[ISN] Microsoft: Secure out of the Box?

From: InfoSec News (isnat_private)
Date: Wed Dec 19 2001 - 22:42:40 PST


    December 14, 2001 
    By: Paul Coe Clark III 
    Howard Schmidt is chief security officer at Microsoft. He recently
    testified before the House Subcommittee on Commerce Trade and Consumer
    Protection about the state of Internet and computer security. We
    tracked him down later to ask him about, among other things,
    cyberterrorism and Microsoft's level of responsibility for the
    success of large virus attacks.
    Schmidt served in the U.S. Air Force, the F.B.I., and local law
    enforcement. After Sept. 11, he was called back to active duty with
    the Joint Task Force for Computer Network Operations, the Department
    of Justice and the FBI's National Infrastructure Protection Center.
    Q: In your testimony the other day, you listed a series of industries
    at risk for cyberterrorism or electronic intrusion. One of those you
    listed was telecom. What weaknesses are there in the telecom industry
    that haven't been addressed?
    A: I think it all revolves around the people and the process. I don't
    know that there's a specific weakness. I think, generally, that the
    concern we have, as the industry partnerships, is: are we all
    prepared, as the owners and operators of the critical infrastructure,
    to be able to respond to three major areas of concern for the value of
    the country. There's the national-security piece, which we saw,
    responded in 9/11. There's the law enforcement/public-safety piece,
    which has some relation to 9/11, but also we've seen in other venues,
    even simple things like when an ice storm knocks down the ability to
    communicate. The third thing is the economic viability of the nation.  
    And that's our ability, because so much has been built, from an
    economic standpoint, around the technology piece.
    I'll cite a telecom component during 9/11. I was in D.C. You're based
    in D.C., aren't you?
    Q: Yes, I am, right off K Street, three blocks from the White House.
    A: So you know what it was like. I don't know if you tried to use a
    mobile phone, or you saw people lining up at the payphones, only to be
    able to get no signal. Those are the sort of things that we probably
    need to have more redundancy issues and have some resiliency on...
    Q: Capacity issues...
    A: Right.
    Q: Oddly enough, I worked the whole afternoon. I think I was the only
    person in downtown Washington, and I had no problem getting people on
    the phone. I was just blessed, I think.
    A: I was up at the Capitol, and I tried my darndest to get my cell
    phone working, and had no success. Interestingly enough, when I got
    down to Northern Virginia, outside some of the towers, I was able to
    call around the company with little or no problems.
    Q: How big a cyberterrorism threat is there? Let me define that a
    little better, because it's a meaningless question in some ways. How
    severe a threat is there of an Internet-based attack that does
    widespread economic or functional damage by a state-sponsored group or
    an independent group of terrorists, as opposed to the normal
    intrusion, denial-of-service attacks and virus problems we usually
    A: That's a tough question to answer, because I don't know if that
    question's been asked in all the appropriate circles. If you look at
    everything from Sen. Nunn's hearing, back in 1997, to the report of
    the President's Commission on Critical Infrastructure Protection, one
    of the things that they look at is the availability of being able to
    do harm relative to the cost. So when you talk about the actual threat
    piece of it, the cost is relatively insignificant. It's a piece of
    code that you write to go do something bad, and now the availability
    of those sort of things is very widespread. People have computers in
    their homes, connected to DSL and cable modems, so the cost of the
    ability to do damage is down. The availability, by having a lot of
    systems out there to attack, is up, so that puts a threat picture out
    there that's more viable than it was a few years ago.
    Q: Like leveraging box cutters to take out buildings.
    A: That's correct. That was a relatively inexpensive way to create
    havoc. And if you do that on the electronic piece of it, some of the
    threats that are out there, we really don't have a handle on how viable
    they are, but we can do some modeling, and building of threat
    scenarios, to see, given what tools we know are available to be
    applied with malicious intent, how much damage can be done.
    Q: But do we know of any states or groups that have cyberterrorism
    efforts underway?
    A: I think, publicly, what we know is that there have been a number of
    nations that have created information-warfare groups, and they've been
    fairly public about it. But as far as anything beyond the
    cyberhacktivism we've seen, I don't know if there's been anything
    publicly discussed about state-sponsored cyberterrorism cells out
    there, if you would.
