Appointed one year ago by President George W. Bush to lead the President's Critical Infrastructure Protection Board, the former chief security officer at Microsoft is a recognized pioneer in the field of computer forensics and computer evidence collection. As coordinator of all federal activities related to the protection of the information systems and networks that underpin the nation's critical infrastructure, Schmidt is convinced that post-Sept. 11, cybersecurity will transform the information technology world--for better or for worse.
News.com Vision Series 3: Twenty minds on tech's future
We will see the widely accepted use of two-factor authentication (which requires people to identify themselves using two unique factors, such as a password and a digital certificate) or smart cards. What most of us use now is a user ID and password. That's traditionally been a weak point in authentication systems.
Also, we will see a proliferation of solutions that make dealing with security vulnerabilities less painful. This includes things like automatic patch installation and more information on what a patch does, so people can identify whether or not it will break an application they have.
I expect to see increased use of encryption through the Internet, with virtual private networks (VPNs) and IP Security Protocol (IPSEC). We'll never see a system that's 100 percent perfect, but using encryption reduces the risk, for home users, of credit card numbers being stolen and private information being infringed upon. Can I have a fourth prediction?
Sure, what is it?
There will be better quality-control in commercial software because of the emphasis people are placing on developing more security in products.
What makes you so sure?
Businesses and government are demanding more secure products. Security is becoming a procurement requirement--a mandatory requirement that people are placing on vendors, because we won't buy their product otherwise.
But do most people really have a choice if, say, Microsoft doesn't deliver the kind of security users want?
Sure, there are lots of choices. There's the Macintosh OS X; there's Linux. There are alternatives out there.
The unfortunate thing is that everyone has to be moving in that direction (of more secure products). That's what I see will be taking place. Any student of Business 101 would understand that if that is what the market is demanding, that is what the market should be producing.
From the consumers' perspective, unless we can start trusting the IT environment, people won't be using it. Why would you jump in a car and drive if every time you drove it, it broke down?
Will security breaches become fewer or will they increase?
They will increase over the next few years, because there will be a larger number of people online who are shifting to an "always-on" environment.
What's "always-on," and why does that mean more security problems?
It's people using cable modem and digital subscriber line (DSL) Internet services. The reason that introduces more problems is that the more people you have online at any one time, the more exposure you have to security breaches.
As the technologies you described become more widely used, will cyberattacks decline?
The number of successful attacks will go down over time.
What kind of impact will the National Strategy to Secure Cyberspace proposal have on computer security?
It's already starting to have an impact. As we bring security-related issues into the national limelight and the national debate, the vendor community, business owners and operators, and people who use digital control systems for critical infrastructure all have recognized that they need to do certain things differently. They've been proactively implementing some things in the
You guys have been taking some heat for this plan. People say it's a paper tiger--that it's too full of compromises and that it won't change anyone's approach to Internet security. What is your response to the critics?
We believe it will effect real change. I don't think the criticism is fair. People are doing an awful lot, but it's not going to happen overnight.
What about government regulation of computer security? Is there a place for that?
I don't think it's the government's place to regulate the Internet. I don't think you'll ever see something called the Internet Security Regulatory Agency. We don't see a need for it, and we don't see it being in the best interest of the networked environment. It's better to use market-driven forces, not government mandate.
Will the federal government ever enact legislation spelling out the liability for damages caused by lax computer security?
No, I don't see that at this point.
Why?
The government shouldn't be meddling in what goes on in private industry, because it has a chilling effect on the ability to innovate.
How serious is the threat of cyberterrorism?
We don't use the term "cyberterrorism" in our office. It conjures up something related to physical terrorism. We've seen (virus) attacks like Code Red, Melissa and the Anna Kournikova virus that have adversely affected our ability to do e-commerce and communicate. But the bigger concern is that there (might) be a physical attack that affects life, limb and property at the same time as an attack on 911 (emergency services) or (on) our telecommunication infrastructure, affecting our ability to respond.
Are we headed for a devastating attack on the Internet or on other critical computer networks?
If you had asked me that question two years ago, I would have said there was a potential for that. But in the past two years, we've come a long way, to be more secure and be more reactive (in responding) to things that happen.
It's also tough to define "devastating." Could we sustain another Code Red that's as disruptive? Yes. As far as something devastating, if we continue like we're doing, we reduce the chances of that every day.
In what way have we come a long way over the last two years?
There is a big community of executive support--chief executives are becoming more aware of security issues. That's not to say everything's fine. But I've heard cases of business execs postponing deployment of IT infrastructure that would have been insecure in order to improve the security. Businesses are funding groups they wouldn't have funded before.
What kinds of things are they funding?
Security directors and security officers in corporations have lamented that they are just one of many cost centers vying for attention. Now they are being consulted by the (corporation's) business units.
Will the government ever do a better job of catching cyberattackers?
It's tough to tell. There are so many variables, such as where in the world the hacker may be coming from. It's not so much a factor of technical limitations as it is (of) legal limitations. But we will get better. If we didn't have so much other noise we had to deal with, we'd do better. It takes a lot of time and resources to investigate those things, whereas so much can be done to prevent them. I say let's keep these things from happening, so we can focus on the really serious offenses.
Will security firms and corporations come up with the secret weapon that turns the tables on cyberintruders and thus banishes illegal hacks to memory?
No, I don't think so. As long as we have an environment designed to be open, to foster collaboration and (to) do online purchases, people will continue looking for weak links in that. I don't think there's much likelihood (of) eradicating it.
What will be the biggest wild card in Internet security?
One hundred ten million users--that's the biggest thing we have to deal with. The difficult thing is we have such a great dependency on computers, and they do so much for us, but few people understand them well.