[ISN] Assessment Is Charney's Job One

From: InfoSec News (isnat_private)
Date: Wed May 29 2002 - 02:47:26 PDT

  • Next message: InfoSec News: "[ISN] Memo: FBI destroyed evidence in bin Laden case after glitch with e-mail surveillance system"

    May 27, 2002 
    By Dennis Fisher 
    Don't envy Scott Charney. He has one of the most difficult positions
    in the security industry: chief security strategist at Microsoft Corp.  
    The Redmond, Wash., company and its ubiquitous software are the
    targets of choice for crackers and Internet delinquents of every
    stripe - so much so that Microsoft has kicked off a very public
    security-improvement initiative called Trustworthy Computing. All of
    which means Charney, a former Department of Justice lawyer and head of
    PricewaterhouseCoopers' security practice, has his work cut out for
    him. Senior Writer Dennis Fisher spoke with Charney last month about
    the challenges of his new job and what his priorities will be for the
    eWeek: Now that you've had a few weeks to settle into your new job,
    what are your priorities for the next 12 to 18 months?
    Charney: Well, I want to figure out what organizational and product
    changes we need to make to make the best impact on security. We need
    to get the national plan right, get the ISACs [information sharing and
    analysis centers] and InfraGard up to speed.
    eWeek: Do you have any idea at this point what those product
    priorities will be?
    Charney: You can get some sense by just looking at the products.  
    Something like Windows is obviously a high priority, and we've shown
    that by sending 7,000 Windows developers to school. There's a big
    security push around Windows. We have to look at the product's role in
    the infrastructure and prioritize those [that play the biggest roles].  
    And in terms of other priorities, there's increased concern - as we
    put more personally identifiable information on the Internet - about
    privacy. We have to make those services [such as Passport] as robust
    as possible. There are really two issues: keeping the bad people out
    and how this information is shared. We have to religiously implement
    fair information practices.
    eWeek: Do you have a sense that most of the changes you'll propose 
    will be accepted by Chairman Bill Gates and CEO Steve Ballmer?
    Charney: I have a responsibility to propose intelligent changes, but 
    there's no question that for Gates [and] Ballmer security is clearly 
    Job One.
    eWeek: One of the things that Group Platforms Vice President Jim 
    Allchin said recently is that security is such a focus at Microsoft 
    now that if they have to break legacy application compatibility to 
    improve security, so be it.
    Charney: Well, you have to look at how far back in legacy apps you're 
    going. If we need to make a change and it's going to break something 
    in Windows 3.1, that's not really an issue. But if it's in Win 2000 or 
    XP, it's an issue. But there's a recognition that things aren't as 
    secure as they could be. To the extent that we're designing stuff with 
    security as a focus, if something really needs to be done for security 
    and it might break a legacy system, you have to make a business 
    eWeek: There's been a lot of talk lately in the testimony in the 
    antitrust case about the modularization of Windows. Have you had a 
    chance to consider what that might mean in terms of security?
    Charney: Because of my [previous] position with the government, I've 
    avoided the antitrust stuff altogether.
    eWeek: You mentioned that you wanted to work on the national security 
    plan. Do you speak to federal cyber-security czar Richard Clarke 
    regularly about what they're doing?
    Charney: I do talk to him regularly, through this job and also because 
    we're both on the lecture circuit. One of the big challenges we have 
    is to figure out the proper roles of industry and government. 
    Historically, government has had the responsibility for security and 
    protection. And when you start talking about critical infrastructure, 
    it's something the government needs to get in on. They have to look at 
    how much security will the markets actually get you. Then, how much 
    security do you really need. And how do we fill the gap between the 
    eWeek: The concept of the government legislating security makes a lot 
    of people nervous. Is there a way to make it work?
    Charney: I've written some laws in the past, and what I worry about is 
    how you say what you mean and get where you want to go without a lot 
    of unintended consequences. In my mind, there are only three pockets 
    of money: the taxpayer's pocket, the consumer's pocket and the 
    investor's pocket. What model is right for security? I would be 
    worried about how you move the ball forward without stifling 
    innovation. I always tried to be very technology-neutral when I was at 
    [the DOJ], and that seems to be the right approach.
    eWeek: Another topic that gets a lot of attention these days is 
    vulnerability disclosure. Where do you stand on the debate over full 
    Charney: I dealt with this in the government because we had a hacker 
    who hacked into a switch and shut down an airport, and the way that he 
    got into the switch was easily repeatable. If you know of a 
    vulnerability, you need to mitigate the risk by patching it. Once [the 
    patch] is out there, you need to advertise it with the understanding 
    that it's like a race because the hackers are racing for the 
    vulnerability, and the systems administrators are racing for the 
    patch. If you keep it quiet, you have a lot of people who are at risk. 
    But at the same time, I think it's incumbent on [vendors] to patch it.
    eWeek: There's been a lot of skepticism about Microsoft's Trustworthy 
    Computing effort. Is there anything that you can point to now to 
    reassure people that it's a sincere effort, or is it one of those 
    things where we have to wait two or three years to see if it works?
    Charney: In the short term, they need to take a look around at what 
    the company is doing: sending out products that are secure by default, 
    where before they were open by default.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Wed May 29 2002 - 06:26:17 PDT