirus, content filtering, spam protection, not only built into the box but as selling points. We're seeing a lot more awareness and recognition by end users that we didn't see in the past. I think part of it is because industry is advertising security as one of the key functions. I think some of the things, for example, when we did at the White House and we did the National Strategy to Secure Cyberspace, we did town-hall meetings around the country, and it really got the awareness, not only of private sector, the businesses, but also the end users--PTAs, stuff like that.

InformationWeek: The complexity of networked software and hardware complicates users' efforts to do the right thing online. Are vendors doing enough to make it easier for people to use PCs securely?

Schmidt: They are. Back in the '80s, the Michelangelo virus and some of the others were transmitted via disk, as opposed to over the network. In order to combat that you would have go out and install antivirus software. Then you would have to go out every once in a while and get an update for it. Then we started to see the automatic live updates taking place. Then the integrated security suites with personal firewalls, antivirus, all these things being built in to a suite, which makes it much easier to manage and much easier to update. So clearly it's been getting easier for the end user in the security space. It's also been happening with applications and operating systems. When we launched Trustworthy Computing back when I was with Microsoft in 2001, [security] clearly became a priority for Microsoft and Cisco and Oracle and Sun, all the big software vendors. It's been made easier with some of the automated vulnerability-assessment tools, some of the automatic patching tools. It's getting easier all across the board.

InformationWeek: I recently spoke with a professor at Michigan State University about a new information disposal rule designed to curb identity theft that's being enforced by the Federal Trade Commission. She was skeptical about the ability of IT to mitigate identity theft. Her position was that identity theft comes mostly from people in the workplace and that despite years of IT efforts to secure data, it's still a people-oriented problem. Do you have more faith in IT security efforts?

Schmidt: I want to make a clear distinction between crimes that use technology and crime in general. Most times when I talk to IT professionals I talk about the other PPT. Not PowerPoint, but people, processes, and technology. And to the professor's point, she's absolutely correct. Technology is not a panacea but it's clearly a component in dealing with some of these issues. And the people and the processes are an integral part of it as well.

Going back to the fraud issue, back in 1986 when I was a computer crime investigator with the police department in Arizona, we had a group of guys that were criminals. They were fraudsters, traditional con men. At that point we didn't have the restrictions we have now under the Fair Credit Reporting Act and credit bureaus, so basically anybody that had a business could then pull credit reports on people. So these guys opened up a fake travel agency, which anybody could do. And they went out and pulled credit reports--this was before the Internet as we know it today--and they were doing identity theft [and other fraud]. Nowadays, it's the same thing. It's a fraud issue. Just like we've never been able to stop burglaries over the history of mankind, we will never be able to stop fraud 100%. ... We have to make sure that there's the training, the process, and the policy in place to aid the technology to reduce fraud and identity theft.

InformationWeek: An appeals court in Minnesota recently ruled that the presence of encryption software could be viewed as evidence of criminal intent. Any thoughts?

Schmidt: I'm not familiar with the details of the case, but I have heard about it. It's interesting because when we look at the two sides of the encryption coin--this goes back to the debates about encryption in the early '90s--many of us in the security business were saying we need to use encryption. As an example, look at the sort of incidents you hear about at universities, where a laptop was lost or stolen that had all kinds of information on it. And the question is, why wasn't it encrypted? There are dozens of different reasons why people say they don't use encryption, but none of them are really valid in today's world. We should be using it. That clearly does not infer any criminality. As a matter of fact, security people recommend it. We use IPSec, we use SSL, we use all kinds of encryption technologies to enhance security.

But when it comes to the use by criminals in a criminal enterprise--this is the other side of the coin--when we go out and basically you've got someone who's involved in terrorist funding or fraud or child pornography, oftentimes you see those type of folks, you have enough evidence to show that they're committing crimes but using encryption to further hide the evidence. Clearly that's a criminal act and clearly they should be held accountable for that. And if we don't have the ability to decrypt that data, then the only provisions that the legal folks have come up with in the past year is using encryption to facilitate criminal activity is a crime, and not just pure use of encryption somehow infers criminal intent.

InformationWeek: What can the government do that it hasn't yet to improve cybersecurity?

Schmidt: First and foremost, given that 85% or more of critical infrastructure is owned and operated by the private sector, the government, by identifying the National Strategy to Secure Cyberspace, which we did at the White House, by putting out the strategy clearly raised the level of awareness in the private sector that they need to do more. The creation of the NIAC, the National Infrastructure Assurance Council, which is an advisory board to the president, the National Security Telecommunications Advisory Council, once again an advisory board for the president, the Information Security and Privacy Advisory Board for the Department of Commerce and the Office of Management and Budget, all clearly bring to the forefront recognition by private-sector executives that this is a serious issue around national security, public safety, as well as economic viability.

The government has done a really, really good job at using government perspective and making sure people are aware they have a special responsibility when it comes to critical infrastructure protection.

The other aspect, which the government has done, which initially was very worrisome, involves issues of regulation such as Gramm-Leach-Bliley and Sarbanes-Oxley. Of course, Sarbanes-Oxley was not designed specifically for IT security. It was designed around financial controls. And clearly if you don't have good IT security, you don't have good financial control. So that's been very helpful. What the government needs to continue to do is work on continuing to clear up their own internal processes. For a number of years, the government has said, including me when I was with the government, that the government can and should be a model for cybersecurity. And I think the way we've approached it up to now has been somewhat disjointed.

InformationWeek: How do you see the Internet security picture in two to three years?

Schmidt: In the future we will have better segmentation in the online world, very similar to what we see in the physical world relative to what you can do anonymously, as opposed to what you need to have nonrepudiation for, such as doing stock transactions. We will have better granularity around that that will better protect privacy because we'll have better identity management in the online world.