Cybersecurity: Strategies for Internet Security Post-Sept. 11, 2001
Guest: Scott Charney, Microsoft Corp.'s chief security strategist
Tuesday, Sept. 17, 2002
| Cindy Webb |
A draft of the Bush administration's blueprint for cybersecurity asks both consumers and corporations to work to ensure that their computers and communications systems are secure. The White House IT security effort is already raising questions about consumer privacy, industry liability and who should cover the costs of protecting corporate networks. (For background, read "Administration Pares Cybersecurity Plan," from the Sept. 10 Washington Post, and "White House Slows Cybersecurity Planning" from washingtonpost.com.)
Corporate America is often at the forefront of debates about Internet policy and security and Microsoft Corp. is no exception. Microsoft recently hired a new chief security strategist, Scott Charney. Charney oversees Microsoft's strategies to boost security in both the products and services that the software giant sells. In his role, Charney works closely with computer industry leaders and the federal government on issues related to computer security.
Scott Charney was online on Tuesday, Sept. 17 to take questions about the nation's current cybersecurity landscape as well as Microsoft's work to reduce computer hacking and attacks in an effort to better secure personal computers. Washingtonpost.com's Cynthia L. Webb moderated the discussion.
Scott Charney is in charge of Microsoft's Security Strategies Group and is a member of Microsoft's Trustworthy Computing leadership team. Previously, Charney was a principal at PricewaterhouseCoopers, where he led PWC's cybercrime prevention and response practice. He was chief of the Computer Crime and Intellectual Property Section in the Justice Department's criminal division before joining PWC. He recently testified before Congress on cybersecurity -- read his testimony here.
An Edited Transcript Follows:
Editor's Note: Washingtonpost.com moderators retain editorial control over Live Online discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions.
Cynthia L. Webb: Thanks again for joining us today, Scott. I'd like to open our discussion by addressing cybersecurity news in the headlines today. The White House was to announce a cybersecurity blueprint tomorrow, which was expected to have implications for many software companies and security players. But now that plan has been scaled back to a draft that calls for more input from industry. What do you make of this change and how do you think any proposed guidelines from the government will eventually affect Microsoft?
Scott Charney: First of all, I think that this approach of releasing a draft plan is a good idea because it gives everyone a chance to comment, not just industry. The plan addresses almost every level of user, from the home user to industry to the government. The actual implications depends on what the plan ultimately looks like.
Cynthia L. Webb: One of the current White House cybersecurity policymakers, Howard Schmidt, was your predecessor at Microsoft. Do you feel your role leading Microsoft's security strategy, as Schmidt once did, gives you more insight into what is going on out of Washington as it relates to cybersecurity? And how has your company been adding input to the current cybersecurity "draft"?
Scott Charney: Certainly, my prior experience at the Justice Dept. gives me insight into how the government works and what the issues are from the government's side. Now, being at Microsoft, I get the industry perspective, which is of course different, although both government and industry share many concerns. As for Microsoft's input on the plan, we did respond to the 55 questions that were circulated for public comment on critical infrastructure protections. We also work with other industry groups, such as the Partnership for Critical Infrastructure Security and the Information Sharing and Analysis Center. So we also provide our views to the government through those industry groups.
Cynthia L. Webb: But does Microsoft plan to change any of its products to fit with any proposed guidelines that do come out from the White House or expect product sales to be affected by a new focus on having products and services that are more secure?
Scott Charney: Since January, when Bill Gates issued his trustworthy computing memo, we have been changing the way products are designed and developed. For example, in the Windows platform, we stopped development for roughly 8000 developers for two months so they could focus on the security of the product. Microsoft's concern about security of products and security of the infrastructure has already been reflected in the steps we have taken and will continue to take moving forward. We think this is very much in keeping with the spirit of the plan, but as to more particular changes, we have to wait and see the final plan and what the government attempts to do next.
