
Eye2Eye

Tackling cyber security challenges


Former White House cyber security czar Mr Howard Schmidt shares his insights.

Mr Howard Schmidt may have stepped down from public service when he retired as Special Assistant to the President and the Cybersecurity Coordinator for President Barack Obama, but he continues to play an active role in the cyber security community, serving on corporate boards and providing consultation to international governments and private sector organisations. In Singapore recently to deliver the keynote speech at the Information Security Seminar 2012, he shared some of the insights distilled from a long and distinguished career in defence, law enforcement and corporate security.

In the 45 years that you have been involved in security, with the last 25 in cyber security, how has the landscape evolved and what are some of the strategies that we can adopt today to contain the threats?
Over the years, business processes have become more secure and we can identify vulnerabilities much better now. Our ability to stop malware at the Internet service provider or enterprise level has also improved. But we still see people opening infected files which go on to compromise the system.

The pattern of cyber or virus attack has been very much the same over the past five to 10 years. Almost 85-90 per cent of successful intrusions take the same path. A piece of malware, for example, a spear phishing email, infects a system and then goes on to look for vulnerabilities and spreads to other systems on the network.

A lot of this can be reduced with good cyber hygiene, for example, keeping the system updated at all times – the OS and the applications as well. Sometimes we forget that while we do a lot to secure the OS, the applications are akin to the windows to the world. Make sure that the browsers have all the security controls and when we are making a secure transaction, ensure that the “lock” icon is on. When we go to a website, remember that it is always safer to type in the URL than to click on a link.

All these have to do with education, which is why programmes like Singapore’s Cyber Security Awareness Day are important. A lot of people do not understand the various technologies but they have to understand that when they click on something, there are possible consequences.

As for the other 10 per cent of intrusions, cyber security experts can look at what cyber criminals or organisations are doing, identify the attack vectors and close those down. We can reduce the overall impact of vulnerabilities through better information sharing and coordination. If an agency has information on a piece of malware, that same malware should not go on to affect any other parts of the government system.

We need to be meaningfully secure, so that people can conduct business without worrying that the systems are going to shut down. It is about the business processes that we run. We have to build business systems that give people the tools to protect themselves.

What do you see as the main cyber security challenges facing governments today?
In the past 20 years, we have seen how a small threat in one country follows the sun and as the business community opens up, it becomes disruptive globally. The threat lies not only in advanced economies but also in developing countries as well.

A fear I have had for a number of years was that as we provide aid and tools to developing countries and if we do not build in cyber security from the beginning, there is the likelihood of two things happening. The first is that we are creating a new generation of victims because they do not have the tools, political infrastructure or enforcement mechanisms to protect themselves. Cyber security criminals will always be looking for the next generation of victims. It is important for us to understand this as we work with partners to address cyber security threats. The second thing that could happen is that we create another safe haven for cybercriminals. We cannot allow this to happen.

How can governments respond to these challenges?
We need to understand the various roles – the federal government, the local government, the private sector, academia and research community – and how they fit in together with intelligence and law enforcement.

It is also very important for governments to share information with the private sector, especially those who operate critical infrastructure. We recognise this, but at the same time there are certain things that should be shared and others that should not because they have an impact on national security. We have had to build processes to do this, and there is a cultural barrier that has to be overcome. But in my opinion, getting the word out quicker is better than not getting it out at all. We cannot always adjust the threats. Threats will always be there. But we can do with increased awareness, to better protect ourselves wherever the threats may come from.

We have to build our system to recognise the threats we witnessed in the past but also what we expect to see in the future. For example, we are now raising a generation that has not known any communication device other than the mobile device. What implications will this have for personal safety online? We have to recognise where we came from and where we are going.

We do not have to agree on everything to do something. For example, there is a lot of discussion on whether governments should have more control over the Internet, particularly with governments that are just starting to embrace ICT. There are discussions over the role of international non-profit organisations. The Internet has been successful because such organisations have been working collaboratively with multiple stakeholders worldwide. What happens if that gets disrupted? We do not always agree on these issues. But we all agree that we need to do more to boost cyber security.

In your years of experience with defence, law enforcement, industry and academia, what was the most challenging cyber security incident that you have had to deal with?
One week after the September 11 attack, when the country’s focus was still on airplanes and bombs, all of a sudden the virus Nimda hit and shut down computer systems and networks. We had no idea who was behind it.

I was in Washington DC at that time. I was with Microsoft (as Chief Security Officer) and also a Special Agent with the US Army Reserves. When Nimda struck, we had to bring together different groups of people to address the threats – executives and senior leadership from the government and industry, the technologists as well as the media.

Dealing with cyber security has been described as trying to paint a plane while you are in flight. We needed to keep the system running while fixing it, but we also needed to shut down certain parts to stop them from being infected. We had to be very structured in our approach. How do you keep critical systems up and running without creating more problems?

We were fortunate then in that we had an office called the National Communications Systems, where telecom companies came together to deal with issues on a regular basis. We had phone lines to security experts in universities, public sector and the government. We were bringing people together without a lot of structure, to work on different parts of the problem. But they had a common goal – to minimise the impact.

We were able to recover quickly – within 48 to 72 hours. But to this day, we do not know the source or motivation; we only knew the effect. And the potential of that recurring is very real.

The positive side of it is that out of that incident, we recognised that we needed a better structure to deal with such threats. Eleven years ago, the plans that we have in place today were not there.