    Q: Give us the Reader's Digest one-paragraph description of IT-ASAC.
    A: The IT-ASAC is a group of some of the key owners and operators of
    the infrastructure that belong to the IT community. It's a group of us
    that put aside any competitive differences to share information on
    best practices and vulnerabilities anonymously among each other to
    maintain the viability of the critical infrastructure. We also develop
    mechanisms to share that with the government as a sort of
    early-warning system, using our collective 24-by-7 information centers
    and the collective knowledge and expertise of our companies.
    Q: You're the chief security officer of Microsoft. Explain for us a
    little bit how security fits into the Microsoft corporate structure.
    A: I think security is recognized as the number-one priority across
    the company. That goes not only to operational security and securing
    our assets, but also to product development. In my role, I report to
    the CTO, and I have Advanced Security Strategy Group, which works on
    security architecture, security auditing, incubation of
    security-related tools and security policy across the company that
    transcends the operational groups as well as the development groups.
    Q: One of the things that you took a position on in your testimony was
    on openness and security, in terms of being against people publishing
    exploit codes to point out weaknesses, which in some sectors of the
    software-development community is considered a good thing.
    A: What we're relating to is responsible reporting, and there's a
    difference. In some cases, it's tantamount to screaming "fire!" in a
    crowded movie theater. Responsible reporting means if you find a
    vulnerability, you contact the person in the best position to fix it,
    normally the vendor of whatever the product is, give them all the
    information possible so that they can create a fix, and then go out
    and get the fix installed, as opposed to going out and telling
    everyone that everybody in this one apartment complex doesn't lock
    their doors or leaves their keys in their cars, which then opens them
    up to malicious attacks.
    Q: I was at a cybersecurity event last night. I don't know if you know
    Richard Forno, CTO of Shadowlogic?
    A: Yes, I do know Richard.
    Q: He said his theory was "D3": "declassify, demystify and diversify
    (software)." All three of those things are not things associated with
    Microsoft. Is that a policy you'd take issue with?
    A: I think any time we find any security vulnerability, we're one of
    the best in the industry to notify people of the details of them and
    give them the details to get it fixed.
    Q: Microsoft, traditionally, though, although less so of late, has
    been known for having a relatively closed security-reporting and
    bug-reporting system compared to the *NIX and open-source communities.  
    Has that changed, and how much?
    A: Well, for one I think it's a misperception or an undeserved
    reputation. One of the things I hear most often is that people
    responsible for these things at their companies say they're seeing too
    many of these things. I don't think it's an issue about open-source, I
    think it's an issue about responsibly, once somebody reports
    something, we have to replicate what they've reported to make sure
    it's a product-security issue and not some hardware problem they've
    got, or some incompatibility with some other application they've got,
    to replicate that, analyze that, and put the patch out. I don't know
    of any time in the four years I've been here that that hasn't been a
    priority. It's probably a misperception and mischaracterization of our
    Q: Today, some of the states came back with a proposal for opening up
    Microsoft code. What effect would that have on security?
    A: [Explains that he is not involved in antitrust issues] I think the
    position has always been that you check the final product for
    vulnerabilities. Because there's a whole lot of open source out there
    that, day after day after day, there's more reports of
    vulnerabilities. I think it doesn't make any difference whether it is
    open source or closed source, it's a matter of identifying them once
    the product is released.
    Q: How much of computer and network security should be handled by
    technology and how much by law enforcement?
    A: Law enforcement's role is very much a reactive role. After
    something bad happens, then they come in, and I think they have an
    extremely vital part to help investigating these things to deter
    people from attacking these systems. But the idea on the front end is
    to use the people, the processes and the technologies to prevent these
    things from happening as much as we can, and if there's something we
    can't handle, law enforcement comes in and identifies those that have.
    Q: I assume from your testimony that you guys supported the language
    in the USA PATRIOT Act on cyberterrorism and intrusion. Are we in
    danger of over-broadening the standard for calling something
    cyberterrorism to include routine exploratory intrusions and port
    scans and other minor events, in the heat of the moment after Sept.  
    A: I have met with a number of attorneys both in the corporate world
    as well as the justice world, and I don't see that's the case. I think
    all the changes that were made in the USA-PATRIOT Act relative to
    online surveillance, relative to any cyber-related investigative
    capability, have revolved around not changing the thresholds of what
    it takes to get a search warrant, not changing the threshold of what
    it takes to get a wiretap, but streamlining the process; you have to
    prove with probable cause that something has occurred to get most of
    the court orders.