But markets are demanding security and we think products are best developed in response to market demands as opposed to government regulation because the latter tends to be inflexible.
Silver Spring, Md.: What do you think of the job that Richard Clarke and Howard Schmidt are doing at the White House these days? Is there really a way for the government to take the lead on improving national cybersecurity? Should industry be taking the lead on this, given that it's in their economic best interests?
Scott Charney: I think the answer is that both government and industry have a huge role to play. The government actually plays many roles because as a purchaser of products, they are part of the marketplace. They can also lead by example by doing good security at federal installations. They participate in the standards processes and for example they are responsible for enforcing cybercrime laws.
Industry has its role to play, as it responds to threats and needs to develop secure products, make them easier to deploy securely and make it easier to maintain security over time as threats changes and vulnerabilities are uncovered.
Sydney, Australia: Mr. Charney, President Bush has said that a key focus is to ensure the security of the nation and the security of infrastructures. With that in mind, it would appear that Microsoft has done little to put the minds of the enterprise at ease by ensuring that security flaws in products such as Win 2K and XP are fixed prior to release. Is it Microsoft's intention to guarantee the safety of Microsoft SOE's deployed within government and the enterprise if they are breached because of the existing "known" security flaws?
Scott Charney: The short answer: Microsoft is committed to securing its products by design and by default, which means products will increasingly be shipped in a locked-down, secure state. And Microsoft is absolutely committed to quickly patching vulnerabilities when found. The difficulty is, software tends to be very complex, and today it's virtually impossible to release bug-free software. But we are also working on long-term research, along with others, on how to build more secure software and keep it secure.
Cynthia L. Webb: Scott, you mentioned the Trustworthy Computing memo. You work closely with this initiative within Microsoft. Can you detail some more of your work in that area? And do consumer and customer concerns lead your team to make changes in this area to bolster secure products and services?
Scott Charney: Trustworthy computing has four pillars: reliability, security, privacy and business integrity. In my role, I focus on the security pillar. Some of the things we are doing include: much more extensive design reviews, threat modeling, code reviews, and penetration testing. The goal is not just to find a flaw that can be fixed, but also to examine the process that allowed the flaw to enter the product in the first instance.
Bethesda, Md.: Microsoft has said in the past that its software was never set up to be secure. Has that opinion or statement changed?
Scott Charney: Yes, we have now said that security is job 1 and that security is now more important than enhancing the features of products. So this is a significant and important change.
Lexington, Ky.: Do you think the government should set regulatory standards for software security?
Scott Charney: The answer is no for a couple of reasons. One is that the standards process takes a long time, but products evolve quickly. Second, it's hard to modify standards, and we need to be flexible to address new threats. Third, it assumes that the government can actually determine across the board and for long periods of time what the best security is. In fact, it takes more than just the government, but users from across the board to input into the security process. The risk from setting standards is that you may stifle innovation and end up with a less secure environment.
Cynthia L. Webb: Microsoft has been criticized for its products having holes that have led to various cyberattacks (such as e-mail viruses spread through Outlook). Since your company's software is so widely used, do you think the new plan should address some of these concerns, such as the speed at which patches and security alerts are issued?
Scott Charney: The answer is yes, that's an important topic. Having said that, it's important to note a few points. One is that if you look at reports that look at vulnerabilities in products, Microsoft's products are as secure as other products on the market. Having said that, we have a larger responsibility that comes with our market share. But we also have a very robust response center. The challenge is that when a vulnerability is reported, you must do two things in particular that are in conflict. One is that you need to get the patch out quickly, but two you have to test the patch thoroughly to make sure it really fixes the problem and doesn't cause new problems. So there's a natural tension, because the more you test, the longer it takes to release the patch.
Alexandria, Va.: Should software firms be held liable for security flaws in their products?
Scott Charney: Liability of software is actually a very complicated issue, in part because software is so complex that passing regulations that say 'It shall be secure' will not make them secure. So the question becomes, 'What is the purpose of imposing liability?' and 'What does it do to actually increase security of products.?'
