TechNews.com: National Cybersecurity Strategy
Guest: Security expert Richard M. Smith
Thursday, Sept. 19, 2002
On Wednesday, the White House unveiled its national cybersecurity strategy.
Richard M. Smith joined TechNews.com readers for a special one-hour discussion of the administration's plan. Smith is an Internet consultant based in Cambridge, Massachusetts. He works primarily with the media, policymakers and law enforcement to interpret Internet technologies. He has more than 25 years of experience in the computer software field. He is also the former president of Phar Lap Software and the former Chief Technology Officer of the Privacy Foundation.
Washingtonpost.com staff writer Brian Krebs moderated the discussion.
An Edited Transcript Follows:
Editor's Note: Washingtonpost.com moderators retain editorial control over Live Online discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions.
Brian Krebs: Good morning, Richard and thank you for joining us today. You've spent a good part of the last several years showing companies like Microsoft simple ways to improve the security of their products. The Bush administration has taken some heat these past few days over the lack of meaningful mandates in its cybersecurity plan for the software and computer industry. Yet techie types tend to cringe at the idea of government mandating technology standards. Is there a more active role for the government to play here?
Richard M. Smith: Sure. As a minimum the federal government can use the power of the checkbook. It can make sure that computer hardware and software that it purchases meets basic security standards. Federal computer networks also seem to have a lot of security problems on their own, so the government can lead by example to get some of these problems cleaned up. The Washington Post recently ran a front page story about how easy it was for outsiders to download and view documents from desktop computers belonging to military personnel. The problem is caused by open file shares on Windows PC. This one particular problem seems like a wide-scale problem that needs to be fixed.
Arlington, Va.: An early draft of the White House cybersecurity plan called for appointing a privacy czar. What did you think of that original proposal? Does a "czar" appointed by the president mean much if actual laws aren't being updated? If not a czar, then what?
Richard M. Smith: I hate the term "czar." However, I do think that the federal government needs an adviser for privacy issues. Peter Swire had this role in the Clinton administration and I think that the Bush admin. needs a similar kind of person. There are many different privacy issues that come up not related to laws that need to be addressed by someone versed in privacy.
Brian Krebs: The administration's cybersecurity strategy was released on the one-year anniversary of the emergence of the "Nimda" virus, a particularly nasty piece of code that tried at least five methods for breaking into Microsoft Internet servers. NIMDA caused an estimated $3 billion in damages, and prompted Bill Gates to name computer security a top priority. What basic steps could Microsoft and other industry leaders take to improve the security posture of their products? How likely do you think it is we'll see major changes in the next generation of Microsoft products?
Richard M. Smith: Microsoft needs to do a couple of basic things. First, create tiger teams that attack and attempt to break Microsoft's own products. These teams would work in parallel with the software development teams to attempt to discover and fix problems before products ship.
Second, Microsoft needs to make their software products less programmable. I'm glad to see, for example, that Microsoft has turned off scripting in HTML e-mail messages in all of their e-mail reader products. The bottom line is that Microsoft needs to reduce the number of security risks in the products.
Arlington, Va.: It seems like most of the guidelines in the draft reflect common wisdom in the industry. What do you see in the plan that is anything new?
Richard M. Smith: I don't really see too much new. But it is still good to see the White House talk about this issue, not just computer security people.
Fairfax County, Va.: Should the government be in the business of writing guidelines or regulations for computer security? Do you buy industry's line that the government is incapable of writing rules that wouldn't be outdated by the time industry was asked to abide by them?
Brian Krebs: We've received several questions along this line.
Richard M. Smith: For its own computer purchases, I think the federal government should have some standard security guidelines. I'm not sure if we need new labs mandating computer security, however. Holding companies liable for security problems in their hardware and software products might be a more effective solution.
Silver Spring, Md.: Is there any group within industry -- a company or trade organization -- that "gets it" when it comes to computer security (in your opinion, of course)?
Richard M. Smith: I work more with individuals rather than organizations. I think most people get what the problems are. The disagreements seem to be what are the priorities for solving which problems first.
However, I think everyone agrees that products need to have fewer security problems when they ship from the factory.
San Francisco, Calif.: I know you used to work at the Privacy Foundation. Is there an inherent tension between the need to secure our important systems and the need to protect the privacy of the people who use those systems?
Richard M. Smith: Here's how I put it: Good data privacy needs good IT security. However, good IT security doesn't necessarily mean good data privacy.
But even if data is well protected it can still be misused by a company. Also, security solutions which rely on increased surveillance won't be privacy friendly.
Brian Krebs: So, is it more a matter of Microsoft shipping products with a greater number of potentially vulnerable programs turned off by default, or does the company need to build more affirmative and proactive security tools into the operating system?
Richard M. Smith: Most of the security issues in Windows desktop systems can be fixed by turning stuff off by default. I don't think we need a lot of new technology to be implemented. Here's my quick list: disable Windows Script Host, detune some of the scripting features of Windows Media Player, fix file sharing so that disks don't get shared with the Internet, and tighten up file download rules in IE.
The other thing that needs to be addressed is how to alert the world about these kinds of security fixes in Windows and Office.
