What is a Cybersecurity Czar and is Dr. Howard Schmidt Qualified to Be It?

I was as shocked as most folks who’ve been following the tech goings on of the Obama Administration when I read the surprise announcement this morning’s naming of the President’s Cybersecurity Coordinator.

The man tapped for the job was a certain Howard Schmidt, former Chief Security Officer for Microsoft, and eBay.

My first thought this morning was to research Howard’s credentials, since so many other technology related appointees of the administration have been long on bureaucratic credentials, and particularly short on technology credentials (see: “US CIO Vivek Kundra is the Tip of the Iceberg,” “Obama Administration “Open” to State Run Newspapers,” “My Problem with the Modern Network Neutrality Debate,” and “DC Has Not Changed”).

Dr. Howard Schmidt Seems More Qualified than Most Administration Technology Appointees

Unlike most Obama appointees, Dr. Schmidt keeps an active LinkedIn page, and while it is true that he served as an executive-level security officer for both Microsoft and eBay (as has been widely reported today), it showed that he received his education at the University of Phoenix Online.

It’s a fact that sticks out like a sore thumb when compared to much of the rest of his resume – such an odd fact that I called the University of Phoenix Online to confirm that this was indeed fact. They told me that “Howard Schmidt received a BSBA on 9/30-1991 as well as a MAOM on 4/30/1998,” though that don’t “don’t have a record of an honorary doctorate in ‘humane letters,’” a data point on display in a great number of his online bios (including the Wikipedia and dozens of other places where he’s given public speeches). I was pointed to a video endorsement of the school on display at the University’s Youtube Channel, though no one I’ve contacted for this story can confirm where he received his honorary doctorate from.

This, though, really isn’t the shocking facts we were greeted with during John C. Dvorak’s investigation of Vivek Kundra, where most of the information on his public biographies were flat out incorrect.

It should also be mentioned that while Dr. Schmidt graduated from the University of Phoenix, he simultaneously teaches at Georgia Institute of Technology InfoSec center as well as at Idaho State University’s research center, according to his Wikipedia entry. I’m not sure how that’s supposed to work, and I haven’t heard back from either university yet to get the details, but I assume that one or both of those positions are not actually on campus, particularly since his LinkedIn profiles list his current location (prior to the appointment at the White House) as being the United Kingdom.

Like a great number of Administration employees, Dr. Schmidt has a number of years of purely bureaucratic work under his belt, though unlike others we’ve discussed, his resume isn’t dominated by that experience. Ever since his stint at eBay as security chief, he has either privately consulted, served as startup advisor, or worked in education. It’s hard to say whether or not he’s still up on his technology and security stuff, being so far removed from the day to day requirements of managing security needs for front-line organizations like Microsoft and eBay.

What Exactly Will He Be Doing, Though?

image It’s hard to say with any degree of certainty that Dr. Schmidt is qualified for this position, let alone security work in general. The scope of the job he’s taken today has no clear definition, and overlaps in it’s purview of a great number of already pre-existing departments, advisors and commissions.

Instead of explaining exactly what the position’s purview would be, a blog post from the White House spent 500-800 words the reader personal tips on how to secure their email and personal computers (how to deal with “phishing,” how to update your operating system).

Will the new Cybersecurity Coordinator be the first national help desk technician? If that’s going to be his job, did we need to hire someone who’s a former CSO for the job (though the University of Phoenix degree makes more sense in that context)?

The answer to these questions is unclear, as is the answer to why this job has been moved to a position directly under the President’s reporting structure, as opposed to the formalized position that existed under the Bush Administration (from 2008-2009), where the Cybersecurity Czar reported to the director of the Homeland Security Agency. Either Homeland Security now no longer has a cybersecurity expert, or the reporting bureaucracy has increased within the federal government (and neither possibility would be that surprising).

The last person reported to hold the position was Melissa Hathaway, a Bush-era appointee kept on at HSA by the Obama administration, but she resigned this summer. No successor within the agency has since been reported.

The UK Register says that Schmidt faces a host of responsibility (though no real power):

Schmidt faces a huge swathe of problems, including formulating an updated strategy for defending critical national infrastructure (utilities, transport, banking etc.) from hacking attacks, as well as a plan for raising consumer awareness about risks such as scareware and phishing. He will have to negotiate a political minefield to get anything done, not least because several agencies (including the Pentagon and Department of Homeland Security) are vying for alpha male status in defining federal cybersecurity strategy.

I certainly remember similar responsibilities being ascribed to some sort of promised cybersecurity office during the Obama campaign for president, but no such description was found in official White House communications today, so it’s hard to say what he’ll be doing. Without knowing that, how can one truly say he’s qualified?

More importantly, if the plan for this position was what was described in the Register, wouldn’t this have worked better as a position with an organization that actually has enforcement power like the Homeland Security Agency, rather than as an advisory role for the president?