Most people who talk about product liability in software today are saying it's necessary to encourage industry to build secure products. But as can be seen from the Trustworthy Computing Initiative by Microsoft and the work of many other companies, they are already working diligently on security issues.
The second part is that assuming there is software liability, how is that liability funded? One option is to increase the cost of products to cover litigation and award expenses. But that makes software less available by raising its cost. Another possibility is to fund the expenses out of profits, which means it comes from investors. The third possibility is to reduce internal costs such as salaries and equipment which results in less secure products because you are not hiring the best people and giving them the tools they need to do security right.
So, I think it's a complicated issue that people need to think a lot more about in terms of the pros and cons.
New York, N.Y.: Please comment on whether the closed source model has inherent weaknesses in security. Are vendors incented enough to spend on improving security? How does this compare with the open source model "all bugs are shallow?" Is there a happy median?
Scott Charney: First of all, there's a lot of debate over whether open-source or proprietary code is inherently more secure. And there are arguments on both sides. With that said, there may be a happy medium that is reflected in part by some recent Microsoft approaches. Although our code is proprietary, we have a shared-source program where large enterprise customers and academic institutions can sign a non-disclosure agreement and have access to our source code.
So, it's proprietary, but many eyes are looking.
Cynthia L. Webb: You co-authored the original Federal Guidelines for Searching and Seizing Computers and other guidelines during your days as a Justice Department attorney. How do you think laws like these have impacted computing and security issues? Have they ended up impacting the industry at a level that you expected?
Scott Charney: We knew at the time that these documents would be extremely significant, but I think the impact has also been extremely positive because what we did, essentially, is create best practices for the law enforcement community. Those best practices included an understanding of how IT systems were critical to the business environment, and so balanced the needs to protect public safety with the needs of victims whose computers contained evidence.
As an example, the preference asserted for on-site searches, which reduces the need to seize computers and disrupt businesses, reflects the balance.
Cynthia L. Webb: Can you talk a bit about your day-to-day role at Microsoft? What is a typical day for you?
Scott Charney: First, I have to confess there is no typical day. But my job has two components. The first is figuring out ways strategically to improve the security of products and services working with the various product and service groups. For example, my staff might work on the design of a product using their knowledge of security to supplement the knowledge of security that exists in a particular group.
The second part of my job is working on critical infrastructure protection issues and making sure that Microsoft is playing its part along with other members of industry in forging a productive partnership with the government.
Cynthia L. Webb: How do you think Sept. 11, and the increased focus on the need for better security both online and offline, has affected the work that you do and development that Microsoft is undertaking?
Scott Charney: I think the most significant effect of 9-11 in the cyber world, since it was not a cyber-based attack, was to force us to re-examine the threat model and also think about how physical attacks, if combined with cyber attacks, could pose a new and more significant threat to our infrastructures.
If on Sept. 10 someone had asked, 'What is the risk of four planes being hijacked, three hitting buildings and the World Trade Center collapsing?', most people would have put the risk at close to zero and not taken steps to directly counter that event. On Sept. 11, that risk was 100 percent. And that forces people to rethink everything.
Cynthia L. Webb: This is a follow-up from the reader in Sydney. Is it the view of Microsoft that a global Security Identification Framework should be developed to ensure appropriate levels of response to breaches?
Scott Charney: I would agree. In the United States, we have set up information sharing and analysis centers to share information on threats, vulnerabilities and how we can use this information to proactively do a better job of mitigating our risks. Internationally, there are efforts underway, such as the Council of Europe convention on cybercrime, to help harmonize our legal regimes so action can be taken against hackers. And there are also groups like the Forum of Incident Response and Security Teams (FIRST) that share vulnerability information and fixes so that the security of our networks can be enhanced. These types of international efforts are critical because the Internet is global.