    If I'm tracking somebody that's, say, involved in terrorist activity,
    and they're using a cell phone, and they can put the cell phone down
    from having a voice call to use the same cell phone to do an Internet
    message because they've got a Web-enabled phone, and then they go home
    and they use an online account to communicate further, rather than go
    get five warrants for the same thing, they don't have to chase the
    technology, they chase the criminal activity.
    Q: One of the things you opposed in your testimony was federal
    security mandates for the industry. But there's a strong push for
    strong industry best-practices policies or government mandates.  
    Christopher Painter (Department of Justice, Deputy Chief of the
    Computer Crime and Intellectual Property Section) says the industry
    needs best practices; he says, too often the industry has no plan for
    dealing with intrusions at all. Is there going to be pressure for
    government standards?
    A: I hope not. What we've seen from time immemorial, market forces
    drive a lot of what happens in the development efforts. Standards
    don't drive it, because what happens, you wind up in a situation where
    standards may turn around and inhibit the ability to innovate and the
    ability to build more secure products.
    Q: In your testimony, you listed several attacks, virus attacks and
    others, some of them against Microsoft weaknesses, and some of them
    against Linux and other operating systems. But how much responsibility
    does Microsoft have because of its market share for security?
    A: I think Microsoft has recognized that, because we are the market
    leader, we have a special obligation to improve security. This is an
    industry issue we're all working on, but because of that special role
    our obligation is increased. Which is why we created programs like the
    strategic technology protection program -- helping people get secure
    with a number of free tools, then getting them to stay secure by
    changing, fundamentally, some of our internal processes, to further
    strengthen the security that we've been working on internally.
    Q: Some of the security problems with Microsoft products are things
    like buffer overflows. That happens in programming, and you fix it.  
    But others seem like boneheaded decisions based on marketing. Things
    like enabling Windows Scripting Host by default on millions of
    consumer machines and making e-mail attachments executable. In these
    big virus attacks, doesn't Microsoft bear some responsibility for
    those choices?
    A: I think that picture has changed. Once again, we've been developing
    stuff based on ease-of-use for the customer and what the customer
    requirements are. I think what happens now is that we've seen the
    threat picture change. I think it goes back to a physical analogy. If
    I leave my keys in my car because it's convenient for me, and somebody
    steals my car, is that my fault? Ten or 15 years ago, the likelihood
    of that happening was very, very low. But the threat picture has
    changed dramatically in most places.
    That's the same thing that's happened with software. Those things were
    designed to make it easy for people to do the stuff that they were
    doing. It turns out that criminals and others with malicious intents
    have turned those good things into bad things. Which is why we've had
    to fundamentally ... the way we ship products. They will be shipped
    secure out of the box now. It may be a little more difficult to get
    some of the features turned on, but it's going to be more secure,
    because that's what the new picture warrants for us.
    Q: But that kind of begs the question, because it wasn't completely
    unthinkable, like someone flying a plane into a building. At the time
    when all these features were being rolled out, programmers online were
    screaming left and right that this was inevitably going to result in
    these massive incidents, and, sure enough, they did.
    A: If you look at the development process, and how long it takes to
    develop these things and get them out the door, this is not something
    that people started working on six months ago, and the developer
    community is saying this is a bad thing. This is stuff that has been
    in progress for years, which is why we've had to effectively retool
    the way we do things internally, to meet that new threat environment.
    Q: I'll give you a cheerful quote from Rick Forno. He said one of our
    major security problems is "our continuing blind dependence on
    Microsoft operating systems."
    A: Richard's entitled to his opinion, but I ask Richard or anyone else
    to look at the security vulnerabilities that have been identified in
    anything else that's out there, and the response mechanism. Until some
    time as we develop a society that's perfect in writing code, as you
    actually pointed out; until some time as we have perfect processes,
    then we have to do some level of maintenance, some level of fixing
    things. I agree that we all continue to do more work on it.
    ISN is currently hosted by Attrition.org

    This archive was generated by hypermail 2b30 : Thu Dec 20 2001 - 15:55:17 PST