Arlington, Va.: Given the toothless nature of the latest draft of the national plan, do you see any improvements on the horizon in our overall electronic defenses? I mean, do the companies that control our critical infrastructure have any motivation (other than altruism) to beef up electronic security?
Richard M. Smith: Holding companies liable for security problems is one motivator. Bad press and social pressure is another. Also other companies can force companies to implement better security measures. Visa, the credit card folks, now have security standards in place that Web sites must adhere to. If companies don't, Visa will stop doing business with them.
Arlington, Va.: Yesterday, Richard Clarke kept saying during the Webcast that the government isn't trying to mandate to industry how to do things, hence the "draft" version of the Cybersecurity Plan. But Alan Paller [of the SANS Institute] yesterday said industry has obviously failed to fix things on its own. Where do you opine in the blame game?
Richard M. Smith: Security problems come at a lot of different levels. We are dealing with poorly designed communications protocols, software products that weren't designed with security in mind, software bugs, products being used in inappropriate ways, etc. It's really hard to blame one single person or group. In general, companies and organizations need to ship products and deploy systems and security takes a back seat. People just don't consider it a priority.
Washington, D.C.: Hi Richard. What do you think is the biggest threat for computer users right now? Is it mischievous teenage hackers, or do you think international terrorists are using home-computers to funnel information?
Richard M. Smith: Microsoft. Their products are just too quirky and require way too much effort to get working right.
On the security front, I don't really see terrorists being interested in home users. So the 15- to 25-year-old hackers are more of a threat.
Frederick, Md. : Aside from using firewall and antivirus software, what advice would you give to the average consumer who's interested in securing their own computers from attack?
Richard M. Smith: If you're a Microsoft Office user, either upgrade to Office XP or download the Office Security Update. Microsoft has done some good stuff in these products to effectively kill Word macro viruses and e-mail worms, which seem to be the biggest problems right now for home users.
Also turn off file sharing or at least add passwords for all shared drives. Most people who have file sharing turned on probably are sharing their hard drives with the whole world and don't even know it.
If one is running a wireless network, turn on WEP encryption. WEP isn't perfect, but it is much better than no encryption.
Alexandria, Va.: I noticed an extensive section on biometrics on your Web site. What's your view on the face-scanning technologies? Ready for prime time yet, or seriously flawed? And what about the privacy implications?
Richard M. Smith: At airports for spotting terrorists, face scanning isn't ready for prime time, IMHO. The US government doesn't have pictures of very many terrorists, for one thing. The other thing is that airport security people will spend too much time tracking down "face positives" when one of these systems flags an innocent person. The face positive rates for these systems are about 0.5% to 2%. That's about 1 to 4 people per plane load. The bottom line is the fiddle factor seems too high for these systems.
Fairfax, Va.: Mr. Smith: How serious is the continued threat to cybersecurity, now that we have to wait longer for a FINAL cybersecurity plan? What are we losing by this extension?
Richard M. Smith: Securing computer networks is an ongoing process. It started many years ago, so delaying this report doesn't really affect this either way.
We make do anyway with insecure systems quite successfully. The credit card system is hardly a great example of a well-designed security system, yet it will continue to exist with ongoing fraud problems -- which become the cost of doing business. However, the increased ID theft problem may change some of the equations to force better security in applying for and using credit cards.
Alexandria, Va.: Back to biometrics. Do you think face scanning, red-light cameras, etc. are violations of privacy?
Richard M. Smith: Yes, I do. They are surveillance systems that I don't think have a place in this country.
However, there are many valid applications of face scanning. Building access is one. Detecting people getting multiple drivers licenses is another.
Brian Krebs: You mentioned the need for laws that would hold companies liable for shoddy security. Would something along the lines of the Y2K "disclose and fix" model work today, or do we need stronger disincentives for companies that make products with poor security?
Richard M. Smith: Maybe more along the line of a private right of action. Where affected parties can go after vendors.
Vienna, Va.: Mr. Smith, seems to me that you want it both ways. You can't hold private industry liable for security infractions if it is not allowed to make those security regs (or at least have a say in them). If government - be it Congress or the administration - forces industry to adopt its own set of regs, then government is going to have to be responsible if it doesn't work out. If government balks at this, it could be on the receiving end of an unconstitutionality suit.
Richard M. Smith: The Nimda and Code Red worms were both a result of buffer overflows, that is, product defects. These worms cost industry, universities, and governments a lot of money to fix. The question in my mind here is whether Microsoft has any obligations to address these problems beyond just providing patches to the software.
Mill Valley, Calif.: Do you think it will take a major security breach -- one that takes a big bite out of several companies' bottom lines -- to spur real attention to security in the corporate world?
Richard M. Smith: We have seen security improvements in software products after many of the high-profile worms such as Melissa, ILOVEYOU, Nimda, etc. hit the Internet. It's natural for human beings to try to fix problems after it is obvious that they can actually occur.
Bethesda, Md.: What is your opinion about open vs. closed software... do you think one is inherently safer than the other?
Richard M. Smith: I think it is a wash because the arguments go both ways. Open source in theory has more eyes looking at it to spot security problems. However, in theory open source also lets the bad guys spot problems.
Brian Krebs: That about wraps up our time for today. Thank you, Richard, for your time and insights. Thanks also to everyone who made this discussion such a success!