Baltimore: When you look down the road 5 to 10 years, what scares you the most?
Scott Charney: I think a couple of things. One is that computers will continue to control in even greater ways all the infrastructures upon which we rely. Many of these machines will be in un-managed environments, and the sophistication of those who would do harm will continue to increase as more people become computer literate, and perhaps hostile groups such as terrorists devote additional resources to thinking about the possibilities of cyber-based attacks.
Washington, D.C.: Microsoft is touting its Passport service as a secure way to use the Web for a variety of commerce and communications activities. How confident are you that Passport can't be hacked into or disabled?
Scott Charney: We have devoted significant resources to Passport security. And as you may also know, Passport was recently the subject of an agreement between Microsoft and the Federal Trade Commission. As part of that agreement, we have certain obligations that include an independent, third-party audit of our security. So, there will be an objective measure of how we are doing in the future.
Cynthia L. Webb: How much does your security team work on Passport or is this a separate division?
Scott Charney: There are people who work in Passport who are responsible for the security, but I also have three people who are involved in the security program.
Los Angeles, Calif.: Did you ever work for the FBI?
Scott Charney: No, I worked for the Dept. of Justice as a prosecutor in the Criminal Division. The FBI is a different part of Justice.
Cynthia L. Webb: You have quite an experienced background in both law and security from your days before Microsoft. Can you talk some about the experience of your other team members? Who are some of your group's key players?
Scott Charney: My team here comprises of computer security professionals as opposed to lawyers/prosecutors. I have a couple of folks with PhDs in computer science and they come from a variety of past experiences, from industry to academia and are well-known in the security industry.
For example, David LeBlanc recently published a book with Mike Howard on writing secure code, which was used extensively during the security push and they are now writing the 2nd edition.
Cynthia L. Webb: I assume the reader is referring to fears related to cybersecurity. As a follow-up, what do you think are the major threats at this time to critical infrastructures?
Scott Charney: I think one of the most serious threats now is a combined physical/cyber attack. During 9-11, it was the telecommunications infrastructure that was critical to emergency response, as well as the people responding. But those people needed a way to be coordinated. Had there been an attack on the telecommunications infrastructure at the same time, the response would have been even more difficult.
Cynthia L. Webb: I have some questions from readers asking about conflicts of interest with a company as large as yours being involved with shaping cybersecurity policy, when any changes could potentially have a positive impact on your business. What's your response to these criticisms?
Scott Charney: It is not really a conflict of interest problem in a legal sense, but the questioners seem to be highlighting a different issues, which is: There can be competing concerns in any debate. For example, as a large company that has a responsibility to shareholders and to be profitable, one would not spend a million dollars to protect a $10 asset. On the other hand, the government may at times see a need to do things that are not supported by market forces. Market forces could not justify the expenses incurred during the Cold War, for example. So we taxed the populace as a whole to pay for something in the public interest.
They key point, I think, is that Microsoft has to be concerned about a wide range of issues, including public safety, including our national security, including working to secure our infrastructures against those who would harm them. But at the same time, Microsoft has to do it within a market-based framework. That can be where the tension lies.
Cynthia L. Webb: Since so many of the ways we communicate, via the Internet, cell phone or hand-held wireless devices, are intertwined, what are some things you suggest consumers do to better secure their own hardware and software?
Scott Charney: Obviously, there is a range of different devices mentioned in the question, but as a general rule, what users need to do is take reasonable steps to secure their own computers and networks. Some of those steps include: Using robust passwords, encrypting their data in storage, encrypting their data in transmission, applying patches when they are made available by vendors, and even more mundane things like not sharing passwords with others and making sure no one is looking over their shoulder when they enter their calling-card number into a pay phone.
Cynthia L. Webb: Is Microsoft doing any type of consumer-reaching campaign to talk about security measures that can be undertaken to ward off computer threats and the like?
Scott Charney: Yes, we are part of the groups that promote messages on safety online, like Stay Safe Online. And we are frequently talking to groups on all levels about what Microsoft is doing and what others need to do to be secure. For example, an individual may wish to visit www.staysafeonline.info or www.cybercitizenship.org.
Fairfax County, Va.: How closely does your company work with the U.S. government and government abroad to fight or deter cybercrime? Can you offer some specifics?
Scott Charney: We do work very hard with both U.S. and foreign governments in securing infrastructures and addressing cybercrime issues. For example, proactively, we have worked with groups such as the G8 sub-group on high-tech crime to help develop better relations between industry and governments on cybercrime response issues and to give them a better understanding of how expected changes in technology may affect their mission in protecting public safety. Additionally, we may give governments specific information in relation to a particular investigation, but only when they produce judicial process to ensure compliance with laws.
Cynthia L. Webb: What have been the differences for you working in the public sector and now working for a company as large as Microsoft? And how did you make the switch? Were you recruited?
Scott Charney: First, it's interesting how large organizations are similar. And because the issues I'm involved with are similar as well, it has been an easy transition. It's worth noting that when I left the government, I spent 2 years as a cybersecurity consultant at PricewaterhouseCoopers. That gave me an opportunity to better understand the business pressures surrounding the implementation of security, since in the government one pursued prosecutions of merit without concern about costs. Put another way, if someone did a bad thing, you would investigate and prosecute rather than do a cost-analysis to see if you could afford the process. By contrast, businesses do need to consider some issues that the government does not. So, my time in the private sector has in part been familiar territory, but also given me an opportunity to learn new things and how to balance different interests.
Cynthia L. Webb: You testified before Congress in July. What was that about?
Scott Charney: That was a cyberterrorism hearing and the testimony related to the threats posed by cyberterrorists and what Microsoft is doing to enhance the security of networks.
Cynthia L. Webb: Scott, what aspects of security tie into the .NET initiative?
Scott Charney: The .Net initiative envisions a world where people are empowered by having access to their data at any time, from any place with a variety of devices. This means a mobile population that may be connecting over land lines, wireless devices. Since security may only be as strong as your weakest point, the .NET initiative needs that we need to consider every aspect of security and think about security in this new inter-connected model.
Cynthia L. Webb: How do you keep up on all the changes in your industry? There seems to be a cross-section of a number of focus areas with your jobs -- policy, legal and technical. What's your secret to staying informed on such cutting-edge issues?
Scott Charney: Giving up sleep. Actually, it is very hard. And no one person could do it. Fortunately, Microsoft is an organization with great depth, with many knowledgeable people throughout the organization. By relying on the security experts and the legal and policy experts, one can get their arms around the problem, although it is indeed difficult.
Cynthia L. Webb: The economic downturn in the IT sector in particular has hit many companies hard, presumably some Microsoft partners. Has this affected your team's ability for making new developments or has your group remained unscathed from economic changes?
Scott Charney: Actually, my group has been growing and that reflects Microsoft's commitment to security. There is no doubt, however, that from a broader industry perspective, weak economic times may reduce R&D funding and the ability to invest in new products. And to the extent that security is part of that equation, that can be a problem.
Cynthia L. Webb: Scott, if you could give Richard a few pieces of advice, what would it be?
Scott Charney: I think the Administration has done a good job of raising the level of awareness of this issue. I think the important thing to move forward is to balance substance and process. There are a lot of important things that we need to do, and there are still many tough questions that we need to discuss. But we certainly need a process that sets clear target dates and milestones so the nation can continue to move forward and do it not just well, but also quickly, because the threat is real.
Thank you Cindy and all the users for providing me the opportunity to discuss this important issue. I look forward to attending the event on Wednesday where the draft cybersecurity strategy will be release. Thank you.
Cynthia L. Webb: Thanks again, Scott, for joining us. And readers, thanks for tuning into our Live Online with Scott Charney of Microsoft. Have a great day.